HW CI: allow maintainers to label fork PRs onto the bench

[bwhitman]

Follow-up to the AMYboard HW CI trigger (#741). Adds a reviewed path for fork PRs onto the self-hosted bench, without weakening the default.

Behavior

PR kind	Before	After
Same-repo branch (maintainers — you, dpwe)	auto-runs	auto-runs, no label needed
Fork PR (outside contributor)	skipped	runs once a maintainer adds the hwci-ok label

The gate becomes same-repo OR carries hwci-ok:

if: >-
  (github.event.action == 'labeled' && github.event.label.name == 'hwci-ok') ||
  (github.event.action != 'labeled' &&
   (github.event.pull_request.head.repo.full_name == github.repository ||
    contains(github.event.pull_request.labels.*.name, 'hwci-ok')))

Why a label (vs. just relying on GitHub's "Approve and run")

• Only maintainers can apply labels, so the label is the human-review gate, and it's auditable per-PR.
• It's independent of the repo's fork-approval setting — a returning contributor can't auto-bench just because they've been approved once before.
• GitHub's "Approve and run" for fork workflows still applies on top (defense in depth).
• The dispatch launders the fork's amy SHA into tulipcc's context → onto the Pi, so this amy-side gate is the only thing keeping unvetted fork firmware off the bench. Keeping it explicit matters.

Notes

• Adding an unrelated label to a same-repo PR does not re-trigger (avoids a duplicate bench run).
• The "dispatched" note now posts via HWCI_BRIDGE_TOKEN so it also works on fork PRs (whose GITHUB_TOKEN is read-only even after approval).
• Verified end-to-end: same-repo run passed on the bench (#742), fork PR correctly skipped (#743).

🤖 Generated with Claude Code

[bwhitman]

🎛️ AMYboard HW CI

Dispatched this PR's amy SHA to the tulipcc bench — it builds the AMYboard firmware with your change and runs it on the physical board (audio spectral-compared to a committed reference). Results post here in a few minutes.

[bwhitman]

Another workflow only PR, will merge

[bwhitman]

🎛️ HW CI (physical bench)

Built from this AMY PR, pinned into the tulipcc amy submodule.

AMYboard (USB-MIDI + AMY zP → audio): ✅ PASS — flashed this PR’s firmware; all checks matched the references.

Tulip (TULIP4_R11; serial-REPL audio + WiFi screenshot): ✅ PASS — flashed this PR’s firmware; all checks matched the references.

⬇️ Artifacts: recordings · screenshot · serial logs · run logs

_{Self-hosted bench. Audio spectral-compared to ref/hwci_basic.wav + ref/tulip_basic.wav; Tulip screenshot pixel-compared to ref/tulip_screenshot.png. Both analog outs share one capture card, so the tests run sequentially.}