ci: dispatch to console-enterprise for fork PRs [UX-1222]

[c-julin]

Summary

• Adds .github/workflows/fork-pr-dispatch.yml, a workflow_run-triggered workflow that fires after PR verification (forks) succeeds on fork pull_request runs.
• It dispatches the push event to console-enterprise and marks Enterprise CI as pending, matching the non-fork repository-dispatch.yml flow.
• Payload now includes head_repository + is_fork so the enterprise side can clone from the fork repo (the OSS SHA is not reachable from redpanda-data/console for fork PRs).

Why not put it in fork-pr-verify.yml?

That workflow runs on pull_request, which strips secrets on fork triggers — the dispatch needs AWS creds + the bot token. workflow_run is GitHub's documented pattern for "wait for verify, then use secrets", and it runs on the base repo's default-branch workflow file (no fork code executes with secrets present).

Security

• Fork-controlled values (head_branch, head_sha, head_repository.full_name) are passed through env: → process.env.X rather than ${{ }} template expansion, closing the classic Actions script-injection vector.
• Client payload is built via JSON.stringify so a malicious repo name can't escape JSON structure.

Companion PR

Enterprise side: https://github.com/redpanda-data/console-enterprise/pull/new/jc/accept-oss-fork-dispatch — merge that one first (or together) so dispatches land somewhere that accepts head_repository.

Ticket

UX-1222

Test plan

• Merge companion enterprise PR first.
• Open a fork PR against master with a frontend/backend change.
• Confirm PR verification (forks) runs.
• Confirm Fork PR dispatch to enterprise fires on success, sets Enterprise CI to pending, and dispatches to console-enterprise.
• Confirm report-status on the enterprise side updates Enterprise CI to success/failure on the PR head SHA.

[malinskibeniamin]

is this github action something that's ok to use? wondering if we can own it e2e or bring in-house potentially?