chore: add GitHub Action to mark CLA as passed for bot contributors (#1350)

* chore: add GitHub Action to mark CLA as passed for bot contributors

The hosted cla-assistant.io webhook service does not apply the .clabot
allowlist, leaving dependabot PRs in a permanent PENDING state. This
workflow detects bot contributors (users with [bot] in their login) and
explicitly sets the license/cla status to success using GITHUB_TOKEN,
matching the same context the cla-assistant service uses.

Human contributor PRs are unaffected and continue through the existing
cla-assistant.io webhook flow.

* fix: add least-privilege permissions block to CLA bot bypass workflow

---------

Co-authored-by: Ben Coombs <bjcoombs@users.noreply.github.com>

Author: bjcoombs

.github/workflows/cla.yml

@@ -0,0 +1,25 @@
+name: CLA Bot Bypass
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+
+permissions: {}
+
+jobs:
+  cla-bot-bypass:
+    permissions:
+      statuses: write
+    runs-on: ubuntu-latest
+    if: contains(github.event.pull_request.user.login, '[bot]')
+    steps:
+      - name: Mark CLA passed for bot contributors
+        run: |
+          gh api "repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }}" \
+            --method POST \
+            -f state=success \
+            -f description="CLA not required for bot contributors" \
+            -f context="license/cla" \
+            -f target_url="https://cla-assistant.io/meridianhub/meridian"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}