feat(workflow): wire Grug TPM bot - DoR gate + weekly pulse

[githumps]

Why

Wire up Grug TPM bot caller workflows so PRs get Definition-of-Ready feedback + weekly iteration pulse. Grug source-of-truth at githumps/grug (public). Advisory mode (strict: false) for first rollout, flip to strict: true once PR template aligns.

Adds

• .github/workflows/grug.pr-gate.yml — every PR open/edit/sync
• .github/workflows/grug.pulse.yml — Mon 13:00Z weekly groom signal

Acceptance criteria

• grug-bot GitHub Environment created (out-of-band)
• POOLSIDE_API_KEY env-scoped secret set (out-of-band)
• PR-gate fires on this PR (advisory only, sticky DoR comment posted)
• After merge: weekly pulse fires Mon or via workflow_dispatch + issue opens

Out of scope

• Per-repo PR-template alignment with DoR — separate cleanup PR
• Strict mode flip — separate PR after PR-template lands

Size: XS

Refs: githumps/grug#1

[github-actions]

Grug — automated TPM check

✅ Definition of Ready — 4/5 pass, 1 warnings

	Check	Detail
✅	why	Why/Summary section ≥5 words
✅	acceptance	Acceptance/Test plan with 4 bullets
✅	estimate	Size noted (XS/S/M/L)
✅	scope-fence	Out-of-scope section present
⚠️	issue-link	RECOMMEND linking issue: closes #N or refs #N

Grug's read on scope

• ✅ XS scope matches 2 new workflow files (~47 lines total)
• ✅ Title aligns with body (DoR gate + weekly pulse workflows)
• ✅ Testable AC: PR-gate fires with sticky comment, pulse creates issue
• ✅ Clear out-of-scope boundaries prevent creep

_{Static checks are blocking. LLM read is advisory. Re-runs on every push. Edit PR body, push empty commit, or comment /grug recheck to re-trigger.}

[sentry]

Bug: The workflow is missing the environment: grug-bot declaration, causing the environment-scoped POOLSIDE_API_KEY secret to be an empty string and breaking API authentication.
_{Severity: HIGH}

Suggested Fix

Add environment: grug-bot to the job definition within .github/workflows/grug.pr-gate.yml to grant it access to the environment-scoped POOLSIDE_API_KEY secret.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: .github/workflows/grug.pr-gate.yml#L17-L23

Potential issue: The `grug.pr-gate.yml` workflow attempts to use
`secrets.POOLSIDE_API_KEY`, which is an environment-scoped secret tied to the `grug-bot`
environment. However, the workflow job fails to declare `environment: grug-bot`.
Consequently, `secrets.POOLSIDE_API_KEY` resolves to an empty string, which is then
passed to reusable workflows. This causes all API calls requiring this key to fail with
authentication errors, rendering the workflow's core functionality inoperative.

Also affects:

• .github/workflows/grug.pulse.yml

_{Did we get this right? 👍 / 👎 to inform future reviews.}