feat(ci): use GraphQL createCommitOnBranch for signed commits

[guglez]

Summary

Replaces git commit + git push with the GitHub GraphQL createCommitOnBranch mutation.

Why: The required_signatures ruleset on ChainSafe/infra-kubernetes requires all commits on main to be signed. Commits via git push are unsigned and block auto-merge. Commits via the GitHub GraphQL API are automatically signed by GitHub and show as Verified — no bypass actor or GPG key needed.

Changes:

• Branch creation via REST API
• Signed commit via GraphQL createCommitOnBranch
• Raw file fetch via Accept: application/vnd.github.raw (no base64 decode)
• Idempotency check now compares the branch (not main)
• git commit / git push / git config removed entirely

Closes #285
Refs ChainSafe/infrastructure-general#1246

🤖 Generated with Claude Code

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@05a1ba2). Learn more about missing BASE report.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #286   +/-   ##
=======================================
  Coverage        ?   31.28%           
=======================================
  Files           ?      131           
  Lines           ?    10179           
  Branches        ?        0           
=======================================
  Hits            ?     3185           
  Misses          ?     6724           
  Partials        ?      270           

Flag	Coverage Δ
unittests	31.28% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.