chore: require hub-team approval via Actions check#7

Closed
andresbayon wants to merge 1 commit into main from chore/require-hub-approval-check

@andresbayon

Collaborator

The changes I made

Adds a require-hub-approval GitHub Actions workflow that gates merges on an approval from a hub-team member — the protection CODEOWNERS used to provide — without committing the team name to the source tree.

How it stays clean of internal references:

  • Team slug lives in the repo Actions variable HUB_TEAM_SLUG (set to hub), not in the workflow file.
  • Org is derived from github.repository_owner.

How the check works:

  • Triggers on pull_request (opened/reopened/synchronize) and pull_request_review (submitted/dismissed/edited).
  • Computes each reviewer's latest review state (a later CHANGES_REQUESTED/DISMISSED overrides an earlier APPROVED; COMMENTED is ignored).
  • Passes only if at least one current approver is an active member of @<org>/${{ vars.HUB_TEAM_SLUG }}.

Prerequisites before this becomes effective

  1. Repo secret HUB_APPROVAL_TOKEN — a token with read:org + pull-request read (the default GITHUB_TOKEN can't read org team membership). A classic PAT with repo, read:org scopes (ideally from a bot/service account) works.
  2. After merge, add require-hub-approval to main's required status checks.

How To Test/Validate

  1. Set the HUB_APPROVAL_TOKEN secret.
  2. Merge this PR; open a test PR.
  3. With no hub approval → check fails. After a hub member approves → check passes. Push a new commit → stale approval dismissed → check fails again.

🤖 Generated with Claude Code

Adds a 'require-hub-approval' workflow that passes only when the latest
review from a member of the hub team is an approval. Replaces the
CODEOWNERS team-review requirement without committing the team name to
the source tree: the team slug lives in the HUB_TEAM_SLUG Actions
variable and the org is derived from github.repository_owner.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@andresbayon andresbayon closed this Jun 8, 2026
@andresbayon andresbayon deleted the chore/require-hub-approval-check branch June 8, 2026 08:10
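
Added example, not part of the pull request (its workflow file is not shown on this page): a sketch of the decision logic the description lists under "How the check works", written as plain JavaScript of the kind a workflow script step could run. The function names, the `membership` map standing in for the team lookup, and the sample reviews are assumptions constructed for illustration.

```javascript
// Added example (hypothetical helper names). Review objects use the
// user.login / state / submitted_at fields of GitHub's "list reviews" response.
const DECISIVE = new Set(["APPROVED", "CHANGES_REQUESTED", "DISMISSED"]);

// Map each reviewer (lower-cased login) to their latest decisive state.
// COMMENTED is skipped so a later comment cannot erase or revive a verdict.
function latestStates(reviews) {
  const ordered = reviews
    .filter((r) => r.user && r.submitted_at && DECISIVE.has(r.state))
    .sort((a, b) => Date.parse(a.submitted_at) - Date.parse(b.submitted_at));
  const latest = new Map();
  for (const r of ordered) latest.set(r.user.login.toLowerCase(), r.state);
  return latest;
}

// membership: login -> "active" | "pending", a constructed stand-in for the
// per-user team membership lookup the workflow would do with its token.
function hubApprovers(reviews, membership) {
  const members = new Map(
    Object.entries(membership).map(([login, s]) => [login.toLowerCase(), s])
  );
  return [...latestStates(reviews)]
    .filter(([login, state]) => state === "APPROVED" && members.get(login) === "active")
    .map(([login]) => login);
}

function checkPasses(reviews, membership) {
  return hubApprovers(reviews, membership).length > 0;
}

// Constructed sample data, not taken from any real pull request.
const at = (hhmm) => `2026-01-01T${hhmm}:00Z`;
const review = (login, state, hhmm) => ({ user: { login }, state, submitted_at: at(hhmm) });
const SAMPLE_MEMBERS = { alice: "active", bob: "active", dave: "pending" };
const SAMPLE_REVIEWS = [
  review("alice", "APPROVED", "07:00"),
  review("Bob", "APPROVED", "07:05"),
  review("carol", "APPROVED", "07:10"),          // approved, but not on the team
  review("dave", "APPROVED", "07:15"),           // invited, membership still pending
  review("alice", "CHANGES_REQUESTED", "07:30"), // overrides her earlier approval
  review("Bob", "COMMENTED", "07:40"),           // ignored, approval stands
];

console.log(hubApprovers(SAMPLE_REVIEWS, SAMPLE_MEMBERS));
console.log(checkPasses(SAMPLE_REVIEWS, SAMPLE_MEMBERS));
```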