ci: add installer-test caller workflow

[scottconverse]

Adds the reusable installer-test caller from scottconverse/installer-ci. On merge (and on this PR) it auto-detects this repo's installer type(s) and runs a full build/install/launch/upgrade/uninstall test. No-ops green if no installer is detected.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 66f96e19d2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Force the PyInstaller matrix for this repo

The referenced reusable workflow's detector only selects pyinstaller when it finds both a *.spec file and a pyinstaller reference in packaging/requirements metadata; this repo has neither, only build.sh/build.bat that install PyInstaller ad hoc. As written, push/PR runs will emit noop=true and pass without building or launching the desktop app, so this new check gives a false green unless the caller passes force_types: pyinstaller or the repo adds the expected detection metadata.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Stop inheriting unused secrets

Because this job calls scottconverse/installer-ci at the mutable @main ref, secrets: inherit would expose every Actions secret available to this workflow to whatever that external reusable workflow contains at run time. The current installer-test workflow only needs the read-only token permissions configured above, so inheriting all secrets unnecessarily broadens the blast radius for push/manual runs in any repo that has release or signing secrets configured.

Useful? React with 👍 / 👎.