feat: gate deployments from non-collaborators behind approval by Flo4604 · Pull Request #5255 · unkeyed/unkey
Add deployment protection that checks if the push sender is a repo collaborator before triggering a deployment. Non-collaborators get their deployment created in awaiting_approval status with a PR comment posted linking to the approval page.

- Add awaiting_approval status to deployments enum
- Add deployment_protection boolean to projects table
- Add deployment_approvals table for audit trail
- Add sender_login to HandlePushRequest proto
- Add IsCollaborator, FindPullRequestForBranch, CreateIssueComment to GitHub client (with SWR cache for collaborator checks)
- Inject GitHub client into webhook service for collaborator checks
- Bot accounts ([bot] suffix) are auto-approved
- Fails open if collaborator check errors
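
The gating order described above, as an added Go example that is not the PR's own code. `Decision`, `CollaboratorChecker`, `Gate`, the reason strings and the sample logins are hypothetical, and treating a false `deployment_protection` flag as skipping the gate is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Decision is a hypothetical result type for this example.
type Decision struct {
	NeedsApproval bool   // true maps to the awaiting_approval status
	Reason        string // what an audit row could record
}

// CollaboratorChecker is a hypothetical stand-in for the GitHub client's
// IsCollaborator call; its real signature is not shown on the page.
type CollaboratorChecker func(repo, login string) (bool, error)

// Gate applies the rules in the order the description lists them.
func Gate(protection bool, repo, sender string, check CollaboratorChecker) Decision {
	if !protection { // assumption: the project flag turns the gate off
		return Decision{false, "protection_disabled"}
	}
	if strings.HasSuffix(sender, "[bot]") {
		return Decision{false, "bot_auto_approved"}
	}
	ok, err := check(repo, sender)
	if err != nil {
		// Fails open, as the description states; the reason makes that visible.
		return Decision{false, "check_failed_open"}
	}
	if ok {
		return Decision{false, "collaborator"}
	}
	return Decision{true, "non_collaborator"}
}

// sampleChecker is constructed test data, not a real GitHub lookup.
func sampleChecker(repo, login string) (bool, error) {
	if login == "timeout-user" {
		return false, errors.New("github: request timed out")
	}
	return login == "alice", nil
}

func main() {
	for _, s := range []string{"alice", "carol", "dependabot[bot]", "timeout-user"} {
		fmt.Printf("%-16s %+v\n", s, Gate(true, "example/repo", s, sampleChecker))
	}
}
```

Recording a separate reason for the fail-open path lets operators alert on deployments that went out while the collaborator check was unavailable.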