fix: live pre-merge build-status revalidation (BERTE-602)

[charlesprost]

Summary

• Adds revalidate_build_status(), called immediately before the merge/queue decision in _handle_pull_request. It bypasses BUILD_STATUS_CACHE and fetches live state from the GitHub Actions API, filtering workflow runs strictly to the current w-branch before aggregating.
• Adds AggregatedWorkflowRuns.state_for_branch(name): filters and deduplicates within a single branch, preventing a sibling branch sharing the same SHA from producing a false SUCCESSFUL.
• Regression tests explicitly replaying the artesca#5155 incident shape (renamed source branch, same SHA on old and new w-branches, old completed/new in-progress → must raise BuildInProgress).

Root cause (artesca#5155, 2026-05-20)

The source branch was renamed; the new w-branch shared its commit SHA with the old w-branch. GitHub's API returned workflow runs for both names. AggregatedWorkflowRuns.state picked the best status across branches, returning SUCCESSFUL because the old w-branch completed. That result was latched into BUILD_STATUS_CACHE (which never overwrites SUCCESSFUL). When the peer approval landed 15 s later, Bert-E read SUCCESSFUL from cache and merged — while the actual push CI on the new w-branch was still running.

What this PR does

bert_e/git_host/github/__init__.py

• state_for_branch(branch_name): filters _workflow_runs to branch_name before deduplicating by workflow_id, so a sibling branch cannot mask the result. Logs the filtered run snapshot (branch + runs + conclusion) for post-mortem diagnostics.

bert_e/workflow/gitwaterflow/__init__.py

• revalidate_build_status(job, wbranches): live, cache-bypassing final check at the merge decision boundary. Calls get_commit_status() directly (always hits the API), uses state_for_branch for GitHub Actions keys, skips gracefully for hosts without get_commit_status (e.g. Bitbucket).
• Called in _handle_pull_request after the interactive confirm and before build_queue_collection.

Test plan

• test_artesca5155_renamed_branch_inprogress_blocked — exact incident shape, asserts BuildInProgress
• test_artesca5155_old_aggregator_would_have_passed — documents the pre-fix bug: AggregatedWorkflowRuns.state returns SUCCESSFUL for the same data
• test_pr5155_shape_raises_build_in_progress — same SHA on w-branch (in_progress) and destination (success)
• Full matrix: bypass/no-key/no-method → skipped; clean PR → passes; failed/no-runs → correct exception
• state_for_branch unit tests: cross-branch poisoning, dedup within branch, workflow_dispatch exclusion, no-runs case

🤖 Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.54%. Comparing base (8481bef) to head (3adafc9).

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #268      +/-   ##
==========================================
+ Coverage   89.31%   89.54%   +0.22%     
==========================================
  Files          78       79       +1     
  Lines       10316    10522     +206     
==========================================
+ Hits         9214     9422     +208     
+ Misses       1102     1100       -2     

Flag	Coverage Δ
integration	87.19% <23.80%> (-0.33%)	⬇️
tests	87.15% <23.80%> (-0.33%)	⬇️
tests-BuildFailedTest	26.68% <4.76%> (-0.12%)	⬇️
tests-QuickTest	34.23% <4.76%> (-0.15%)	⬇️
tests-RepositoryTests	26.34% <4.76%> (-0.11%)	⬇️
tests-TaskQueueTests	51.46% <11.90%> (-0.21%)	⬇️
tests-TestBertE	65.38% <23.80%> (-0.22%)	⬇️
tests-TestQueueing	53.69% <11.90%> (-0.22%)	⬇️
tests-api-mock	15.47% <0.48%> (-0.30%)	⬇️
tests-noqueue	77.35% <23.80%> (-0.28%)	⬇️
tests-noqueue-BuildFailedTest	26.68% <4.76%> (-0.12%)	⬇️
tests-noqueue-QuickTest	34.23% <4.76%> (-0.15%)	⬇️
tests-noqueue-RepositoryTests	26.34% <4.76%> (-0.11%)	⬇️
tests-noqueue-TaskQueueTests	51.46% <11.90%> (-0.21%)	⬇️
tests-noqueue-TestBertE	61.74% <23.80%> (-0.21%)	⬇️
tests-noqueue-TestQueueing	26.37% <4.76%> (-0.11%)	⬇️
tests-server	28.49% <0.97%> (-0.56%)	⬇️
unittests	42.99% <99.51%> (+1.15%)	⬆️
utests	27.62% <99.51%> (+1.46%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[matthiasL-scality]

Code review — non-blocking observations