Add PR-Agent job to GitLab CI for merge-request review

Run PR-Agent's `review` and `improve` commands against each merge
request from the canonical repository, posting an automated review
and code-improvement suggestions as MR comments. The rule restricts
the job to MRs whose source project matches CI_PROJECT_PATH so the
OpenAI key and GitLab personal access token are never exposed to
fork pipelines.

(cherry picked from commit 07345b25d9)
(cherry picked from commit 4257454262)
(cherry picked from commit 5550fb84ae)

.gitlab-ci.yml

@@ -2593,3 +2593,23 @@ autorebase-sub:
   <<: *autorebase
   rules:
     - if: '$CI_PROJECT_NAMESPACE == "isc-private" && $CI_PIPELINE_SOURCE == "pipeline" && $CI_COMMIT_REF_NAME =~ /^bind-9\.[0-9]+-sub$/ && $REBASE_ONLY == "1" && $CI_COMMIT_REF_NAME =~ $AUTOREBASED_BRANCHES'
+
+pr-agent:
+  <<: *other_checks_job
+  image:
+    name: registry.gitlab.isc.org/isc-projects/images/pr-agent:latest
+    entrypoint: [""]
+  script:
+    - cd /app
+    - export MR_URL="$CI_MERGE_REQUEST_PROJECT_URL/-/merge_requests/$CI_MERGE_REQUEST_IID"
+    - echo "MR_URL=$MR_URL"
+    - export gitlab__url="$CI_SERVER_URL"
+    - export gitlab__PERSONAL_ACCESS_TOKEN="$GITLAB_PERSONAL_ACCESS_TOKEN"
+    - export config__git_provider="gitlab"
+    - export openai__key="$OPENAI_KEY"
+    - python -m pr_agent.cli --pr_url="$MR_URL" review
+    - python -m pr_agent.cli --pr_url="$MR_URL" improve
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_SOURCE_PROJECT_PATH == $CI_PROJECT_PATH && $GITLAB_PERSONAL_ACCESS_TOKEN && $OPENAI_KEY'
+      when: manual
+    - when: never