Guard GraphQL PR number conversion against int32 overflow#56

Draft
Copilot wants to merge 2 commits into main from copilot/fix-code-scanning-alerts

Conversation


Copilot AI commented Apr 21, 2026

This PR addresses the CodeQL alert on unsafe integer downcast when passing PR numbers into GraphQL query variables. The change ensures int values are validated before converting to graphql.Int (int32-backed).

  • What changed
    • Added a narrow conversion helper in internal/github/github.go:
      • toGraphQLInt(n int) (graphql.Int, error)
      • Enforces math.MinInt32 <= n <= math.MaxInt32
    • Updated FindPRByNumber to use the validated conversion instead of direct cast.
  • Behavioral impact
    • Out-of-range PR numbers now fail fast with a clear error instead of risking truncation/overflow during conversion.
  • Focused coverage
    • Added unit tests in internal/github/github_test.go for:
      • successful in-range conversion
      • error on out-of-range conversion

func toGraphQLInt(n int) (graphql.Int, error) {
	if n < math.MinInt32 || n > math.MaxInt32 {
		return 0, fmt.Errorf("number %d is out of GraphQL Int range", n)
	}
	return graphql.Int(n), nil
}

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /tmp/go-build2513184261/b287/cmd.test -test.testlogfile=/tmp/go-build2513184261/b287/testlog.txt -test.paniconexit0 -test.timeout=10m0s (http block)

If you need me to access, download, or install something from one of these locations, you can either:
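An added example, not code from this PR, showing why the guard matters: the direct cast CodeQL flagged wraps modulo 2^32 and silently produces a different PR number, while the guarded helper rejects the value. `GraphQLInt` is a locally declared stand-in for `graphql.Int` (which is an `int32` type) so the block runs without the dependency, and the out-of-range sample values assume a 64-bit `int`.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// GraphQLInt stands in for graphql.Int (declared as `type Int int32`
// in github.com/shurcooL/graphql). Local assumption so the example builds offline.
type GraphQLInt int32

// ErrOutOfRange is returned when a value does not fit in a 32-bit GraphQL Int.
var ErrOutOfRange = errors.New("value out of GraphQL Int range")

// ToGraphQLInt applies the same guard as the PR: reject anything outside
// [MinInt32, MaxInt32] before converting, so nothing is ever truncated.
func ToGraphQLInt(n int) (GraphQLInt, error) {
	if n < math.MinInt32 || n > math.MaxInt32 {
		return 0, fmt.Errorf("number %d: %w", n, ErrOutOfRange)
	}
	return GraphQLInt(n), nil
}

// UncheckedCast is the pattern the CodeQL alert is about: a direct conversion
// that wraps modulo 2^32 instead of failing, so an oversized number becomes
// a different, valid-looking number.
func UncheckedCast(n int) GraphQLInt {
	return GraphQLInt(n)
}

// Outcome pairs what the unchecked cast yields with the guarded result.
type Outcome struct {
	Input     int
	Unchecked GraphQLInt
	Guarded   GraphQLInt
	Err       error
}

// Compare evaluates both conversions for one candidate PR number.
func Compare(n int) Outcome {
	g, err := ToGraphQLInt(n)
	return Outcome{Input: n, Unchecked: UncheckedCast(n), Guarded: g, Err: err}
}

func main() {
	// Constructed sample inputs; the last two only exist on a 64-bit int.
	for _, n := range []int{56, math.MaxInt32, math.MaxInt32 + 1, math.MinInt32 - 1} {
		o := Compare(n)
		fmt.Printf("n=%d unchecked=%d guarded=%d err=%v\n", o.Input, o.Unchecked, o.Guarded, o.Err)
	}
}
```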

Copilot AI changed the title from "[WIP] Fix code scanning alert #3" to "Guard GraphQL PR number conversion against int32 overflow" on Apr 21, 2026
Copilot AI requested a review from skarim April 21, 2026 14:25