fix: handle fork PRs in CVE enhancement workflow

PRs from forks cannot be automatically updated by GitHub Actions due to
permission restrictions. This update:

1. Only attempts to commit/push changes for PRs from the same repository
2. For fork PRs, shows a helpful error message with the diff and
   instructions for the PR author to apply changes manually

This prevents the workflow from failing with a 403 error when trying
to push to forked repositories.
Prince Chaddha
2025-12-16 14:54:15 +05:30
parent bdd5d8a0b5
commit 4e41dde1fd


@@ -52,7 +52,7 @@ jobs:
done < /tmp/cve_files.txt
- name: Commit changes
if: steps.files.outputs.changed == 'true'
if: steps.files.outputs.changed == 'true' && github.event.pull_request.head.repo.full_name == github.repository
run: |
if ! git diff --quiet; then
git config user.name "github-actions[bot]"
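Review bot: the new `if:` on the "Commit changes" step silently skips the push for fork PRs but leaves no explanation in the workflow file itself; add a short YAML comment above the step (e.g. `# Fork PRs: the GITHUB_TOKEN cannot push to the head repo, so changes are reported in the next step instead`) so a later maintainer does not remove the `github.event.pull_request.head.repo.full_name == github.repository` guard as redundant. Note also that the guard fails safe when `head.repo` is null (a deleted fork), since the comparison then evaluates to false and the push is skipped rather than attempted.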
@@ -61,3 +61,16 @@ jobs:
git commit -m "chore: add impact and remediation fields 🤖"
git push origin HEAD:${{ github.event.pull_request.head.ref }}
fi
- name: Check for unapplied changes (fork PRs)
if: steps.files.outputs.changed == 'true' && github.event.pull_request.head.repo.full_name != github.repository
run: |
if ! git diff --quiet; then
echo "⚠️ This PR is from a fork. The CVE enhancement script generated changes that need to be applied manually."
echo "Please run the following command locally and push to your branch:"
echo ""
echo " python .github/scripts/enhance-cve-fields.py <your-cve-file.yaml>"
echo ""
git diff
exit 1
fi
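Review bot: the instructions echoed in the fork step use a generic `<your-cve-file.yaml>` placeholder even though the workflow already knows which files changed (the loop above reads them from `/tmp/cve_files.txt`); printing the actual file list, or a ready-to-run command per changed file, would make the message directly actionable for the fork author. Consider also sending the `git diff` output to `$GITHUB_STEP_SUMMARY` (or at least preceding it with `git diff --stat`) so a large diff is readable in the run summary instead of only in the raw log; `exit 1` is still appropriate, since the check should block the PR until the enhanced fields are committed.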