ci(eval): persist eval reports via auto-merge PR

[jasonodoom]

The weekly and monthly eval jobs generate a report, then push it to main. main is protected (requires the test check), so the bot push is rejected with GH006 after all the compute is done. The monthly job spends real money on vision scoring before hitting this, and the report is then lost with the ephemeral runner.

Change

Replace the direct push to main with a branch-and-PR flow:

• Push the generated report to a dated bot/ branch (bot/weekly-eval-, bot/monthly-vision-eval-).
• Open a PR into main and enable auto-merge (squash). ci.yml runs the test check on the PR; once it passes, the PR merges and the branch is deleted.
• Checkout uses RELEASE_PAT instead of GITHUB_TOKEN. PRs opened with GITHUB_TOKEN do not start workflow runs, so the required test check would stay pending and auto-merge would never fire. RELEASE_PAT (already used by the release workflow for the same reason) makes the PR trigger CI.

Branch protection stays intact: reports still pass through the test gate before landing on main. The smoke path on the monthly workflow continues to skip the PR entirely.

Notes

• Reuses the existing RELEASE_PAT secret; no new secret required. Assumes it carries pull-request write (classic repo scope or fine-grained contents+PR). If a run reports a permissions error opening the PR, the PAT scope needs widening.
• No change to the eval compute steps, which already pass.