fix: add a plan execution workflow for gemini-invoke workflow

[cynthialong0-0]

Overview

This PR adds a plan execution workflow which will execute the approved plans generated from gemini-invoke workflow. The new workflow will have content write permission which resolve the permission issues in the invoke workflow. This workflow will be triggered when /approve is mentioned in the comments, and should refuse to execute if no plan being found in the issue comments.

Changes

• Update gemini-invoke workflow to only have steps for action planning.
• Add gemini-plan-execute workflow for plan execution: trigger on /approve comment. If no plan of action exist in the issue, nothing with be executed. If there is a plan of action found, it will be executed. If there are multiple plan of action, it will execute the latest one.
• Update evals to include plan-execute workflow

Fixes #382
Fixes #396

[gemini-cli]

🤖 Hi @cynthialong0-0, I've received your request, and I'm working on it now! You can track my progress in the logs for more details.

[gemini-cli]

## 📋 Review Summary

This PR successfully implements a two-stage workflow (plan vs. execute) to improve security and control over the Gemini agent's actions. The architectural separation is sound and the new plan-execute workflow is well-structured with appropriate permissions. However, there are critical configuration issues pointing to a personal fork that must be resolved before merging.

🔍 General Feedback

• Critical Configuration: Ensure all uses directives point to the canonical google-github-actions/run-gemini-cli repository, not a personal fork.
• User Experience: The instructions provided by the agent in the invoke phase must match the commands expected by the dispatch workflow (e.g., @gemini-cli /approve).
• Context Handling: Consider capturing additional context provided during the approval step to allow users to provide final instructions or caveats to the execution agent.