[debug] Add sync-to-nexus workflow + Tekton pipeline trigger

[l-qing]

Summary

• Adds .github/workflows/sync-to-nexus.yml that, on every `v*-alauda-*` tag push, creates a Hub-resolved Tekton PipelineRun on the in-cluster ARC runner to mirror the GitHub Release assets to internal Nexus.
• Workflow lives in this PR (not yet on master) so it triggers via `pull_request` against this file path; `workflow_dispatch` will become available once merged.
• The Tekton pipeline itself ships in https://github.com/AlaudaDevops/edge-devops-task (branch `feat/sync-github-release-to-nexus`, soon to land in catalog `extras`).

How this is being tested

Path A (in-namespace pipeline + sample PipelineRun): ✅ green end-to-end on the integration cluster — assets land at `https://build-nexus.alauda.cn/repository/alauda/devops/github-releases/AlaudaDevops/yq/v4.47.2-alauda-19/\` and `.../latest/`, `_meta.json` written, Tekton overview-markdown shows clickable Nexus UI deep-links.

Path B (this PR): triggering via `pull_request` to validate the GitHub Actions trigger surface end-to-end before the Tekton pipeline merges into the catalog and we flip the `pipelineRef` to `resolver: hub`.

Test plan

• First PR commit fires `Sync Release To Nexus` workflow run
• Workflow creates PipelineRun `sync-<run_id>-<run_attempt>` in the `devops` ns
• PipelineRun reaches `Succeeded=True` (5 tasks: wait-for-release → download-and-verify → upload-versioned → decide-latest → upload-latest)
• Pipeline results `versioned-base-url`, `latest-base-url`, `latest-updated` populated correctly
• Re-running the workflow against the same tag fails fast at `upload-versioned` (Nexus write-once contract → US-4)

Out of scope for this PR

• Replicating to other forks (trivy / cosign / chains) — comes after this lands.
• Switching `pipelineRef` from in-namespace name to `resolver: hub` — gated on the catalog PR for the pipeline.

🤖 Generated with Claude Code