update documentation

[derekmisler]

Related Issues

Closes: https://github.com/docker/gordon/issues/401

Summary

Reorganizes and improves the review-pr/README.md to make the documentation clearer and more accurate, particularly around fork PR handling, secret management, and built-in security guarantees.

Key changes

• Relocated Fork PR Auto-Review from the bottom of the doc into the main setup section — makes the two-workflow (workflow_run) pattern easier to discover right after basic setup
• Added fork protection callout — explains that the reusable workflow has built-in defense-in-depth (fork skipping, OIDC fail-safe, org membership verification), so users should not add redundant if: guards that can break /review and feedback capture
• Removed standalone "Required Secrets" section — the ANTHROPIC_API_KEY / OPENAI_API_KEY / GOOGLE_API_KEY table was misleading; API keys are only needed when using the composite action directly
• Updated API key footnote to clarify that credentials come from OIDC in the reusable workflow and keys are only required for the composite action
• Minor fixes: secrets.GITHUB_TOKEN → github.token, improved contents: read permission comment

---

Tip

Comment /review to trigger the PR Reviewer agent for automated feedback.
Comment /describe to generate a PR description.

[docker-agent]

Assessment: 🟡 NEEDS ATTENTION

Two issues found in the new YAML example for fork PR auto-review.