feat(ci): re-introduce pre-commit fixer workflow but limit autofixes for now

[ashwinb]

• pre-commit is not given the GITHUB_TOKEN so a malicious pre-commit from a fork cannot end up with write access to the repo
• restrict the apply-pre-commit workflow to hooks that actually modify files so detection-only checks are skipped
• clarify that the trusted subset now focuses on automatic fixes for commit-ready changes