ci: add pr-guards caller that disables auto-merge on push

Thin caller for molecule-ci's reusable disable-auto-merge-on-push
workflow. Forces operator re-engagement when a commit is pushed to
an open PR with auto-merge already enabled.

Pairs with the org-wide "Automatically delete head branches" repo
setting (also enabled today). Defense in depth:

1. Repo setting blocks pushes to a merged-and-deleted branch
   (post-merge orphan case — what bit #2174 today: my second
   commit landed on an already-merged-and-deleted branch).
2. This workflow catches in-queue races (push lands while the
   merge queue is processing) by disabling auto-merge so the
   operator must explicitly re-engage.

Together they cover the full lifecycle of "auto-merge enabled →
new commits arrive" without relying on operator discipline.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.github/workflows/pr-guards.yml

@@ -0,0 +1,22 @@
+name: pr-guards
+
+# Thin caller that delegates to the molecule-ci reusable guard. Today
+# the guard is just "disable auto-merge when a new commit is pushed
+# after auto-merge was enabled" — added 2026-04-27 after PR #2174
+# auto-merged with only its first commit because the second commit
+# was pushed after the merge queue had locked the PR's SHA.
+#
+# When more PR-time guards land in molecule-ci, add them here as
+# additional jobs that share the same pull_request:synchronize
+# trigger.
+
+on:
+  pull_request:
+    types: [synchronize]
+
+permissions:
+  pull-requests: write
+
+jobs:
+  disable-auto-merge-on-push:
+    uses: Molecule-AI/molecule-ci/.github/workflows/disable-auto-merge-on-push.yml@main