Fix external plugin command concurrency issues (#1958)

* Separate re-review commands from intake/approval pipeline

- Removed /re-review-* from external-plugin-command-router.yml
- Created external-plugin-rereview-command.yml with separate concurrency
- Each pipeline maintains independent per-issue serialization
  - Router: /approve, /reject, /mark-ready-for-review, /rerun-intake
  - Re-review: /re-review-keep, /re-review-needs-changes, /re-review-remove

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Scope router workflow token permissions

- Set default router workflow permissions to contents:read + issues:write
- Move elevated contents/pull-requests write permissions to approval-command only
- Keep approval command behavior unchanged while reducing privileges for rerun-intake and mark-ready paths

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Align router concurrency with intake workflow

- Update command router to reuse the intake concurrency group key
- Preserve queueing behavior for comment commands

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

.github/workflows/external-plugin-rereview-command.yml

@@ -1,16 +1,20 @@
-name: External Plugin Re-review Commands
+name: External Plugin Re-review Command
 
 on:
   issue_comment:
     types: [created]
 
+concurrency:
+  group: external-plugin-rereview-${{ github.event.issue.number }}
+  cancel-in-progress: false
+
 permissions:
   contents: write
   issues: write
   pull-requests: write
 
 jobs:
-  handle-command:
+  rereview-command:
     runs-on: ubuntu-latest
     if: >-
       !github.event.issue.pull_request &&