feat: add --prebuilt flag to download PR artifacts from CI

[gakonst]

Summary

This adds a --prebuilt flag that can be used with --pr to download prebuilt binaries from GitHub Actions CI instead of compiling from source.

Usage

foundryup --pr 1234 --prebuilt

Motivation

Building Foundry from source requires compiling 1000+ dependencies, which takes 10-15 minutes. This feature allows users to quickly test PR changes by downloading the binaries that CI already built.

Implementation

1. Fetches the PR head SHA via GitHub API
2. Finds successful CI workflow runs for that commit
3. Downloads platform-specific artifacts via nightly.link (public repos) or GitHub API (with GITHUB_TOKEN for private repos)
4. Extracts and installs binaries with appropriate permissions
5. Shows security warnings since these are unreviewed binaries

Security Considerations

The feature displays prominent warnings before installation:

⚠️  SECURITY WARNING: You are about to install binaries built from PR #1234.
⚠️  These binaries are NOT officially released and may contain untrusted code.
⚠️  Please review the PR changes before proceeding: https://github.com/foundry-rs/foundry/pull/1234

Caveats

• GitHub Actions artifacts expire after 90 days by default
• For private repos, requires GITHUB_TOKEN environment variable
• Artifact naming must match expected patterns (foundry_{platform}_{arch})

Closes foundry-rs/foundry#13232

/cc @zerosnacks

[zerosnacks]

Per discussion, we prefer people build from source as we cannot guarantee the correctness and E2E attestation of non-release artifacts produced in the CI.