ci: Restore changelog-preview workflow with hardened craft 2.26.2 #6056

Open

antonis wants to merge 2 commits into main from ci/restore-changelog-preview-hardened

Conversation


@antonis antonis commented Apr 27, 2026

📢 Type of change

  • Bugfix
  • New feature
  • Enhancement
  • Refactoring

📜 Description

Re-adds .github/workflows/changelog-preview.yml, removed in #6030, using the hardened reusable workflow from getsentry/craft@v2.26.2 (#6050).

Differences from the previously deleted file:

  • Pinned to craft 3dc647fee3586e57c7c31eb900fdec7cbb44f23f (v2.26.2) instead of v2.25.4.
  • permissions.contents: write → contents: read. Upstream's reusable workflow only reads git metadata + .craft.yml; write was unnecessary and unsafe under pull_request_target.
  • Drop statuses: write (only needed in non-comment / status-check mode; we use the default comment mode).
  • Add unlabeled to the trigger types per upstream's recommended caller template.

💡 Motivation and Context

The original workflow combined pull_request_target + contents: write + secrets: inherit while pinning to a craft version (v2.25.4) that predated the upstream hardening series (2.25.5 onward). PR #6030 removed it. Now that #6050 has landed bumping the release workflow to craft 2.26.2, we can safely restore the changelog preview using the redesigned upstream reusable workflow, which:

  • downloads the craft binary from releases (does not run any PR code),
  • reads only git metadata and .craft.yml,
  • checks out with persist-credentials: false.

Refs:

💚 How did you test it?

Workflow file only — will be exercised by GitHub once this PR is opened (the workflow runs on pull_request_target, so the version on the base branch is what executes; full validation will come once merged).

📝 Checklist

  • I added tests to verify changes
  • No new PII added or SDK only sends newly added PII if sendDefaultPII is enabled
  • I updated the docs if needed.
  • I updated the wizard if needed.
  • All tests passing
  • No breaking changes

🔮 Next steps

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
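The caller workflow described above, as an added illustration that is not the PR's file: the reusable workflow filename in craft is a placeholder, and the trigger list, job name and pull-requests permission are assumptions; the SHA pin, read-only contents, dropped statuses: write and dropped secrets: inherit are as the PR text states.

```yaml
# Added example, not the PR's own .github/workflows/changelog-preview.yml.
# Comments marked "before" describe the deleted workflow as the PR text does.
name: Changelog preview

on:
  pull_request_target:
    # "unlabeled" added per upstream's recommended caller template.
    # The other types are ASSUMED.
    types: [opened, synchronize, reopened, labeled, unlabeled]

# Before: contents: write and statuses: write.
# Under pull_request_target the token acts on the base repository, and the
# reusable workflow only reads git metadata and .craft.yml, so read is enough.
permissions:
  contents: read
  pull-requests: write   # ASSUMED: needed to post the preview as a PR comment

jobs:
  changelog-preview:   # job name is an assumption
    # Pin to the full commit SHA of v2.26.2, not a mutable tag (before: @v2.25.4).
    # <REUSABLE-WORKFLOW-FILE> is a placeholder for craft's workflow filename.
    uses: getsentry/craft/.github/workflows/<REUSABLE-WORKFLOW-FILE>.yml@3dc647fee3586e57c7c31eb900fdec7cbb44f23f
    # Before: secrets: inherit. The reusable workflow only uses the per-job
    # GITHUB_TOKEN, so no secrets block is passed at all.
```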

github-actions Bot commented Apr 27, 2026

Fails
🚫 Pull request is not ready for merge, please add the "ready-to-merge" label to the pull request

Generated by 🚫 dangerJS against 91bdc07

@antonis antonis marked this pull request as ready for review April 27, 2026 14:51

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Reviewed by Cursor Bugbot for commit 143787a.

Comment thread on .github/workflows/changelog-preview.yml (outdated)
The reusable workflow only references secrets.GITHUB_TOKEN, which is
auto-provisioned per job. Inheriting all repo secrets under
pull_request_target is unnecessary exposure.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@lucas-zimerman lucas-zimerman left a comment


LGTM!
