ci: run sequential CodeAnt review for merge pushes on main

.gitea/workflows/codeant.yml

@@ -133,9 +133,34 @@ EOF
             # For push to main: check if HEAD is a merge commit
             PARENTS=$(git log -1 --format="%P" HEAD | wc -w)
             if [ "$PARENTS" -gt 1 ]; then
-              # Merge commits often include very large diffs and are already reviewed on pull_request.
-              echo "Merge commit detected on push; skipping review here."
-              echo "PR workflow run is the source of truth for full review." | tee review.txt
+              echo "Merge commit detected on push; reviewing files introduced by merge (vs HEAD~1)."
+              CHANGED_FILES=$(git diff --name-only HEAD~1...HEAD | grep '^.gitea/workflows/src/' | grep -v '^.gitea/workflows/codeant.yml' || true)
+
+              if [ -z "${CHANGED_FILES}" ]; then
+                echo "No source files changed in merge commit scope." | tee review.txt
+                exit 0
+              fi
+
+              FAILED=0
+              : > review.txt
+              while IFS= read -r file; do
+                [ -z "$file" ] && continue
+                echo "--- Reviewing merged file: $file ---" | tee -a review.txt
+                codeant review --base-commit HEAD~1 --include "$file" --exclude "${REVIEW_EXCLUDES}" 2>&1 | tee -a review.txt || true
+
+                if grep -q "Unexpected token '<'\|HTTP error 403" review.txt; then
+                  FAILED=1
+                  echo "Transient API failure detected for $file; continuing to next file." | tee -a review.txt
+                fi
+
+                sleep 12
+              done <<EOF
+${CHANGED_FILES}
+EOF
+
+              if [ "$FAILED" -eq 1 ]; then
+                echo "Completed with API instability; some merged files may be partially reviewed." | tee -a review.txt
+              fi
             else
               echo "Regular push - reviewing last commit"
               for attempt in 1 2 3; do