fix(ci): make targeted format-check base fetch non-fast-forward safe

[simonhagger]

Summary

• What changed:
  • Updated targeted format-check base fetch logic in CI to avoid non-fast-forward ref update failures.
  • Switched from writing refs/remotes/origin/<base> to fetching base into FETCH_HEAD.
• Why this change is needed:
  • PR checks were failing with non-fast-forward when base moved, before nx format:check executed.
• Risk level (low/medium/high):
  • Low

Change Groups

• Docs / Governance:
  • None.
• Frontend / UX:
  • None.
• Desktop Main / Preload / Contracts:
  • None.
• CI / Tooling:
  • Fixed format check (targeted) fetch strategy in .github/workflows/ci.yml.

Validation

• pnpm nx run contracts:test
• pnpm nx run desktop-main:test
• pnpm nx run renderer:build
• pnpm nx run desktop-main:build
• Additional checks run:
  • Workflow logic reviewed and adjusted to use FETCH_HEAD base comparison.

Engineering Checklist

• Conventional Commit title used
• Unit/integration tests added or updated
• A11y impact reviewed
• I18n impact reviewed
• IPC contract changes documented
• ADR added/updated for architecture-level decisions

Security (Required For Sensitive Changes)

IMPORTANT:

• If this PR touches apps/desktop-main/**, apps/desktop-preload/**, libs/shared/contracts/**, .github/workflows/**, or docs/02-architecture/security-architecture.md, the two items below MUST be checked to pass CI.

• Security review completed

• Threat model updated or N/A explained

Security Notes

• Threat model link/update:
  • N/A
• N/A rationale (when no threat model update is needed):
  • CI ref-fetch strategy only; no runtime/app attack surface changes.