Fix three verification failure causes in push, check_suite, and TrustSignal client

[Copilot]

Three independent bugs were causing spurious "TrustSignal Verification failed" check runs in GitHub.

Zero-SHA branch deletion events (normalizePushPayload)

GitHub sends push events with after = "000...0" when a branch is deleted. This was being forwarded as headSha to TrustSignal, producing a verification request for a non-existent commit and a guaranteed failure check run.

// before: deletion events passed through and failed at the API
return { headSha: payload.after, ... };

// after: deletion events are ignored cleanly
if (!payload.after || payload.after === ZERO_SHA) return null;

check_suite detailsUrl pointed to the REST API (normalizeCheckSuitePayload)

detailsUrl was set to checkSuite.url (the API endpoint), so clicking "Details" on a check run opened raw JSON. Now uses checkSuite.html_url when present, falling back to the commit URL.

Missing accept header in TrustSignal client

The client wasn't sending Accept: application/json. CDNs and reverse proxies commonly serve HTML error pages when Accept is absent, triggering the non-JSON fallback path unnecessarily or causing hard failures on the secondary endpoint.

headers: {
  "content-type": "application/json",
  "accept": "application/json",        // added
  authorization: `******
},

---

💬 Send tasks to Copilot coding agent from Slack and Teams to turn conversations into code. Copilot posts an update in your thread when it's finished.