fix(ci): checkout the pr head instead of the default main head (#36311)

### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change

Fix the invalid revision range issues : https://github.com/aws/aws-cdk/actions/runs/19970012866/job/57272071527

Since the action checks out the main branch HEAD instead of PR branch HEAD : https://github.com/aws/aws-cdk/actions/runs/19970012866/job/57272071527#step:2:1094

Inspired from : https://github.com/aws/aws-cdk/blob/main/.github/workflows/integration-test-deployment.yml#L39C11-L39C57

### Description of changes



### Describe any new or updated permissions being added




### Description of how you validated changes



### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: kumvprat

.github/workflows/security-guardian.yml

@@ -19,6 +19,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
         with:
+          ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0  
 
       - name: Install cfn-guard
@@ -51,4 +52,4 @@ jobs:
         if: always()
         with:
           name: security-guardian-reports
-          path: test-results/
+          path: test-results/