Fix contribution message workflow permission issue on PR from fork

[jovnc]

Problem:

• pull_request trigger type is forced for PRs that come from forks to only have read permission for all scopes regardless of what we set explicitly in the workflow -> results in permission issue in contribution comment

Source: https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#workflows-in-forked-repositories

Proposed solution:

• Use pull_request_target with restricted scope for GITHUB_TOKEN
• Checkout to base repository default branch instead of the HEAD of the forked repository for security reasons (ensures we only run safe and trusted code in the main branch)

Source: https://www.linkedin.com/pulse/how-access-secrets-running-tests-forked-pull-requests-kylee-fields-7vcne/

Note: this change will only take effect for PRs that appear AFTER this PR is merged.

Alternative solution:

• more complicated flow where we have a pull_request trigger that builds relevant artifacts (if needed), then use workflow_runs trigger to comment to github (see more here: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/)

[woojiahao]

What's the purpose of these comments if there's no changes to the behavior? I would remove them since they don't really add anything. If you want to add a comment to not checkout to HEAD, add it as a line above the - name

[jovnc]

@woojiahao There is a difference in behaviour if we are using pull_request_target vs. pull_request trigger.

pull_request checks out to the forks repo (since it is run in safer environment)
pull_request_target checks out to the base repo (that's why the updated gh action can only run after we merge this into main)

I'm adding this here as additional documentation why I made this change, but I can add it above -name