.github/workflows/{e2e,test}: check out sha instead of ref

`ref` can be raced between approval and checkout by pushing a commit between approval and checkout.
`sha` always refers to the triggering commit, which is safe.

Author: wikkyk

.github/workflows/e2e.yml

@@ -27,7 +27,7 @@ jobs:
         uses: actions/[email protected]
         with:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
-          ref: ${{ github.event.pull_request.head.ref }}
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - uses: actions/setup-go@v5
         with:

.github/workflows/test.yml

@@ -31,7 +31,7 @@ jobs:
         with:
           fetch-depth: 0 # for SonarQube
           repository: ${{ github.event.pull_request.head.repo.full_name }}
-          ref: ${{ github.event.pull_request.head.ref }}
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: checkout
         if: github.event_name == 'push'