limit PR permissions vol.2 (Lightning-AI#2078)

Author: Borda

.github/workflows/cpu-tests.yml

@@ -11,17 +11,12 @@ on:
 
 # lock down all permissions by default
 permissions:
-  contents: read
-  issues: read
-  pull-requests: read
-  id-token: read
-  security-events: read
-  actions: read
-  checks: write
-  deployments: read
-  discussions: read
-  packages: read
-  statuses: write
+  contents: read # needed to check out code
+  checks: write # needed for test results
+  pull-requests: read # needed for PR metadata
+  actions: read # needed to use actions
+  security-events: none
+  statuses: write # needed to update commit status
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref }}
@@ -40,6 +35,7 @@ env:
 jobs:
   testing-imports:
     runs-on: ${{ matrix.os }}
+    if: github.event_name != 'pull_request_target'
     strategy:
       fail-fast: false
       matrix:
@@ -49,12 +45,6 @@ jobs:
     steps:
       - name: Checkout generic
         uses: actions/checkout@v4
-        if: github.event_name != 'pull_request_target'
-      - name: Checkout for `pull_request_target`
-        uses: actions/checkout@v4
-        if: github.event_name == 'pull_request_target'
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}