Ensure not using pull_request_target event

For workflows that are triggered by the pull_request_target event, the GITHUB_TOKEN is granted read/write repository permission unless the permissions key is specified, and the workflow can access secrets, even when it is triggered from a fork.
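One way to check a workflow file for this trigger, as an added example that is not the code of the tool this rule comes from. It is a line-based approximation rather than a full YAML parser, and the function names and the sample workflow are assumptions made for illustration. For each hit it also reports whether a workflow-level permissions key is present and which secrets the workflow references.

```python
import re

# Constructed sample workflow (not from the page); job and secret names are made up.
SAMPLE = """\
on:
  pull_request_target:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - run: ./label.sh
        env: {TOKEN: "${{ secrets.LABEL_TOKEN }}"}
"""

def _strip_comment(line):
    # Drop full-line and trailing comments; a '#' inside quotes is not handled.
    return re.sub(r"(^|\s)#.*$", "", line).rstrip()

def on_events(text):
    """Event names under the top-level `on:` key, in scalar, list or map form."""
    events, in_on, child_indent = set(), False, None
    for line in map(_strip_comment, text.splitlines()):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0 and not line.startswith("-"):
            m = re.match(r"""["']?on["']?\s*:\s*(.*)$""", line)
            in_on, child_indent = bool(m), None
            if m and m.group(1):  # inline: `on: x` or `on: [x, y]`
                events.update(re.findall(r"[a-z_]+", m.group(1)))
                in_on = False
        elif in_on:
            child_indent = indent if child_indent is None else child_indent
            m = re.match(r"\s*(?:-\s*)?([a-z_]+)", line)
            if m and indent == child_indent:  # block: `- x` or `x:`
                events.add(m.group(1))
    return events

def check_workflow(text):
    """Finding dict if pull_request_target is used, else None.
    Only the workflow-level permissions key is checked, not job-level ones."""
    if "pull_request_target" not in on_events(text):
        return None
    body = "\n".join(map(_strip_comment, text.splitlines()))
    return {
        "rule": "Ensure not using pull_request_target event",
        "top_level_permissions": bool(re.search(r"^permissions\s*:", body, re.M)),
        "secrets_referenced": sorted(set(re.findall(r"secrets\.(\w+)", body))),
    }
```

A finding with top_level_permissions set to False and a non-empty secrets_referenced list is the case the paragraph above describes: a read/write GITHUB_TOKEN and secrets available to a run triggered from a fork.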