[tooling] Fix contribution message workflow permission issue on PR from fork (#224)

Problem:
* `pull_request` trigger type is forced for PRs that **come from forks**
to only have `read` permission for all scopes regardless of what we set
explicitly in the workflow -> results in permission issue in
contribution comment

Source:
https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#workflows-in-forked-repositories


Proposed solution:
* Use `pull_request_target` with restricted scope for GITHUB_TOKEN
* Checkout to base repository default branch instead of the HEAD of the
forked repository for security reasons (ensures we only run safe and
trusted code in the main branch)

Source:
https://www.linkedin.com/pulse/how-access-secrets-running-tests-forked-pull-requests-kylee-fields-7vcne/

Note: this change will only take effect for PRs that appear AFTER this
PR is merged.

Alternative solution:
* more complicated flow where we have a `pull_request` trigger that
builds relevant artifacts (if needed), then use `workflow_runs` trigger
to comment to github (see more here:
https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/)

Author: jovnc

.github/workflows/contribution-message.yml

@@ -1,16 +1,17 @@
 name: Post contribution message in pull request
 on:
-  pull_request:
+  pull_request_target:
     types: [opened, reopened]
 
 permissions:
-  contents: write
+  # Only scope GITHUB_TOKEN to write for pull requests, others set to none (by default) for security reasons since we are using pull_request_target trigger
   pull-requests: write
 
 jobs:
   post_contribution_message:
     runs-on: ubuntu-latest
     steps:
+      # DO NOT CHECKOUT TO HEAD UNSAFE (will checkout to head of the fork for pull_request_target trigger)
       - name: Checkout repository
         uses: actions/checkout@v6