Harden PR Builder Dependabot PR builder check (#769)

The PR builder checks the `github.actor` to determine if it's a
Dependabot PR, and if so allows execution.

This check is flawed - the `actor` is the user triggering the event, not
necessarily the author of the PR - as such it's possible to create an
event where the triggering actor is `dependabot` but the codebase is
not. Instead, we should check if `dependabot` _authored_ the PR.

References:
-
https://www.synacktiv.com/publications/github-actions-exploitation-dependabot
- https://docs.zizmor.sh/audits/#bot-conditions#
- [GitHub first-party
usage](https://github.com/github/docs/blob/7cbca58400edbc80b22512947ec96563bc984bf1/.github/workflows/triage-unallowed-contributions.yml#L17-L22)

Author: JackPGreen

.github/workflows/builder.yaml

@@ -24,7 +24,7 @@ jobs:
     needs: check_for_membership
     steps:
       - name: Detect untrusted community PR
-        if: ${{ needs.check_for_membership.outputs.check-result == 'false' && github.actor != 'dependabot[bot]' }}
+        if: ${{ needs.check_for_membership.outputs.check-result == 'false' && github.event.pull_request.user.login != 'dependabot[bot]' }}
         run: |
           echo "::error::ERROR: Untrusted external PR. Must be reviewed and executed by Hazelcast" 1>&2;
           exit 1