Do not generate provenance on PR builds

It does not make sense to do so; nor do PR submitters have permission to do so.
We can't write attestations to `php/pie` in an unprivileged context, otherwise
anyone could send a PR with malicious code, store attestation that `php/pie`
built the PHAR, and it would look genuine.

Author: asgrim

.github/workflows/build-phar.yml

@@ -48,6 +48,12 @@ jobs:
       - name: Check the PHAR executes
         run: php pie.phar --version
       - name: Generate build provenance attestation
+        # It does not make sense to do this for PR builds, nor do contributors
+        # have permission to do. We can't write attestations to `php/pie` in an
+        # unprivileged context, otherwise anyone could send a PR with malicious
+        # code, which would store attestation that `php/pie` built the PHAR, and
+        # it would look genuine. So this should NOT run for PR builds.
+        if: github.event_name != 'pull_request'
         uses: actions/attest-build-provenance@v1
         with:
           subject-path: '${{ github.workspace }}/pie.phar'