ci: allow dependabot PRs to skip deployments to cloudflare (#1235)

* ci: allow dependabot PRs to deploy via pull_request_target

GitHub restricts secrets for pull_request events triggered by
dependabot[bot]. Switch dependabot PRs to pull_request_target,
which runs in the base branch context and has access to secrets.

- Add pull_request_target trigger
- Route dependabot PRs through pull_request_target only
- Route all other PRs through pull_request only (no double runs)
- Checkout PR head SHA for pull_request_target events

* Update .github/workflows/deploy.yml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* bypass cloudflare

* Simplify deploy job condition in workflow file

* Fix conditional syntax in deploy workflow steps

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: jderochervlk

.github/workflows/deploy.yml

@@ -53,6 +53,7 @@ jobs:
         env:
           VITE_DEPLOYMENT_URL: ${{ env.VITE_DEPLOYMENT_URL }}
       - name: Deploy
+        if: ${{ github.actor != 'dependabot[bot]' }}
         id: deploy
         uses: cloudflare/wrangler-action@v3
         with:
@@ -64,6 +65,7 @@ jobs:
         env:
           FORCE_COLOR: 0
       - name: Comment PR with deployment link
+        if: ${{ github.actor != 'dependabot[bot]' }}
         uses: marocchino/sticky-pull-request-comment@v2
         with:
           recreate: true