Conversation

@atlasgong
Contributor

addresses #556 and fixes #527

read: https://michaelheap.com/access-secrets-from-forks/

in short, we use the insecure pull_request_target event, but

  • add gate job to check if triggering actor has write perms on the repo
    • if not, halts and fails the workflow
      • a collaborator with write access to the repo can retrigger the failed workflow after they've reviewed the PR and determined there are no security vulnerabilities
    • if yes, moves onto the next jobs and pull_request_target will allow accessing secrets
  • make all other jobs dependent on gate passing
  • nothing changes on push event
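A complete workflow implementing the gate described above, as an added example rather than the workflow from this PR. The PR's own gate step uses a third-party permission-check action pinned by commit (its name is not shown on this page); this example performs the same check with the `gh` CLI against the collaborator-permission endpoint of the GitHub API instead. The branch name `main`, the `test` job, `./ci.sh` and `SOME_SECRET` are assumptions. One detail the description leaves implicit: when a collaborator re-runs the failed workflow, it is `github.triggering_actor` (not `github.actor`) that changes to the re-runner, so that is the identity the gate has to check. Because `pull_request_target` executes the workflow file from the base branch, the fork cannot edit the gate out.

```yaml
# Added example (not this PR's workflow): gate pull_request_target runs on the
# triggering actor's repository permission before any job can use secrets.
name: CI

on:
  push:
    branches: [main]          # assumed default branch
  pull_request_target:
    types: [opened, synchronize, reopened]

# The event, not the token's permissions, is what exposes secrets; keep the
# token itself read-only anyway.
permissions:
  contents: read

jobs:
  gate:
    runs-on: ubuntu-latest
    # This job never checks out PR code; it only calls the API.
    steps:
      - name: Check that the triggering actor has write access
        if: ${{ github.event_name == 'pull_request_target' }}
        env:
          GH_TOKEN: ${{ github.token }}
          # On a re-run this is the collaborator who clicked "re-run", which
          # is what lets a reviewed fork PR proceed; github.actor would still
          # be the fork author.
          ACTOR: ${{ github.triggering_actor }}
          REPO: ${{ github.repository }}
        run: |
          set -euo pipefail
          # GET /repos/{owner}/{repo}/collaborators/{username}/permission
          # returns "admin", "write", "read" or "none".
          perm=$(gh api "repos/${REPO}/collaborators/${ACTOR}/permission" --jq '.permission')
          echo "${ACTOR} has '${perm}' permission on ${REPO}"
          case "$perm" in
            admin|write) ;;
            *)
              echo "::error::${ACTOR} lacks write access; a collaborator must re-run this workflow after reviewing the PR"
              exit 1
              ;;
          esac

  # Assumed downstream job: everything that needs secrets depends on `gate`.
  test:
    needs: gate
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # With pull_request_target the default checkout is the base branch.
          # Requesting the PR head SHA is only safe because `gate` ran first
          # and refused untrusted actors. On push, head.sha is empty and the
          # expression falls back to the pushed commit.
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
      - run: ./ci.sh            # assumed test script
        env:
          SOME_SECRET: ${{ secrets.SOME_SECRET }}   # assumed secret name
```

Two properties of this layout matter for review. Each further push to the fork branch fires `synchronize`, which starts a new run whose triggering actor is the fork author again, so an earlier approval does not carry over to commits the reviewer has not seen. A re-run of a failed run reuses the original event payload, so `head.sha` is the commit that existed when the run was created; the reviewer should confirm that is the commit they actually read before re-running.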

@terror terror requested a review from Copilot September 22, 2025 16:02
@terror terror changed the title allow retriggering workflows on PRs from forks for secrets access Allow re-triggering workflows on PRs from forks for secrets access Sep 22, 2025

Copilot AI left a comment


Pull Request Overview

This PR addresses security concerns when running workflows for pull requests from forks by implementing a permission gate mechanism. It transitions from the standard pull_request event to pull_request_target with safety controls to allow secret access while preventing unauthorized code execution.

  • Replaces pull_request with pull_request_target event trigger
  • Adds a gate job that validates the triggering actor has write permissions
  • Makes all existing jobs dependent on the gate passing


steps:
  - name: Get User Permission
    if: ${{ github.event_name == 'pull_request_target' }}
    id: checkAccess

Copilot AI Sep 22, 2025


The action is pinned to a specific commit hash, which is a security best practice. However, consider verifying this is the latest secure version and adding a comment indicating the version for easier maintenance.

Suggested change
id: checkAccess
id: checkAccess
# v2.2.2


Development

Successfully merging this pull request may close these issues.

Fix CI failing on external PRs
