Forking pull requests result in Preview workflow errors

[grayside]

When a fork of this repository opens a PR, the Preview/Cleanup workflows want to push to the gh-pages branch. In many cases, the forking user (such as renovate-bot) won't have access for that push.

There are a couple options:

1. Skip the push (limiting the workflow to verifying the build)
2. Switch the event from pull_request to pull_request_target (violating GitHub warnings that this should not be used where the Pull Request creator can create code that will be executed, such as hugo templates)

I think (1) is the fastest path. However, we could pursue (2) with a twist: build in logic that scans the PR for maintainer approval before running the build.

[grayside]

Exploring the approval idea, there is a built-in mechanism, but it's not compatible with pull_request_target.

https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ suggests that a pull_request_target workflow might have some protection by gating execution on the presence of a label, that requires someone with write access to apply. We'd probably want the workflow to remove his label as a later step so failures can be re-run, but new commits aren't automatically accepted.

[grayside]

The first implementation of fork skipping does not seem to work. Delving more closely, I found: https://til.cazzulino.com/devops-ci-cd/how-to-skip-steps-or-jobs-in-github-actions-for-prs-from-forks

Tracing this github.event.pull_request.head.repo.fork context property to confirm it is correct is not easy,

• https://docs.github.com/en/actions/learn-github-actions/contexts#github-context => place I knew to find github context.
• https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request => review pull request event
• https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#webhook-payload-object-34 => tells me there might be a pull_request object, go check the API docs
• https://docs.github.com/en/rest/pulls => click on "Get a pull request"
• github.event.pull_request.head.repo.fork => confirm head property, example response confirms repo.fork is a boolean

Going to switch the previous if logic to use this pattern. I assume my previous research was wrong, and github.repository is always the parent repo.