A curated list of awesome Go frameworks, libraries and software
Fix pwn request vulnerability in PR quality checks workflow
The pull_request_target workflow checked out and executed Go scripts from the PR head, allowing attackers to inject arbitrary code via init() functions with access to a write-scoped GITHUB_TOKEN. This was confirmed exploited in the wild (ref: StepSecurity blog).

Checkout now targets the base branch so only trusted scripts execute. PR head SHA is fetched as data-only for diffing via a new PR_HEAD_SHA env var. Write operations (comments, labels) are isolated in a separate report job that never checks out code. All job permissions follow least privilege: quality runs read-only, report holds the write token.

fixed: #6083

Signed-off-by: Avelino <[email protected]>
Co-Authored-By: Thierry Abalea <[email protected]>
Avelino committed
24273bf86b2e6d3beb96c7bcbf65fe033fae2aab
Parent: 470fa15
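The pattern the commit describes, shown as an added example rather than the awesome-go repository's own workflow: a pull_request_target job that checks out and runs the PR head (the "pwn request" shape), followed by the split layout the message outlines, where the quality job checks out the base branch read-only, fetches the PR head as data for diffing through a PR_HEAD_SHA variable, and a separate report job holds the only write token and never checks out code. Job names, the scripts/check.go path, the changed.txt file and the result output are assumptions made for illustration.

```yaml
# --- BEFORE (vulnerable): PR code runs with a write-scoped token -------------
# pull_request_target grants the token of the base repository. Checking out
# the PR head and running `go run` on it lets any init() in the PR's Go files
# execute with that token before the check itself does anything.
on:
  pull_request_target:

jobs:
  quality:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write          # needed for commenting, but granted to the
    steps:                           # same job that executes untrusted code
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted checkout
      - run: go run ./scripts/check.go    # runs PR-controlled Go, init() included

# --- AFTER (hardened): trusted code only, PR head as data, write job isolated -
on:
  pull_request_target:

permissions:
  contents: read                   # workflow-wide default: read-only

jobs:
  quality:
    runs-on: ubuntu-latest
    permissions:
      contents: read               # no write scope anywhere in this job
    env:
      # PR head commit is passed as data only; it is never checked out or run.
      PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
      PR_NUMBER: ${{ github.event.pull_request.number }}
    outputs:
      result: ${{ steps.check.outputs.result }}
    steps:
      # Under pull_request_target, github.sha is the last commit on the base
      # branch, so a plain checkout yields trusted code (no ref: override).
      - uses: actions/checkout@v4

      # Fetch the PR head objects through the base repository's pull ref so
      # the diff can be computed without executing anything from the PR.
      - name: Fetch PR head as data
        run: git fetch --no-tags origin "refs/pull/${PR_NUMBER}/head"

      - name: List changed files (base..PR head)
        run: git diff --name-only "${GITHUB_SHA}" "${PR_HEAD_SHA}" > changed.txt

      # Only the base branch's scripts/check.go executes here (assumed path).
      - name: Run quality check on the diff
        id: check
        run: |
          go run ./scripts/check.go -changed changed.txt
          echo "result=pass" >> "$GITHUB_OUTPUT"

  report:
    needs: quality
    if: always()                   # report failures as well as passes
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write         # the only job holding a write token
    env:
      # Pass job output via env, not by interpolating it into the script body,
      # so a crafted value cannot become code inside the JavaScript.
      RESULT: ${{ needs.quality.outputs.result }}
    steps:
      # Deliberately no actions/checkout: this job never touches repository code.
      - uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: `Quality check result: ${process.env.RESULT}`,
            });
```

Two checks worth running on any workflow of this shape: grep for `ref:` under every `actions/checkout` step in a `pull_request_target` workflow (a `head.sha` or `head.ref` there is the vulnerable pattern), and confirm that the only jobs with `write` permissions contain no checkout step and no `run:` step that executes repository content.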