Can we take a moment to dialog with Boris. I don't believe this workflow will work on pull_request b/c the workflow needs to push the change to the branch. I'll respond to Boris in just 1 moment. I'm comfortable with any approach though if we find this to be a risk.

Let me give you a call @micahwiesner67. I agree this is breaking and after reading and thinking a bit more I agree it's not clear to me that there's a vulnerability here.

Summarizing some Teams discussion:
I'm not sure how critical this workflow is day to day, but it clearly helps dependabot work seamlessly by updating the news.md file, which we need to ensure dependabot PRs pass CI tests. @giomrella will talk with Boris to see if we can get an exception.

After speaking to Boris, he demonstrated some risks with this workflow. I opened #390 to apply his (and ChatGPT's) recommendations.

I'm going to close this so we can address updates in PR #390.

@boris-ning-usds pointed out that this pull_request_target trigger is a potential vulnerability in an open repo (see https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/).
Let's merge this patch quickly and then discuss next week:
(1) Make sure everyone knows not to use this trigger in CDCGov in the future
(2) What should be the permanent fix? (Is this workflow essential?)
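As an added illustration, not the repository's actual workflow (which is not shown in this thread), a constructed sketch of the pattern the linked article warns about next to a safer shape for the same "update news.md on a dependabot PR" job; the file names, steps and news.md entry format are assumptions:

```yaml
# Constructed example, not the CDCGov repository's workflow.
# RISKY SHAPE: pull_request_target runs in the base repository's context
# (write-capable GITHUB_TOKEN, repository secrets available) yet checks
# out and executes code from the untrusted PR head.
name: update-news-risky
on: pull_request_target
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted tree
      - run: npm ci && npm run update-news                 # runs it with secrets present
      - run: git commit -am "update news" && git push
---
# SAFER SHAPE: keep the privileged trigger, but (a) restrict it to
# dependabot's own PRs, (b) grant the minimum token scope, (c) never
# execute anything from the PR head; only edit one text file with
# commands defined in this trusted workflow file, then push.
name: update-news
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
jobs:
  update:
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # dependabot branches live in this repo, so the token can push to them
          ref: ${{ github.event.pull_request.head.ref }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
      - name: Append a news entry (assumed format)
        env:
          # pass PR-controlled text via env, never interpolate it into the script
          TITLE: ${{ github.event.pull_request.title }}
        run: |
          printf '* %s\n' "$TITLE" >> news.md
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git commit -am "Update news.md" && git push
```

The safer shape still deserves review before reuse: any step that runs `npm install`, a linter or tests against the checked-out head reintroduces the risk, and that is the trade-off to weigh when deciding whether this workflow is essential.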