fix: remove pull_request_target security vulnerability (#22)

The PR workflow used `pull_request_target` with explicit checkout of
untrusted PR code (`ref: ${{ github.event.pull_request.head.sha }}`),
allowing malicious PRs to execute arbitrary code with write permissions.

## Changes

- Changed workflow trigger from `pull_request_target` to `pull_request`
- Removed explicit `ref` parameter from checkout action
- Retained `pull-requests: write` permission for semantic PR action

The workflow now executes PR code in a restricted context without
elevated privileges while maintaining full functionality.

<!-- START COPILOT CODING AGENT TIPS -->
---

💡 You can make Copilot smarter by setting up custom instructions,
customizing its development environment and configuring Model Context
Protocol (MCP) servers. Learn more [Copilot coding agent
tips](https://gh.io/copilot-coding-agent-tips) in the docs.

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: airtonix <61225+airtonix@users.noreply.github.com>
Co-authored-by: Zeno Jiricek <airtonix@users.noreply.github.com>

Author: Copilot

.github/workflows/pr.yml

@@ -1,7 +1,7 @@
 name: PR Checks
 
 on:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - synchronize
@@ -25,7 +25,6 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
 
 
       # if the pull request target is default branch, then use normal rules
@@ -45,7 +44,8 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         if: startsWith(github.base_ref, 'release/')
         with:
-          types: [fix]
+          types: |
+            fix
           ignoreLabels: |
             autorelease-pending
             bot
@@ -78,4 +78,4 @@ jobs:
           VAULT_PATH="$(mktemp -d)"
           mkdir -p "${VAULT_PATH}/.obsidian/plugins"
           env VAULT_PATH="$VAULT_PATH" \
-            mise run check
+            mise run check