Correct handling of previews.

[freakboy3742]

PR #575 modified the GitHub checkout associated with the preview action; in doing so, it inadvertently broke previews. This is because the CI action triggers on pull_request_target, not pull_request. pull_request_target defaults to checking out the SHA of the branch base, not the head.

We have to use pull_request_target for security reasons; if a pull_request trigger is used, malicious code could alter the repository or exfiltrate secrets.

This takes a different approach to the code removed by #575, explicitly naming the SHA of the PR branch, rather than referencing the PR as an indirect reference. Using the PR number as a proxy is potentially insecure as the PR itself could be modified.

To prove the preview is working, the PR modifies the label of the first entry on the https://beeware.org/news/events/ page. This is a change that is also made by #579.

PR Checklist:

• All new features have been tested
• All new features have been documented
• I have read the CONTRIBUTING.md file
• I will abide by the code of conduct

[freakboy3742]

If my understanding is correct, this PR's preview run will use the current main status of the CI workflow, which doesn't have a new preview code (this is why pull_request_target exists). Once this is merged, we should be able to merge an existing PR (e.g, #579) with main, re-tag for preview, and see the desired effect.

[github-actions]

Visit the preview URL for this PR (updated for commit e135c34):

https://beeware-org--pr580-preview-fix-tqch4y3p.web.app

_{(expires Sat, 10 Aug 2024 08:05:08 GMT)}

_{🔥 via Firebase Hosting GitHub Action 🌎}

_{Sign: b0da44bc067e7d9a4255c77cb2c5fce572218cec}