update note regarding pull_request_target

[beeequeue]

• changes the note about pull_request_target to a CAUTION instead of a WARNING
• merges the two sections about it into one
• adds a note about using the bot as an alternative

[changeset-bot]

⚠️ No Changeset found

Latest commit: 2df4dde

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[beeequeue]

i'm still not entirely sure about the wording in this line, but i think it's a good guideline to give to people who don't know anything about the subject

i considered adding a line saying "e.g. installing dependencies can lead to cache poisoning in the main repo", but decided against it

[beeequeue]

maybe it should say "do not execute any code except code inside GitHub Actions"?

[bluwy]

I think previously the "do not run untrusted code" would fit better, since github actions can't guarantee that they won't run untrusted code either. Maybe we can give some examples of what not to do, but I don't think is necessary.

[beeequeue]

this should override whatever default permissions the repo is configured to use, so the comment step can't accidentally get content: write

[bluwy]

I'd like to suggest some changes but I don't have time now, blocking it for a while