pull_request_target is not secure

[jeffmaury]

quarkusio.github.io/.github/workflows/preview.yml

Line 4 in 89aa226

pull_request_target:

Would allow someone to submit a PR that dumps all secrets in the run log

[jeffmaury]

See this from GitHub security team: https://securitylab.github.com/research/github-actions-preventing-pwn-requests

[maxandersen]

@gsmet wdyt?
should we have github bot add "preview" label on prs that only touch non-yml content and otherwise require a "preview" label for this to run to avoid this issue?