Don't allow trusted publishing token exchange from GitHub Actions if the `event_name` is `pull_request_target`

[di]

We started measuring this in #18887. If usage seems low to non-existent in a few weeks, we can likely just disable this, otherwise we may want to have a deprecation period.

#18886 is a draft PR to implement this.

(h/t @steiza)