Fixing semver checks again

[nicklan]

The saga continues.

Turns out pull_request_target triggers mean that the checkout action will checkout the head of main, not the head of the PR, so the check was a no-op because it was comparing main to main and nothing changed.

So, now we specify a ref in the checkout action and point it at github.event.pull_request.head.sha which afaict will checkout the head of the PR.

That means the running the job with write permissions would be dangerous because any code in the PR could be evaluated, so I've also split this into two jobs. One that does the check and needs the PR code, which runs with only read permissions, and then a second job that looks at the output of the previous job and just adds a label or not and nothing else, so it can have write permissions.

Tested as best I can via using a "normal" pull_request trigger. You can see the expected run here where it got as far as correctly wanting to add the label, but failing due to permissions (which will be fixed by merging this)

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 77.66%. Comparing base (42afc06) to head (6b84489).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #384   +/-   ##
=======================================
  Coverage   77.66%   77.66%           
=======================================
  Files          49       49           
  Lines       10079    10079           
  Branches    10079    10079           
=======================================
  Hits         7828     7828           
  Misses       1805     1805           
  Partials      446      446           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[zachschuermann]

nice catch on the security concern!

[OussamaSaoudi-db]

Moving PR: write to a just the labeler is nice. GJ