Harden CI workflow: switch to pull_request trigger and remove unnecessary id-token:write (#214)

Addressing two issues in the CI workflow:

1. **`pull_request_target` > `pull_request`**: Fork PRs currently run in
the base repo's execution context. Switching to pull_request runs fork
PRs in the fork's context, which matches the workflow's declared
read-only permissions and is the recommended trigger for CI jobs that
don't need write access to the base repo.

(Some references:

-
https://docs.github.com/en/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout

-
https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
)

2. **Remove `id-token: write`**: No active job uses OIDC. This
permission is a leftover from the commented-out `online-test` job and
grants unnecessary token-minting capability.

No CI behavior change. All active jobs (`check`, `format`,
`offline-test`) only need `contents: read` and `pull-requests: read`,
which work identically with `pull_request`.

Author: hgvfhsrtyvrt456vtg

.github/workflows/ci.yml

@@ -4,7 +4,7 @@ name: CI
 on:
   push:
     branches: [ "main" ]
-  pull_request_target:
+  pull_request:
     branches: [ "main" ]
   workflow_dispatch:     # manual run
 
@@ -15,7 +15,6 @@ concurrency:
 permissions:
   pull-requests: read
   contents: read
-  id-token: write
   actions: read
 
 jobs: