fix: allow to manually run external contributors workflows

This changed the way we run the test workflow that requires secrets.

Actually we should close contributors PRs and reopen ourselves to be
able to run tests. That is a massive PITA.

Dependabot PRs are also broken.

This changes how we run this test workflow by using pull_request_target
and then manually checking for permissions. We also always allow
dependabot to run.

So for an external contributor, our workflow would be:

- external contributor fork the project and create a new PR targetting
main
- the test workflow run and fails
- one internal maintainer review the PR
- internal maintainers can retry the failed run if the PR looks safe
- all green, we can merge

.github/workflows/test.yml

@@ -1,6 +1,12 @@
 name: Test
 
-on: [push]
+on:
+  pull_request_target:
+    branches:
+      - main
+    types:
+      - opened
+      - synchronize
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -12,8 +18,27 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Get permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@7b90a27f92f3961b368376107661682c441f6103 # v2.3.0
+        with:
+          require: write
+          username: ${{ github.triggering_actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Check permission
+        if: steps.checkAccess.outputs.require-result == 'false' && github.actor != 'dependabot[bot]'
+        run: |
+          echo "${{ github.triggering_actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          echo "Job originally triggered by ${{ github.actor }}"
+          exit 1
+
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Install Go
         uses: actions/setup-go@v5