ci: run issue-link gate on pull requests

[bntvllnt]

Summary

• Switch the issue-link workflow trigger from pull_request_target to pull_request so the eventual required check is produced on the PR head SHA.
• Preserve the existing activity types, read-only permissions, and Enforce issue-linked PRs job/check name.
• Keep the workflow dependency-free: no checkout, install, or execution of PR code.

Validation

• git diff --check — passed on d9f21b1494c4440d146a70f0297c13c9718730ad.
• python3 invariant check — passed: no pull_request_target, pull_request present, read-only permissions preserved, check name preserved, no actions/checkout.
• python3 + PyYAML parse — passed.
• Broad package gates intentionally not run locally: workflow-only one-line trigger change, per task scope.

Current CI status

• Enforce issue-linked PRs — passing on d9f21b1494c4440d146a70f0297c13c9718730ad.
• Quality Gates, CodeQL, react-doctor, Storybook build/deploy preview — passing.
• build · sign · scan · deploy (ui-registry) — failing in deployer config outside this PR's diff: deployer returns parse /etc/***/apps/ui-registry/app.yaml: yaml: unmarshal errors ... field dockerfile/context not found in type apps.Source.
• One earlier Enforce issue-linked PRs run was cancelled by workflow concurrency; the later run on the same head passed.

Risk notes

• This PR does not mutate branch protection, rulesets, repository settings, releases, deployments, or production.
• Follow-up settings mutation remains unsafe until explicitly approved after this check runs successfully on recent PR heads.

Related to #152

[vllnt-pilot]

Preview ready · Updated 2026-05-20T14:42:13Z

Service	Status	Preview
ui-registry	Ready	https://pr-375-ui-registry.preview.vllnt.ai

Inspect

• Tailnet-only by default (not reachable from public internet)
• Cert: real Let's Encrypt wildcard
• Reply with /clean to destroy this preview now

[bntvllnt]

Review — PR #375 at d9f21b1

BLOCKING

• None in the PR diff.

WARN

• None for the PR code/config change. The earlier/shared ui-registry deployer issue is not a PR #375 diff finding and remains tracked separately; live checks now show the ui-registry deploy job passing on this head.

VERIFIED CLEAN

• Reconciled the prior full-diff review evidence for the unchanged current head.
• Changed-file coverage is complete: .github/workflows/pr-issue-link.yml is the only changed file (+1/-1).
• The workflow now runs on pull_request instead of pull_request_target, preserving the issue-link activity types and read-only permissions.
• The workflow still does not check out or execute PR-controlled code.
• PR metadata still matches the bounded scope: one workflow trigger change for the issue-link gate.

VALIDATION

• Live preflight: PR is OPEN, non-draft, head is still d9f21b1494c4440d146a70f0297c13c9718730ad, base is main, and there were no existing GitHub review artifacts before this comment review.
• Live checks observed before publication: 9 pass, 1 cancelled concurrency-noise issue-link run; latest Enforce issue-linked PRs, Quality Gates, CodeQL, Storybook, preview deploy, and ui-registry deploy were passing.
• Re-read the live patch and workflow contents at the current head; invariant check passed for pull_request present, pull_request_target absent, expected activity types preserved, and no actions/checkout.

Approval is recommended from this review evidence, but final APPROVE and merge remain reserved for bntvllnt.