Avoiding `pull_request_target` usage in workflows

One of this repositories workflow's uses pull_request_target:

Please see the GitHub documentation for a list of risks associated with the target. I see the workflow is currently quite careful, but IMO it is still better to split it into two, one for building and one for posting.

It is now disallowed by actions/checkout (see blog post). We are also considering disabling it across the organisation (new feature), but it would break this workflow.