fix(ci): use pull_request_target to fix 403 on gh-pages deploy from forks

[Copilot]

The deploy-preview job was failing with a 403 when pushing to gh-pages. GitHub silently downgrades GITHUB_TOKEN to read-only for pull_request events originating from forks — the permissions: contents: write declaration has no effect in that context.

Changes

• .github/workflows/pr-preview.yml
  • Switch trigger from pull_request → pull_request_target, which runs in the base repo context and honours the declared write permissions
  • Explicitly pin the checkout to the PR head SHA (ref: ${{ github.event.pull_request.head.sha }}), since pull_request_target defaults to checking out the base branch

on:
  pull_request_target:          # was: pull_request
    types: [opened, synchronize, reopened, closed]
...
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # added

Security note: pull_request_target runs with base-repo write permissions against fork PR code. Risk here is low (no custom secrets; only writes static files to gh-pages), but if untrusted external contributors become a concern, add a GitHub environment with required reviewers to gate the deployment.