fix: use pull_request_target for PR preview workflow to grant write access on fork PRs

[Copilot]

GitHub silently downgrades GITHUB_TOKEN to read-only when a pull_request workflow is triggered from a fork, ignoring any permissions: contents: write declaration. This caused the deploy-preview job to fail with a 403 when trying to push to gh-pages.

Changes

• pull_request → pull_request_target: Runs in the base repo context, so GITHUB_TOKEN respects the declared contents: write permission regardless of PR origin.
• Explicit PR head checkout: Since pull_request_target checks out the base branch by default, added ref: ${{ github.event.pull_request.head.sha }} to build the PR's actual code.

⚠️ Security note: pull_request_target with an explicit fork checkout runs untrusted build scripts with write-token access. This is a standard pattern for public OSS PR previews — no sensitive secrets are used in the build step and GITHUB_TOKEN scope is limited to this repo.