With `pull_request`, we run in the context of the pull request branch.
- This means we run with the code from the PR branch, possibly breaking
the current release PR for this repo with in-progress, unreviewed changes.
- This means that the secret is not available on Pull Requests from
forks.
Switching to `pull_request_target` means we always run in the scope of
the original repository. The secret is available and the code is checked
out from our main branch.
`pull_request_target` has security considerations, but they do not apply
here as we do not check out or run code from the (external, malicious) PR.
The previous job always used the last release version of
releaser-pleaser. This caused two issues:
- if new flags were added to `action.yml` since the last release, the
program errored because the flags are unknown.
- right after merging a release pr, the image reference was already
updated, but no new container image was built yet.
This fixes both issues, by using a locally built version of
releaser-pleaser, which is always up-to-date and available.
