
ci: harden verify workflow against pull_request_target secret exfiltration#2910

Merged
kwiatekus merged 10 commits into kyma-project:main from kwiatekus:pull-workflow-hardening
May 8, 2026

Conversation

@kwiatekus
Contributor

@kwiatekus kwiatekus commented May 7, 2026

Summary

  • Replaces the insecure verify.yml (pull_request_target + fork checkout + GITHUB_TOKEN) with two hardened workflows that enforce a strict trust boundary
  • verify-pr-code.yml: pull_request trigger, contents: read only, no secrets — runs make docs and code standard checks on PR code, uploads results as artifact
  • verify-pr-comment.yml: workflow_run trigger, pull-requests: write at job level only — downloads artifact, posts/edits PR comment; never touches PR code

Security properties

| Property | Before | After |
| --- | --- | --- |
| GITHUB_TOKEN present when PR code runs | Yes | No |
| PR Makefile can exfiltrate token | Yes | No |
| eval of PR-controlled file with token in scope | Yes | No |
| Least-privilege permissions | No | Yes (job-level scoping) |

Test plan

  • Open a test PR from a fork — verify verify-pr-code runs with no secrets, artifact uploads, verify-pr-comment posts the comment
  • Introduce a deliberate violation (fmt.Println in ./internal) — verify failure comment appears
  • Fix the violation — verify comment updates to pass message (edit-last behaviour)
  • Cancel verify-pr-code mid-run — verify verify-pr-comment skips silently
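
The split described in the summary, written out as two workflow files. This is an added illustration, not the code merged in this PR: the make target `verify-code-standard`, the artifact name `verify-result`, the `result/` layout, the comment marker and the `actions: read` scope (needed by `actions/download-artifact@v4` to fetch an artifact from another run) are assumptions; `make docs`, the triggers and the permission scopes are taken from the PR description. It also adds two checks a reviewer would want in the comment side: the artifact is treated as untrusted input (it was written by a job that ran PR code), and the PR number it carries is bound to the run's head commit before anything is posted.

```yaml
# --- .github/workflows/verify-pr-code.yml ---
# Runs PR code. pull_request events from forks get a read-only token and no
# repository secrets, so a malicious Makefile has nothing to exfiltrate.
name: verify-pr-code
on:
  pull_request:
permissions:
  contents: read
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run checks on PR code
        id: checks
        # "verify-code-standard" is an assumed target name; "make docs" is from the PR.
        run: make docs && make verify-code-standard
        continue-on-error: true
      - name: Record outcome for the comment workflow
        # Only values with a fixed shape are interpolated here (an integer and
        # success/failure). Never interpolate PR title, branch or body into a script.
        run: |
          mkdir -p result
          echo '${{ github.event.pull_request.number }}' > result/pr-number
          echo '${{ steps.checks.outcome }}' > result/status
      - uses: actions/upload-artifact@v4
        with:
          name: verify-result
          path: result/
      - name: Keep the check red when the checks failed
        if: steps.checks.outcome == 'failure'
        run: exit 1
---
# --- .github/workflows/verify-pr-comment.yml ---
# workflow_run always executes the copy of this file on the default branch, never
# the PR's copy, and this job never checks out PR code. Only the comment job
# receives a write scope; the workflow default is no permissions at all.
name: verify-pr-comment
on:
  workflow_run:
    workflows: [verify-pr-code]
    types: [completed]
permissions: {}
jobs:
  comment:
    # Skip silently when the code workflow was cancelled or was not PR-triggered.
    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion != 'cancelled'
    runs-on: ubuntu-latest
    permissions:
      actions: read          # assumed: required to download an artifact from another run
      pull-requests: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: verify-result
          path: result
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
      - uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const { owner, repo } = context.repo;
            const run = context.payload.workflow_run;
            // The artifact was written by a job that ran PR code: validate it as untrusted input.
            const prNumber = fs.readFileSync('result/pr-number', 'utf8').trim();
            const status = fs.readFileSync('result/status', 'utf8').trim();
            if (!/^[1-9][0-9]{0,8}$/.test(prNumber) || !['success', 'failure'].includes(status)) {
              core.setFailed('artifact contents failed validation'); return;
            }
            const issue_number = Number(prNumber);
            // Bind the result to the PR that actually produced this run's head commit,
            // so a forged pr-number cannot post a result onto someone else's PR.
            const { data: pr } = await github.rest.pulls.get({ owner, repo, pull_number: issue_number });
            if (pr.head.sha !== run.head_sha) { core.setFailed('PR number does not match run head'); return; }
            const marker = '<!-- verify-pr-code result -->';
            const ok = status === 'success';
            const body = `${marker}\n${ok ? ':white_check_mark:' : ':x:'} verify-pr-code ${ok ? 'passed' : 'failed'} for ${run.head_sha} (${run.html_url})`;
            // Edit-last behaviour: update the existing marker comment instead of adding a new one.
            const { data: comments } = await github.rest.issues.listComments({ owner, repo, issue_number });
            const existing = comments.find(c => c.body && c.body.startsWith(marker));
            if (existing) await github.rest.issues.updateComment({ owner, repo, comment_id: existing.id, body });
            else await github.rest.issues.createComment({ owner, repo, issue_number, body });
```

Two properties of this layout carry the trust boundary: the first workflow runs whatever the PR ships (including a modified copy of `verify-pr-code.yml`) but holds only a read-only token, while the second runs only the default-branch copy of its file and consumes nothing from the PR except a validated artifact. Because the fork controls the artifact, the head-SHA check is what prevents a PR from reporting a result against a different PR number.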

@kwiatekus kwiatekus requested review from a team as code owners May 7, 2026 13:52
@kwiatekus kwiatekus added the area/security Issues or PRs related to security label May 7, 2026
@kwiatekus kwiatekus merged commit 3d5fefe into kyma-project:main May 8, 2026
67 of 75 checks passed