Switch caller triggers from pull_request to pull_request_target

Fork-PR welcomes and thanks were failing because pull_request events
from forks run with a read-only token and no secrets access — the
jinx app token can't be minted, the workflow dies before posting.

pull_request_target runs in the upstream repo's context with full
secrets access, so the welcome/thank/checklist comments fire on
fork PRs too.

The workflows don't check out PR head code, so the usual
pull_request_target security concern (running untrusted code with
secrets) doesn't apply here — they only post a comment via the app
token.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: drmowinckels

.github/workflows/hello.yaml

@@ -1,7 +1,7 @@
 name: Hello on PR or Issue
 
 on:
-  pull_request:
+  pull_request_target:
     types: [opened, closed]
   issues:
     types: [opened]
@@ -19,7 +19,7 @@ jobs:
       JINX_PRIVATE_KEY: ${{ secrets.JINX_PRIVATE_KEY }}
 
   thank:
-    if: github.event_name == 'pull_request' && github.event.action == 'closed' && github.event.pull_request.merged == true
+    if: github.event_name == 'pull_request_target' && github.event.action == 'closed' && github.event.pull_request.merged == true
     uses: rladies/jinx/.github/workflows/reusable-thank-contributor.yml@main
     secrets:
       JINX_APP_ID: ${{ secrets.JINX_APP_ID }}