fix(security): Remove unsafe PR head checkout in pull_request_target workflow

[fix-it-felix-sentry]

Summary

This PR fixes a high-severity security vulnerability (VULN-1416) in the changelog-preview workflow where untrusted PR code could be executed with access to repository secrets.

Problem

The workflow uses pull_request_target which runs with elevated permissions and access to secrets. The vulnerable code had a fallback that would checkout the PR head ref (github.event.pull_request.head.sha) when merge conflicts existed:

- uses: actions/checkout@v6
  if: steps.checkout-merge.outcome == 'failure'
  with:
    ref: ${{ github.event.pull_request.head.sha }}  # ⚠️ UNSAFE

This allowed attackers to potentially execute arbitrary code from malicious PRs with full repository access.

Solution

• ✅ Removed the unsafe fallback checkout of PR head
• ✅ Workflow now fails safely when merge conflicts exist
• ✅ Added clear error messages instructing users to resolve conflicts
• ✅ Updated security documentation in the workflow file

Changes

1. Removed continue-on-error: true from merge ref checkout
2. Removed the fallback checkout step entirely
3. Added a failure handler with informative error messages
4. Enhanced security notes to document the safeguards

Testing

This is a workflow configuration change. The behavior change is:

• Before: Workflow would checkout PR head when merge conflicts existed
• After: Workflow fails gracefully with clear error message

No existing tests are affected as there are no automated tests for workflow files.

References

• Parent ticket: https://linear.app/getsentry/issue/VULN-1416
• Child ticket: https://linear.app/getsentry/issue/DI-1825
• Semgrep rule: https://semgrep.dev/r/yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout
• GitHub Security Lab research: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

[sentry]

Bug: The error handling step with if: failure() will not execute when the checkout-merge step fails because continue-on-error: true was removed from the failing step.
_{Severity: MEDIUM}

Suggested Fix

Reinstate continue-on-error: true on the checkout-merge step. This will allow the workflow to proceed to the next step, where the if: failure() condition can be evaluated to display the intended error message when merge conflicts occur.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: .github/workflows/changelog-preview.yml#L96-L101

Potential issue: The `checkout-merge` step had `continue-on-error: true` removed, and a
new step with `if: failure()` was added to handle checkout failures. However, GitHub
Actions jobs halt immediately on a failed step. Subsequent steps, even those with an
`if: failure()` condition, are not evaluated unless the failing step is marked with
`continue-on-error: true`. Consequently, if the `checkout-merge` step fails (e.g., due
to merge conflicts), the intended error message will not be displayed, and the workflow
will fail without providing the helpful context to the user.

_{Did we get this right? 👍 / 👎 to inform future reviews.}

[BYK]

This is intentional