I have been reading about GitHub Actions security and came across some concerns regarding the use of `pull_request_target` in the recommended `documentation-links.yml` from the README. I am not an expert, which is actually the point of this request. In particular, the use of `pull_request_target` in the suggested workflow triggers the security tool zizmor to flag the usage as follows:
```
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
  |
2 | / on:
3 | |   pull_request_target:
4 | |     types:
5 | |       - opened
  | |______________^ pull_request_target is almost always used insecurely
```
I'm trying to understand the implications and whether or not this usage is actually unsafe. From what I understand, it may be safe in the context of this RTD action because no code from the forked repo is ever checked out or executed.
It would be really helpful to save others similar research if someone could explicitly address the security implications in the README. If my understanding is incorrect, I would appreciate any guidance or corrections. Thank you for your time and for maintaining this project!
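The distinction the post is asking about (the trigger itself versus what the job does with it) can be made mechanical. The following is an added example, not code from this project and not zizmor's implementation: a small heuristic audit that flags `pull_request_target` and then looks for the two things that turn it from "review carefully" into "dangerous", a checkout of the PR head and interpolation of PR-controlled strings into `run:` steps. Both workflows below are constructed samples; `example-org/preview-comment@v1` and the `example-project` slug are hypothetical names, not the action or file this issue refers to.

```python
"""Heuristic audit of a GitHub Actions workflow for the pull_request_target
pitfall. Line-based on purpose (no YAML library needed); it does not follow
multi-line `run: |` blocks, so treat a clean result as "nothing obvious", not
as proof of safety.
"""
import re

# Constructed sample: pull_request_target with no checkout of PR code.
# The called action is hypothetical; the point is that no PR-controlled
# code or string reaches the runner.
SAFE_WORKFLOW = """\
name: docs-preview-links
on:
  pull_request_target:
    types:
      - opened
permissions:
  pull-requests: write
jobs:
  links:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/preview-comment@v1   # hypothetical action
        with:
          project-slug: example-project
"""

# Constructed sample of the classic mistake: privileged trigger plus a
# checkout of the PR head, then building/installing that code.
DANGEROUS_WORKFLOW = """\
name: docs-preview-links
on:
  pull_request_target:
    types:
      - opened
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pip install -e . && python -m build
"""

TRIGGER_RE = re.compile(r"^\s*pull_request_target\s*:", re.M)
CHECKOUT_RE = re.compile(r"uses:\s*actions/checkout@")
# Ways a workflow can name the PR head (all attacker-controlled on a fork PR).
HEAD_REF_RE = re.compile(r"github\.(event\.pull_request\.head\.(sha|ref)|head_ref)")
# PR-controlled strings that become shell when interpolated into `run:`.
INJECT_RE = re.compile(
    r"\$\{\{\s*github\.(event\.pull_request\.(title|body|head\.ref|head\.label)"
    r"|head_ref)\s*\}\}"
)


def audit_workflow(text: str) -> list[str]:
    """Return a list of findings; empty means the trigger is not used."""
    findings: list[str] = []
    if not TRIGGER_RE.search(text):
        # Plain `pull_request` from a fork: read-only GITHUB_TOKEN, no secrets.
        return findings
    findings.append(
        "pull_request_target: job runs in the base repository context with "
        "repository secrets and a write-capable GITHUB_TOKEN"
    )
    in_checkout = False
    for line in text.splitlines():
        if CHECKOUT_RE.search(line):
            in_checkout = True
            continue
        if in_checkout and re.match(r"\s*-\s", line):
            in_checkout = False  # a new step begins; leave the checkout block
        if in_checkout and "ref:" in line and HEAD_REF_RE.search(line):
            findings.append(
                "actions/checkout of the PR head under pull_request_target: "
                "untrusted code runs with privileged credentials"
            )
        run = re.search(r"run:\s*(.*)", line)
        if run and INJECT_RE.search(run.group(1)):
            findings.append(
                "PR-controlled string interpolated into a run: step "
                "(expression injection)"
            )
    return findings


def verdict(text: str) -> str:
    """'ok' (trigger absent), 'review' (trigger only), or 'dangerous'."""
    findings = audit_workflow(text)
    if not findings:
        return "ok"
    return "review" if len(findings) == 1 else "dangerous"


if __name__ == "__main__":
    for name, wf in (("safe", SAFE_WORKFLOW), ("dangerous", DANGEROUS_WORKFLOW)):
        print(name, "->", verdict(wf))
        for f in audit_workflow(wf):
            print("   ", f)
```

The "review" verdict is deliberately not "safe": with `pull_request_target` the job still holds base-repo credentials, so the remaining question is whether the action it calls ever fetches or executes anything from the PR head. That has to be answered by reading the action, not the workflow file alone.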