Feature: SAST tool run on PR should count more than those run after merge

[laurentsimon]

See https://github.com/ossf/scorecard/issues/1031#issuecomment-969117938 (Additional long-term improvements are in https://github.com/ossf/scorecard/issues/966#issuecomment-915598041)

We would like to give more points to repos that run SAST before merging code, i.e. on pull_request event.

FYI, cron-scheduled runs are automatically disabled after 60 days of inactivity https://docs.github.com/en/actions/managing-workflow-runs/disabling-and-enabling-a-workflow