
Dangerous workflows: detect refs

Open laurentsimon opened this issue 3 years ago • 5 comments

Workflows that use labels to enforce reviews before running tests on `pull_request_target` check out the repo with `ref: ${{github.event.pull_request.head.sha}}`. One mistake some developers make is to use `ref: ${{github.event.pull_request.head.ref}}` instead, which is subject to a TOCTOU attack.

  1. Maintainer reviews the PR code and adds a label
  2. Attacker pushes different code before the workflow is triggered / the repo is checked out.

Scorecard can detect these as part of the dangerous workflow check.

laurentsimon, Oct 26 '22 16:10
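The check the issue asks for, written out as an added illustration (this is not Scorecard's code; Scorecard is a Go project and parses workflows properly). The scanner below is a line-oriented pass over the workflow text rather than a full YAML parse, which is enough for the common layout shown in the constructed sample workflows. It flags an `actions/checkout` step whose `ref:` is the PR branch (`github.event.pull_request.head.ref`, or the equivalent `github.head_ref` context, which I include as an assumption beyond the issue text) only when the workflow is triggered by `pull_request_target`; on a plain `pull_request` trigger the token is read-only, so checking out the branch is not the same risk.

```python
"""Flag actions/checkout steps that check out a mutable PR ref in a
pull_request_target workflow.  Added illustration, not Scorecard's code."""
import re
from dataclasses import dataclass

# pull_request_target runs with a write token and secrets, so the code it
# checks out must be pinned to the reviewed commit (head.sha), not a branch.
TRIGGER_KEY = re.compile(r"""^(?:on|'on'|"on"):""")
PR_TARGET = re.compile(r"\bpull_request_target\b")
STEP_START = re.compile(r"^(\s*)-\s")
USES_CHECKOUT = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?actions/checkout""")
REF_LINE = re.compile(r"^\s*ref:\s*(.+?)\s*$")
# A branch name moves with every push; a commit SHA does not.  github.head_ref
# is the same PR branch name exposed through the top-level github context.
MUTABLE_REF = re.compile(r"github\.event\.pull_request\.head\.ref|github\.head_ref")


@dataclass
class Finding:
    line: int  # 1-based line of the offending ref: entry
    ref: str   # the ref expression as written in the workflow


def uses_pull_request_target(lines):
    """True if the workflow's on: block includes pull_request_target."""
    in_on = False
    for line in lines:
        if TRIGGER_KEY.match(line):
            if PR_TARGET.search(line):  # on: pull_request_target / on: [...]
                return True
            in_on = True
            continue
        if in_on:
            if line.strip() and not line[0].isspace() and not line.startswith("#"):
                in_on = False  # back at column 0: the on: block is over
            elif PR_TARGET.search(line):
                return True
    return False


def scan_workflow(text):
    """Return a Finding for each checkout step pinned to a mutable PR ref."""
    lines = text.splitlines()
    if not uses_pull_request_target(lines):
        return []  # on pull_request the token is read-only; head.ref is fine
    findings = []
    step = None  # current step: {"indent", "checkout", "ref"}

    def flush():
        if step and step["checkout"] and step["ref"]:
            lineno, expr = step["ref"]
            if MUTABLE_REF.search(expr):
                findings.append(Finding(lineno, expr))

    for n, line in enumerate(lines, 1):
        m = STEP_START.match(line)
        if m:
            flush()  # previous step is complete
            step = {"indent": len(m.group(1)), "checkout": False, "ref": None}
        elif step is not None and line.strip() and \
                len(line) - len(line.lstrip()) <= step["indent"]:
            flush()
            step = None  # dedented past the step list, e.g. a new job
        if step is None:
            continue
        if USES_CHECKOUT.match(line):
            step["checkout"] = True
        r = REF_LINE.match(line)
        if r:
            step["ref"] = (n, r.group(1))
    flush()
    return findings


# Constructed sample workflows (not taken from the issue).
UNSAFE_WORKFLOW = """\
name: label-gated tests
on:
  pull_request_target:
    types: [labeled]
jobs:
  test:
    if: contains(github.event.pull_request.labels.*.name, 'safe to test')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.ref }}
      - run: make test
"""
# The fix the issue describes: pin to the commit the maintainer reviewed.
SAFE_WORKFLOW = UNSAFE_WORKFLOW.replace("head.ref", "head.sha")
PULL_REQUEST_WORKFLOW = """\
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.ref }}
"""
INLINE_TRIGGER_WORKFLOW = """\
on: [push, pull_request_target]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the PR branch
        uses: actions/checkout@v3
        with:
          ref: ${{ github.head_ref }}
"""

if __name__ == "__main__":
    for name, wf in [("unsafe", UNSAFE_WORKFLOW), ("safe", SAFE_WORKFLOW),
                     ("pull_request", PULL_REQUEST_WORKFLOW),
                     ("inline", INLINE_TRIGGER_WORKFLOW)]:
        print(name, scan_workflow(wf))
```

`scan_workflow(UNSAFE_WORKFLOW)` reports the `ref:` line, the `head.sha` variant and the plain `pull_request` workflow come back clean, and the inline `on: [push, pull_request_target]` form is still caught. A real implementation should parse the YAML (jobs can also inherit checkout steps from reusable workflows) and should treat any later `git checkout`/`git pull` of the branch in a `run:` step the same way; the line scan here only covers the `actions/checkout` input the issue is about.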