ci: run actions on pull_request

This seems to be the correct and safe way to enable github actions CI
runs for third party forks (when they are submitted as a PR).

The important detail is that the `.github/*` action stuff does not run
from the fork, it runs from the previous `main` (or whatever branch)
that the fork branched off from. This should prevent exfiltration of
secrets?

Still possible for folks to, eg, mine cryptocurrency on our dime, I
think. The current behavior from the github UI side should be that
first-time contributors need to be approved before the CI job runs.