
Harden Forgejo CI: disable untrusted PR runs on self-hosted runner#40

Merged
blackopsrepl merged 1 commit into main from codex/fix-ci-vulnerability-for-untrusted-prs
Mar 23, 2026

Conversation

@blackopsrepl
Contributor

Motivation

  • The CI workflow ran on pull_request and executed repository-controlled build steps on the self-hosted rust runner, allowing untrusted PRs to run arbitrary commands on the runner host, so the trigger must be removed to prevent RCE risk.

Description

  • Replace the pull_request trigger with workflow_dispatch in .forgejo/workflows/ci.yml while keeping the existing push triggers and all job steps intact to preserve CI functionality for trusted pushes and manual runs.

Testing

  • Validated the edited workflow parses successfully with ruby -e "require 'yaml'; YAML.load_file('.forgejo/workflows/ci.yml')" which returned successfully; git diff showed the change; and the change was committed successfully.
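The PR's own validation only checks that the workflow still parses. The following is an added example, not code from the PR or the repository, of a stronger check a maintainer could run over the file: it parses the workflow and reports any trigger that an outside contributor can fire (pull_request, pull_request_target) whose jobs land on a self-hosted runner. The two embedded workflows are constructed to mirror the before and after state this PR describes; the job name, steps and the runner label list (the page only mentions a "rust" runner) are assumptions. One caveat the PR's own ruby check silently hides: Psych follows YAML 1.1, so a bare `on:` key is loaded as the boolean `true`, not the string `"on"`, which the code below accounts for.

```ruby
require 'yaml'

# Constructed "before" workflow: pull_request trigger plus a job on a
# self-hosted runner. Job name, steps and runner label are assumptions.
BEFORE_CI = <<~YAML
  on:
    push:
      branches: [main, dev, release/*, feature/*]
    pull_request:
      branches: [main, dev, release/*]
  jobs:
    build:
      runs-on: rust          # self-hosted runner label (assumed)
      steps:
        - uses: actions/checkout@v4
        - run: cargo test    # repository-controlled step
YAML

# Constructed "after" workflow in the shape this PR describes:
# pull_request replaced by workflow_dispatch, push triggers and job kept.
AFTER_CI = <<~YAML
  on:
    push:
      branches: [main, dev, release/*, feature/*]
    workflow_dispatch:
  jobs:
    build:
      runs-on: rust
      steps:
        - uses: actions/checkout@v4
        - run: cargo test
YAML

# Runner labels treated as self-hosted; "rust" is assumed from this page.
SELF_HOSTED_LABELS = %w[self-hosted rust].freeze

# Triggers that someone without push access to the base repository can fire.
UNTRUSTED_TRIGGERS = %w[pull_request pull_request_target].freeze

# Returns the list of trigger names declared under `on`, whether the key was
# written as a string, a list or a mapping. Psych (YAML 1.1) resolves a bare
# `on` key to boolean true, so both spellings are looked up.
def triggers(doc)
  on = doc['on'] || doc[true]
  case on
  when String then [on]
  when Array  then on.map(&:to_s)
  when Hash   then on.keys.map(&:to_s)
  else []
  end
end

# Names of jobs whose runs-on value (string or label list) matches a
# self-hosted label.
def self_hosted_jobs(doc)
  (doc['jobs'] || {}).select do |_, job|
    labels = Array(job['runs-on']).map(&:to_s)
    labels.any? { |l| SELF_HOSTED_LABELS.include?(l) }
  end.keys
end

# Audits one workflow file's text. Returns an array of human-readable findings,
# empty when no untrusted trigger can reach a self-hosted job.
def audit_workflow(yaml_text)
  doc = YAML.safe_load(yaml_text)
  bad_triggers = triggers(doc) & UNTRUSTED_TRIGGERS
  jobs = self_hosted_jobs(doc)
  return [] if bad_triggers.empty? || jobs.empty?
  bad_triggers.product(jobs).map do |trigger, job|
    "trigger '#{trigger}' runs job '#{job}' on a self-hosted runner"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "before: #{audit_workflow(BEFORE_CI).inspect}"
  puts "after:  #{audit_workflow(AFTER_CI).inspect}"
end
```

Run against the real file with `audit_workflow(File.read('.forgejo/workflows/ci.yml'))`; a non-empty result means the hardening has regressed. The check is deliberately conservative: it flags pull_request_target as well, since that trigger runs with base-repository credentials and is a common way the same exposure creeps back in.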

Codex Task


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6367c31c53


.forgejo/workflows/ci.yml (reviewed lines; original indentation lost in extraction):

```yaml
branches: [main, dev, release/*, feature/*]
pull_request:
branches: [main, dev, release/*]
workflow_dispatch:
```
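Review bot: As rendered here the trigger block still shows a `pull_request:` entry with `branches: [main, dev, release/*]` immediately before `workflow_dispatch:`, which contradicts the description's claim that pull_request was replaced; if those two lines are the removed side of the diff, the `+`/`-` markers were lost in extraction, and it is worth confirming in the merged file that only `push` and `workflow_dispatch` remain under `on`, since any surviving `pull_request` trigger would keep running repository-controlled steps on the self-hosted runner. Also note that the `push` trigger still covers `feature/*`, so anyone with push access to such branches can run those steps on the runner; that is consistent with the PR's trust model (pushers are collaborators) but deserves a sentence in the description.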

P2: Restore a PR-capable trigger for fork contributions

For pull requests opened from forks, replacing pull_request with workflow_dispatch removes the only way to test the proposed commit on Forgejo before merge. A manual dispatch runs against a ref in the base repository, and the unchanged actions/checkout@v4 step later in this file uses its defaults, so it checks out github.repository at that base ref rather than the contributor's fork/head branch. In practice, forked PRs now get no Forgejo CI coverage unless a maintainer first copies the branch into this repository.


@blackopsrepl force-pushed the codex/fix-ci-vulnerability-for-untrusted-prs branch from 6367c31 to 8351a25 on March 23, 2026 14:20
@blackopsrepl
Contributor Author

I do not think the Codex review identifies a correctness bug in this PR. It correctly notes that removing pull_request also removes Forgejo CI coverage for fork PRs, but restoring fork-triggered execution on the self-hosted rust runner would reintroduce the original risk this PR is fixing: untrusted repository-controlled commands running on that host. On the rebased branch there is still no safe PR-capable trigger here that preserves the current job behavior without bringing that exposure back, so I kept the trigger removal as intended. Local validation passed with cargo fmt --all -- --check, cargo clippy --workspace --all-targets -- -D warnings, and cargo test.

@blackopsrepl blackopsrepl merged commit 0a85bb3 into main Mar 23, 2026
1 check passed
