Fix forgeable context usage in welcome workflow (`github.actor` → safe event fields)

[yada]

Issue reported by SonarQube Inwelcome-new-users.yml workflow:

The welcome workflow currently relies on github.actor to filter bot users.
This is flagged by GitHub security guidance as a forgeable context value, especially when using pull_request_target.

This issue proposes switching to non-forgeable fields:
github.event.pull_request.user.login
github.event.issue.user.login

The goal is to preserve existing behavior while resolving the security warning.

[yada]

I made some tests on a fork and tried multiple ways like:

    # Do not run on bots
    if: >
      github.event_name == 'pull_request_target' &&
      !contains(fromJson('["dependabot[bot]", "dependabot-preview[bot]", "allcontributors[bot]"]'),
            github.event.pull_request.user.login) ||
      github.event_name == 'issues' &&
      !contains(fromJson('["dependabot[bot]", "dependabot-preview[bot]", "allcontributors[bot]"]'),
            github.event.issue.user.login)

But, this is not as efficient as expected... based on the nature and impact (just adding comments) of this workflow and as the check only send a message for the first issue, PR, merge... is working fine: I recommend making it simple and removing this exclusion check as it is not necessary ref: wow-actions/welcome).