fix: restrict pull_request_target prettier workflow to same-repo PRs (#4888)

Author: barakharyati

.github/workflows/prettier.yml

@@ -10,6 +10,12 @@ concurrency:
 
 jobs:
   format:
+    # ---------------------------------------------------------
+    # SAFETY CHECK:
+    # Only run for PRs from the SAME repository.
+    # Fork PRs are skipped entirely to prevent RCE via npm install.
+    # ---------------------------------------------------------
+    if: ${{ github.event.pull_request.head.repo.fork == false }}
     permissions:
       contents: write
     runs-on: ubuntu-latest