chore(repo): limit pr validation runs to checkout only from master (#32545)

Reduces some unnecessary permissions to ease future risks.

Author: AgentEnder

.github/workflows/pr-title-validation.yml

@@ -1,9 +1,11 @@
 name: PR Title Validation
 
 on:
-  pull_request_target:
+  pull_request:
     types: [opened, edited, synchronize, reopened]
 
+permissions: read-all
+
 jobs:
   validate-pr-title:
     name: Validate PR Title
@@ -12,8 +14,8 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
-          # For pull_request_target, we need to checkout the base branch
-          ref: ${{ github.event.pull_request.base.ref }}
+          # Ensure's validate-pr-title.js is the copy from master
+          ref: master
 
       - name: Setup Node.js
         uses: actions/setup-node@v4