
Feature: Audit for pull_request_target used for Dependabot & Renovate auto approve / merge #684

@Marcono1234

Description

Pre-submission checks

  • I am not reporting a bug (crash, false positive/negative, etc). These must be filed via the bug report template.
  • I have looked through the open issues for a duplicate request.

What's the problem this feature will solve?

Relates to #170

Users sometimes write workflows to automatically approve or merge Dependabot and Renovate PRs. To my understanding, pull_request_target is not actually needed for these cases because Dependabot and Renovate create branches within the same repository, and therefore on: pull_request should suffice to get a privileged token (unlike malicious PRs from forks, which don't get a privileged token).

Unfortunately, it seems some webpages, including older versions of the GitHub documentation (but not the latest one), recommended using pull_request_target.

Describe the solution you'd like

Maybe either add a new audit rule, or extend the existing dangerous-triggers one, to report workflows which check if the author is Dependabot or Renovate, and where it is therefore likely that pull_request_target is not needed and pull_request suffices (if users explicitly specify permissions, see GitHub documentation).

(This would act as additional defense in combination with #170)

Additional context

No response
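A heuristic in the spirit of the rule proposed in this issue, added here as an illustration (not zizmor's code; the workflow dicts are constructed samples shaped like what a YAML loader returns for a workflow file):

```python
# Heuristic for the proposed rule: pull_request_target plus a job/step gated on
# the Dependabot or Renovate bot author is likely a bot auto-approve/merge.
import re

BOT_AUTHOR = re.compile(r"dependabot\[bot\]|renovate\[bot\]", re.IGNORECASE)

def triggers(workflow):
    """Event names the workflow runs on. Accepts `on: x`, `on: [x, y]` and
    `on: {x: {...}}`, plus the YAML 1.1 quirk where a loader reads the bare
    key `on` as boolean True."""
    on = workflow.get("on", workflow.get(True))
    if on is None:
        return set()
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on.keys())

def bot_conditions(workflow):
    """Job- and step-level `if:` expressions that mention a bot author."""
    found = []
    for job in workflow.get("jobs", {}).values():
        exprs = [job.get("if", "")] + [s.get("if", "") for s in job.get("steps", [])]
        found += [e for e in exprs if BOT_AUTHOR.search(str(e))]
    return found

def audit(workflow):
    """Return a finding, or None when the workflow does not match the pattern."""
    if "pull_request_target" not in triggers(workflow):
        return None
    conds = bot_conditions(workflow)
    if not conds:
        return None
    return ("pull_request_target gated on a bot author (%r); Dependabot/Renovate "
            "branches live in this repository, so `pull_request` with explicit "
            "`permissions:` should suffice" % conds[0])

# Constructed sample, shaped like a YAML loader's output for a (hypothetical)
# workflow that auto-approves Dependabot PRs under pull_request_target.
RISKY = {
    "on": {"pull_request_target": None},
    "jobs": {"approve": {
        "if": "github.actor == 'dependabot[bot]'",
        "steps": [{"run": "gh pr review --approve \"$PR_URL\""}],
    }},
}
# The same job moved to the plain pull_request event, as the issue suggests.
SAFER = {**RISKY, "on": ["pull_request"]}
```

The `True` key handling matters in practice: PyYAML and other YAML 1.1 loaders turn the unquoted `on:` key into a boolean, so a check that only looks up the string `"on"` silently sees no triggers at all.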
