Description
The workflow should be split in two, with a "pull_request" workflow (unprivileged) to run formatting actions, and a separate "workflow_run" (privileged) to post the issue update, as recommended by https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
The current implementation is not obviously broken (it does not run binaries from the untrusted checkout), but manipulating the untrusted checkout at all in a privileged context is riskier than necessary, so it would be improved by splitting it into two parts.
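The split described above, as an added illustration that is not this project's workflow: the first workflow runs on `pull_request` with a read-only token and only produces an artifact; the second runs on `workflow_run` with write permission, never checks out the PR, and treats the artifact as untrusted input. The workflow names, the `scripts/format-check.sh` command and the artifact file names are placeholders.

```yaml
# .github/workflows/format-check.yml  (placeholder name)
# Unprivileged half: triggered by pull_request, so for fork PRs GITHUB_TOKEN is
# read-only and no repository secrets are exposed. Checking out and running the
# untrusted PR code is acceptable here because nothing privileged is reachable.
name: format-check
on:
  pull_request:
permissions:
  contents: read
jobs:
  format:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run formatter and capture its report (placeholder script)
        run: ./scripts/format-check.sh > format-report.txt 2>&1 || true
      - name: Record the PR number for the privileged half
        run: echo "${{ github.event.pull_request.number }}" > pr-number.txt
      - uses: actions/upload-artifact@v4
        with:
          name: format-report
          path: |
            format-report.txt
            pr-number.txt
---
# .github/workflows/post-format-report.yml  (placeholder name)
# Privileged half: triggered by workflow_run, which always executes the
# workflow file from the default branch with a write-capable token.
# It must not check out or execute anything from the PR; the artifact is the
# only input, and it is attacker-controlled, so it is validated before use.
name: post-format-report
on:
  workflow_run:
    workflows: ["format-check"]
    types: [completed]
permissions:
  pull-requests: write
jobs:
  comment:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.event == 'pull_request'
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: format-report
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Post the report as a PR comment
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            // The PR number comes from an untrusted artifact: check its shape,
            // then confirm it really is a PR whose head is the commit this run was for.
            const pr = Number(fs.readFileSync('pr-number.txt', 'utf8').trim());
            if (!Number.isInteger(pr) || pr <= 0) throw new Error('invalid PR number in artifact');
            const headSha = context.payload.workflow_run.head_sha;
            const { data: prsForCommit } = await github.rest.repos.listPullRequestsAssociatedWithCommit({
              owner: context.repo.owner, repo: context.repo.repo, commit_sha: headSha,
            });
            if (!prsForCommit.some(p => p.number === pr)) {
              throw new Error(`PR #${pr} is not associated with head commit ${headSha}`);
            }
            // Bound the untrusted report so a hostile PR cannot post an oversized comment.
            const body = fs.readFileSync('format-report.txt', 'utf8').slice(0, 60000);
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: pr,
              body: 'Formatting report for ' + headSha + ':\n```\n' + body + '\n```',
            });
```

The important property is the asymmetry: everything that touches PR-controlled content (checkout, running the formatter) happens where the token cannot write, and the only thing crossing into the privileged workflow is a data artifact that is validated (PR number cross-checked against the run's head commit, report size bounded) before the write-capable token acts on it.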