Fix lint workflow to checkout PR branch instead of base branch

[Copilot]

The lint.yml workflow uses pull_request_target, which causes actions/checkout to check out the base branch (main) by default—not the PR branch. Rubocop then lints main, misses PR fixes, and fails on already-resolved issues.

Change

Added explicit ref to the checkout step:

- uses: actions/checkout@v6.0.1
  with:
    ref: ${{ github.event.pull_request.head.ref || github.ref }}

• pull_request_target → checks out the PR's head branch
• workflow_dispatch / merge_group → falls back to github.ref (default behavior)

Uses head.ref (branch name) rather than head.sha because the workflow pushes auto-corrected commits back to the PR branch, which requires a named ref.

---

⚡ Quickly spin up Copilot coding agent tasks from anywhere on your macOS or Windows machine with Raycast.

[Copilot]

Pull request overview

Updates the lint GitHub Actions workflow so that, when triggered via pull_request_target, it checks out the PR’s head branch rather than the base branch—ensuring RuboCop runs against the proposed changes and can auto-correct them on the PR branch.

Changes:

• Add an explicit ref to actions/checkout to prefer github.event.pull_request.head.ref with a fallback to github.ref.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Checking out the PR head branch under pull_request_target while the workflow has contents: write and runs Bundler/RuboCop means untrusted PR code can execute with a write-capable GITHUB_TOKEN (repo-compromise risk). It will also fail for fork PRs because head.ref refers to a branch in the fork, but actions/checkout defaults to the base repo unless repository: is set.

Consider gating this job/step to same-repo PRs only (e.g., if: github.event.pull_request.head.repo.full_name == github.repository) and using a separate read-only lint workflow for forks; or otherwise avoid pull_request_target + write permissions when running PR code.