ci(github-actions): fix workflow failures for external fork PRs (WPB-8645)

[MohamadJaara]

https://wearezeta.atlassian.net/browse/WPB-8645

What's new in this PR?

Issues

Four GitHub Actions workflows fail or produce incorrect behaviour when a PR is opened from an external contributor's fork:

• jira-lint-and-link: The fork-detection guard (github.repository_owner == 'wireapp') always evaluates to true, even for fork PRs, because GitHub runs the workflow in the base repo context. As a result the workflow attempted to use JIRA_TOKEN on fork PRs where the secret is unavailable, causing a failure instead of a clean skip.
• pr-author-assigner: Used the pull_request trigger, which does not grant pull-requests: write permission for fork PRs. Auto-assignment silently failed.
• semantic-commit-lint: Used the pull_request trigger, so gh pr edit --add-label / --remove-label failed on fork PRs due to missing write permissions. Also contained an unnecessary actions/checkout step.
• publish-test-results: The workflow_run trigger referenced workflows: [Run Unit Tests] but no workflow with that name exists — the actual top-level PR workflows are named "Develop" and "Main". This meant the job never triggered. Additionally, if DD_API_KEY is absent, the Datadog upload steps failed and took down the entire publish job.

Solutions

• jira-lint-and-link.yml: Replaced the broken fork check (github.repository_owner == 'wireapp') with the correct expression (github.event.pull_request.head.repo.full_name == github.repository) on both jobs. Fork PRs now skip cleanly; GitHub branch protection treats a conditionally-skipped required check as passing.
• pr-author-assigner.yml: Switched trigger from pull_request to pull_request_target. The action only calls the GitHub API to assign the PR author — no fork code is checked out or executed.
• semantic-commit-lint.yml: Switched trigger to pull_request_target and removed the unnecessary actions/checkout step. The semantic PR linter reads the PR title directly from the event payload via the GitHub API.
• publish-test-results.yml: Fixed the workflow_run trigger to listen to ["Develop", "Main"] (the actual top-level PR workflow names). Added DD_API_KEY as a job-level env var and gated all three Datadog steps (setup-node, install datadog-ci, upload results) with if: ${{ env.DD_API_KEY != '' }} so they skip gracefully when the secret is not configured.

Notes

pull_request_target is safe for pr-author-assigner and semantic-commit-lint because neither workflow checks out or executes code from the fork's tree. The workflow YAML always runs from the base branch with pull_request_target, so a fork contributor cannot modify the workflow to access secrets via a PR.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud