Action pull-request.yml possibly vulnerable to RCE

[nickleali]

Describe the bug
The pull-request.yml is vulnerable to RCE via a malicious PR

https://github.com/webex/webex-js-sdk/blob/next/.github/workflows/pull-request.yml

See more information in the github blog
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

To Reproduce
Steps to reproduce the behavior:

While the event verifies that the PR contains a validated label, it is possible for the attacker to push malicious content to the PR after this label was added. After the validation, the workflow:
- name: Checkout Project
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}

Checks out the PR, which may contain malicious data.
Then it runs yarn, which uses local data, and may lead to RCE:
- name: Install Dependencies
run: yarn

Expected behavior
May consider not using the pull_request action or a different flow to invoke yarn.

Screenshots
If applicable, add screenshots to help explain your problem.

Platform (please complete the following information):

• OS: Linux platforms
• Browser independent
• Version independed

Additional context
No additional context but refer to the github best practices