[Bugfix]: owner-notification: checkout base repo (not PR head) to eliminate pull_request_target external code risk (#747)

Signed-off-by: samzong <samzong.lu@gmail.com>
Co-authored-by: Huamin Chen <rootfs@users.noreply.github.com>

Author: samzong

.github/workflows/owner-notification.yml

@@ -17,8 +17,8 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
-          repository: ${{ github.event.pull_request.head.repo.full_name }}
-          ref: ${{ github.event.pull_request.head.sha }}
+          repository: ${{ github.repository }}
+          ref: ${{ github.event.pull_request.base.sha }}
           fetch-depth: 0
 
       - name: Get changed files