GHA trigger CI with pull_request_target for secrets access

[AndreKurait]

Description

Update pull request trigger to be "pull_request_target" which allows actions to access secrets needed for CODECOV_TOKEN.

Removed codecov retry since this was due to throttling when ran without tokens, the retry didn't help. Also added verbose: true to aid in any future debugging on codecov action.

See documentation: https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflows-in-forked-repositories

Note: This will make changes to GHA workflows slightly more complicated, the GHA on the PR will run with the upstream branch workflow definition when triggered on a PR from a forked repository (a security feature). Instead we can push updates to a branch to verify, or temporarily update pull_request_target -> pull_request in a staged commit which will run the forked actions without secrets.

Testing

See GHA

Verified throttle limits aren't hit

• https://github.com/opensearch-project/opensearch-migrations/actions/runs/11810094397/job/32901507727

Verified PRs run with secrets:

• https://github.com/opensearch-project/opensearch-migrations/actions/runs/11810129776/job/32901596046?pr=1131

Check List

• New functionality includes testing
  • All tests pass, including unit test, integration test and doctest
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[gregschohn]

Can you please clarify what this means?
"This will make updates to GHA slightly more complicated, they won't run when triggered on a PR from a forked repository (a security feature)."

Does that mean that creating a PR from my fork won't be able to run codecov? Will that show up as an error or would it just not run? Given our current, typical workflow with forked repos, would devs know codecov differences before merging?

[AndreKurait]

Can you please clarify what this means?

"This will make updates to GHA slightly more complicated, they won't run when triggered on a PR from a forked repository (a security feature)."

Does that mean that creating a PR from my fork won't be able to run codecov? Will that show up as an error or would it just not run? Given our current, typical workflow with forked repos, would devs know codecov differences before merging?

The GHA will still run on PRs from a forked repo. They will just use the workflow definition from the upstream branch instead of from the fork.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.74%. Comparing base (d7884e9) to head (75fafba).
Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##               main    #1132   +/-   ##
=========================================
  Coverage     80.74%   80.74%           
  Complexity     2924     2924           
=========================================
  Files           399      399           
  Lines         14845    14845           
  Branches       1007     1007           
=========================================
  Hits          11986    11986           
  Misses         2252     2252           
  Partials        607      607           

Flag	Coverage Δ
gradle-test	78.75% <ø> (ø)
python-test	89.93% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.