Treat PRs with agit flow as fork PRs when triggering actions. (#23884)

There is no fork concept in agit flow, anyone with read permission can
push `refs/for/<target-branch>/<topic-branch>` to the repo. So we should
treat it as a fork pull request because it may be from an untrusted
user.

models/actions/run.go

@@ -36,7 +36,7 @@ type ActionRun struct {
 	TriggerUser       *user_model.User       `xorm:"-"`
 	Ref               string
 	CommitSHA         string
-	IsForkPullRequest bool
+	IsForkPullRequest bool  // If this is triggered by a PR from a forked repository or an untrusted user, we need to check if it is approved and limit permissions when running the workflow.
 	NeedApproval      bool  // may need approval if it's a fork pull request
 	ApprovedBy        int64 `xorm:"index"` // who approved
 	Event             webhook_module.HookEventType