enable sonar for dependabot PRs

Author: wuan

.github/workflows/build.yml

@@ -5,8 +5,9 @@ on:
   push:
     branches:
       - main
-  pull_request:
-
+  pull_request_target:
+    branches:
+      - main
 
 permissions:
   contents: read
@@ -19,7 +20,7 @@ jobs:
     name: Build
     strategy:
       matrix:
-        python-version: [ "3.9", "3.10", "3.11", "3.12" ]
+        python-version: [ "3.10", "3.11", "3.12", "3.13" ]
         os: [ ubuntu-latest, macos-latest, windows-latest ]
     runs-on: ${{ matrix.os }}
     steps:
@@ -32,6 +33,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+          ref: "${{ (github.event_name == 'pull_request_target') && github.event.pull_request.merge_commit_sha || github.ref }}"
 
       - name: Setup Python ${{ matrix.python-version }}
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0