chore: enhance PR plugin upload workflow with improved concurrency handling and security measures

.github/workflows/pr-plugin-upload.yml

@@ -1,7 +1,9 @@
 name: Upload PR Plugin to R2
 
 concurrency:
-  group: pr-plugin-${{ github.event.workflow_run.id || github.run_id }}
+  # Use the PR number from the workflow run to group uploads for the same PR
+  # This ensures previous in-progress uploads for the same PR are cancelled
+  group: pr-plugin-${{ github.event.workflow_run.pull_requests[0].number || github.event.workflow_run.head_branch }}
   cancel-in-progress: true
 
 on:
@@ -29,6 +31,12 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          # SECURITY: Always checkout the default branch (trusted code)
+          # Never checkout PR code in workflow_run context
+          ref: ${{ github.event.repository.default_branch }}
+          # Ensure we're checking out the base repository, not a fork
+          repository: ${{ github.repository }}
 
       - name: Prepare artifact extraction directory
         run: |