37a016576b
Previous code used `pull_request:` which meant `secrets.GRADLE_ENCRYPTION_KEY` was not available, so the configuration cache was not restored. Use `pull_request_target` to give the workflow access to `secrets`, and explicitly downscope the permissions of `GITHUB_TOKEN` to read only.