fix: separate safe permission check job and ci job (#5460)

Author: junpuf

.github/workflows/pr-example.yml

@@ -1,17 +1,19 @@
 name: Example Workflow
 
 on:
-  workflow_run:
-    workflows: ["PR Permission Gate"]
-    types:
-      - completed
+  pull_request:
+    branches: 
+      - main
 
 permissions:
   contents: read
 
+concurrency:
+  group: pr-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
 jobs:  
   pre-commit:
-    if: ${{ github.event.workflow_run.conclusion == 'success' }}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5

.github/workflows/pr-gate.yml

@@ -20,9 +20,7 @@ jobs:
       - name: Checkout base branch (safe)
         uses: actions/checkout@v5
         with:
-          # checkout the workflow's commit (base branch), not the PR head
           ref: ${{ github.event.pull_request.base.sha }}
           fetch-depth: 1
-
       - name: Run permission gate (from base)
         uses: ./.github/actions/pr-permission-gate

.pre-commit-config.yaml

@@ -8,8 +8,7 @@ default_stages:
 
 repos:
   - repo: https://github.com/reteps/dockerfmt
-    # run `pre-commit autoupdate` to pin the version
-    rev: main
+    rev: v0.3.9
     hooks:
       - id: dockerfmt
         args: