Maybe: we can add a workflow_dispatch workflow that lets a maintainer explicitly specify the PR to test, triggers the workflow, and adds a comment to the PR when started/finished. This wouldn't be as nice, but would be secure against malicious PRs, and isn't dependent on getting the repo config exactly right.
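A sketch of the workflow proposed above, as an added example that is not the project's own code. The workflow name, job names, the `head_sha` input and the `./run-tests.sh` command are assumptions; `head_sha` is an extra hardening step beyond the comment, so the run tests exactly the commit the maintainer reviewed even if the PR is updated afterwards.

```yaml
# Added example, not the project's workflow. Names and the test command are placeholders.
name: test-pr-on-request
on:
  workflow_dispatch:
    inputs:
      pr_number: {description: "PR number to test", required: true, type: string}
      head_sha: {description: "Full commit SHA the maintainer reviewed", required: true, type: string}
permissions: {}            # no default token scopes; each job opts in
env:
  PR: ${{ inputs.pr_number }}
  SHA: ${{ inputs.head_sha }}
jobs:
  announce:
    runs-on: ubuntu-latest
    permissions: {pull-requests: write}
    env: {GH_TOKEN: "${{ github.token }}"}
    steps:
      - name: Validate inputs and check the PR head is still the reviewed commit
        run: |
          [[ "$PR" =~ ^[0-9]+$ && "$SHA" =~ ^[0-9a-f]{40}$ ]] || { echo "bad input"; exit 1; }
          head=$(gh pr view "$PR" -R "$GITHUB_REPOSITORY" --json headRefOid -q .headRefOid)
          [[ "$head" == "$SHA" ]] || { echo "PR head is now $head"; exit 1; }
      - name: Comment that the run started
        run: gh pr comment "$PR" -R "$GITHUB_REPOSITORY" --body "Test run started for $SHA: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
  test:
    needs: announce
    runs-on: ubuntu-latest
    permissions: {contents: read}       # PR code runs here: read-only token, no secrets
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.head_sha }}   # exact commit, not a branch that can move
          persist-credentials: false    # do not leave the token in .git/config
      - run: ./run-tests.sh             # placeholder for the project's test command
  report:
    needs: [announce, test]
    if: always() && needs.announce.result == 'success'
    runs-on: ubuntu-latest
    permissions: {pull-requests: write}
    env: {GH_TOKEN: "${{ github.token }}"}
    steps:
      - name: Comment that the run finished
        run: gh pr comment "$PR" -R "$GITHUB_REPOSITORY" --body "Test run finished for $SHA: ${{ needs.test.result }}"
```

The comment steps run in separate jobs from the PR's code, so the token with `pull-requests: write` is never present on a runner that has executed untrusted code.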