We can enable build scans for PR builds without making credentials available to the workflow by publishing scans to scans.gradle.com.
Comment From: wilkinsona
This may prove tricky as I'm not sure how to handle the acceptable of the ToS without complicating our build configuration where we typically want to publish to ge.spring.io.
Using the upload-artifact action to upload the build's reports may be a better option for diagnosing problems with PR builds.