Allow for PR coming from forks to have a Breakage comment

[MaxenceGollier]

Related: JuliaSmoothOptimizers/LDLFactorizations.jl#137 (comment)
Currently,

RegularizedProblems.jl/.github/workflows/Breakage.yml

Lines 162 to 165 in 6dcffc6

	- name: PR comment with file
	uses: thollander/actions-comment-pull-request@v2
	with:
	filePath: breakage/summary.md

always fails if the PR is coming from a fork

For example, in thollander/actions-comment-pull-request

Note that, if the PR comes from a fork, it will have only read permission despite the permissions given in the action for the pull_request event.
In this case, you may use the pull_request_target event. With this event, permissions can be given without issue (the difference is that it will execute the action from the target branch and not from the origin PR).

The thing is that using GitHub recommends to use pull_request_target very carefully: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/

From the latter blog post, we'd need to create an additional workflow, using the pull_request_target to `write a comment in the PR coming from a fork.
I will try to write one for this repo, perhaps it could be general enough to be moved to https://github.com/JuliaSmoothOptimizers/.github afterwards ?

[amontoison]

@MaxenceGollier https://raw.githubusercontent.com/JuliaSmoothOptimizers/Krylov.jl/refs/heads/main/.github/workflows/Breakage.yml

I did a fix for it in Krylov.jl one year and I deployed it a little everywhere in JSO.
Even from a fork, we can have the breakage results, the markdown file is just an artifact of the workflow and not uploaded on the discussion.

[MaxenceGollier]

@amontoison, yes, I think it is more convienient to have it in the discussion, it should be possible from the GitHub documentation.

It looks like my fix doesn't work yet;

• for PRs from the repo itself, we do get the message posted: Test CommentBreakage workflow & update Breakage workflow #104
• for PRs from my fork, i forced push Add basis pursuit model #89 yesterday and the CommentBreakage workflow didn't succeed: https://github.com/JuliaSmoothOptimizers/RegularizedProblems.jl/actions/runs/23073805302 because the comment-pr step did not find the PR to comment. looks like this is a recurring issue: https://github.com/orgs/community/discussions/25220.

EDIT: I think I can fix this but I actually wonder if my approach is safe. @amontoison, what i do is that I run the breakage from the PR and upload artifacts then trigger a new workflow with full permissions that downloads these and posts a comment.
What if a malicious user changes the Breakage workflow to upload different artifacts, maybe this could be harmful ? On the other hand, the Comment breakage workflow just write a .md file so i am not sure if this could really be an issue...

Additionnally, it looks like from https://github.com/orgs/community/discussions/25220, that i need to pass the PR number as an artifact in the Breakage workflow and then download it in the Comment Breakage workflow in order to comment on fork PRs.
Again, not sure if this is safe, let me know what you think.

cc. @dpo, @tmigot

[MaxenceGollier]

Solved, see for example #89 (comment)