feat(ci): adjust scripts to run safely for external PRs

.github/scripts/create-values-diff.sh

@@ -6,21 +6,34 @@
 set -eu
 set -o pipefail
 
-issue=${1?You need to provide the issue ID}
-chart=${2?You need to provide the chart name}
-if [[ -v 3 ]]; then
-  case "$3" in
+parsed="$(getopt --options '' --longoptions "body:,dry-run" --name "$0" -- "$@")"
+
+eval set -- "$parsed"
+unset parsed
+
+dryRun=false
+
+while [[ "$#" -gt 0 ]]; do
+  case "$1" in
     --dry-run)
       dryRun=true
       ;;
-    *)
-      echo "Option '$3' not supported" >&2
-      exit 1
+    --body)
+      shift
+      body="${1}"
+      if [[ ! -f "$body" ]]; then
+        echo "input file '$body' does not exist" >&2
+        exit 3
+      fi
+      ;;
+    --) # positional arguments
+      shift
+      issue=${1?You need to provide the issue ID}
+      chart=${2?You need to provide the chart name}
       ;;
   esac
-else
-  dryRun=false
-fi
+  shift
+done
 
 if yq -e '.type == "library"' "$chart/Chart.yaml" >/dev/null; then
   echo "Skipping library chart '$chart'" >&2
@@ -131,7 +144,9 @@ function updateComment() {
       -d @-
 }
 
-body=$(generateComment "$chart")
+if [[ ! -v body ]]; then
+  body=$(generateComment "$chart")
+fi
 
 if [[ "$dryRun" == false ]]; then
   # cannot use `gh pr/issue view --json comments` as the returned id is incorrect

.github/workflows/check-licenses.yaml

@@ -1,7 +1,7 @@
 name: Check used licenses
 
 on:
-  pull_request:
+  pull_request_target:
     types:
       - opened
       - edited
@@ -35,6 +35,8 @@ jobs:
     needs: getChangedChart
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
       - run: pip install yq
       - env:
           chart: ${{ needs.getChangedChart.outputs.chart }}

.github/workflows/pr-comment-diff.yaml

@@ -4,7 +4,7 @@ concurrency:
   cancel-in-progress: true
 
 on:
-  pull_request:
+  pull_request_target:
     paths:
       - charts/**
     branches-ignore:
@@ -15,16 +15,38 @@ jobs:
     uses: ./.github/workflows/get-changed-chart.yaml
     with:
       pr_number: ${{ github.event.pull_request.number }}
-  postDiffComment:
+  generateDiffCommentBody:
     runs-on: ubuntu-latest
     needs: getChangedChart
+    permissions:
+      contents: read
+      pull-requests: read
     env:
       CT_TARGET_BRANCH: ${{ github.event.pull_request.base.ref || github.event.repository.default_branch }}
-      GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
       - run: pip install yq
       - name: Install sponge
         run: sudo apt-get -yq install moreutils
-      - run: ./.github/scripts/prepare-values.sh "charts/${{ needs.getChangedChart.outputs.chart }}"
-      - run: ./.github/scripts/create-values-diff.sh ${{ github.event.number }} "charts/${{ needs.getChangedChart.outputs.chart }}"
+      - run: ./.github/scripts/prepare-values.sh "pr/charts/${{ needs.getChangedChart.outputs.chart }}"
+      - run: ./.github/scripts/create-values-diff.sh ${{ github.event.number }} "pr/charts/${{ needs.getChangedChart.outputs.chart }}" --dry-run > comment_body.md
+      - uses: actions/upload-artifact@v4
+        with:
+          name: comment_body
+          path: comment_body.md
+          if-no-files-found: error
+          retention-days: 1
+  postDiffComment:
+    runs-on: ubuntu-latest
+    needs:
+      - getChangedChart
+      - generateDiffCommentBody
+    env:
+      GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }}
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: comment_body
+      - run: ./.github/scripts/create-values-diff.sh ${{ github.event.number }} "charts/${{ needs.getChangedChart.outputs.chart }}" --body comment_body.md