Description
I'm running a public open source project and I want to apply annotations to PRs from forked repos. As such, I can't run the CI job with `pull_request_target` because that is a security risk [1].
The apparently correct way to do this is to let the CI job run in the forked repo's space, with the regular `pull_request` event, and then use the `workflow_run` event in my repo to fetch artifacts from the PR run and process them.
However, to do that and then push the comments back to the originating PR, I need to be able to forcibly set the commit SHA, or the PR number.
An example would be the "Support fork repositories and dependabot branches" section of https://github.com/marketplace/actions/publish-unit-test-results and if I could have the same `commit:` argument for this action, it would be awesome.
[1] - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
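The two-workflow pattern the issue describes, written out as an added example (not code from the original issue, the linked action, or this project). The file names, the `make test` command, the artifact name and the workflow names are assumptions; the unprivileged `pull_request` workflow only uploads an artifact, and the privileged `workflow_run` workflow treats that artifact as untrusted input, checking that the PR number it names actually belongs to the run's head commit before commenting:

```yaml
# Workflow 1 (assumed path .github/workflows/test.yml): runs in the fork's context, no secrets
name: Test
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test 2>&1 | tee test-output.txt   # placeholder for the real test command
      - if: always()   # record the PR number so the privileged workflow knows where to comment
        run: echo "${{ github.event.pull_request.number }}" > pr-number.txt
      - if: always()
        uses: actions/upload-artifact@v4
        with:
          name: test-results
          path: |
            test-output.txt
            pr-number.txt
---
# Workflow 2 (assumed path .github/workflows/comment.yml): runs in the base repo with a write token
name: Comment on PR
on:
  workflow_run:
    workflows: ["Test"]
    types: [completed]
jobs:
  comment:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.event == 'pull_request'
    permissions:
      actions: read          # needed to download another run's artifacts
      pull-requests: write   # needed to post the comment
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: test-results
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            // The artifact was produced by fork-controlled code: validate strictly, never execute it.
            const raw = fs.readFileSync('pr-number.txt', 'utf8').trim();
            if (!/^\d{1,9}$/.test(raw)) throw new Error('invalid PR number in artifact');
            const pr = await github.rest.pulls.get({ ...context.repo, pull_number: Number(raw) });
            // Refuse to comment on a PR whose head commit is not the one this run was triggered for.
            if (pr.data.head.sha !== context.payload.workflow_run.head_sha) throw new Error('PR/run mismatch');
            const body = fs.readFileSync('test-output.txt', 'utf8').slice(0, 60000);
            await github.rest.issues.createComment({ ...context.repo, issue_number: Number(raw),
              body: 'Test results for ' + pr.data.head.sha + ':\n\n' + body });
```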