Fix security, draft-PR, and comment-cleanup issues in maintainer-approval

- Checkout base branch SHA to prevent PR-authored code execution on review events
- Add ready_for_review to pull_request_target types so draft promotions trigger
- Delete ALL matching comments (not just first) including legacy REVIEWER_SUGGESTION marker
- Add concurrency group to prevent overlapping runs per PR

Co-authored-by: Isaac

Author: simonfaltum

.github/workflows/maintainer-approval.js

@@ -390,14 +390,18 @@ function buildSingleDomainPendingComment(sortedScores, dirScores, scoredCount, e
 
 // --- Comment management ---
 
+const LEGACY_MARKER = "<!-- REVIEWER_SUGGESTION -->";
+
 async function postComment(github, owner, repo, prNumber, comment) {
   const comments = await github.paginate(github.rest.issues.listComments, {
     owner, repo, issue_number: prNumber,
   });
-  const existing = comments.find(c => c.body && c.body.includes(MARKER));
-  if (existing) {
+  const toDelete = comments.filter(c =>
+    c.body && (c.body.includes(MARKER) || c.body.includes(LEGACY_MARKER))
+  );
+  for (const c of toDelete) {
     await github.rest.issues.deleteComment({
-      owner, repo, comment_id: existing.id,
+      owner, repo, comment_id: c.id,
     });
   }
   await github.rest.issues.createComment({

.github/workflows/maintainer-approval.yml

@@ -2,9 +2,14 @@ name: PR approval
 
 on:
   pull_request_target:
+    types: [opened, synchronize, reopened, ready_for_review]
   pull_request_review:
     types: [submitted, dismissed]
 
+concurrency:
+  group: pr-approval-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
 defaults:
   run:
     shell: bash
@@ -23,6 +28,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
+          ref: ${{ github.event.pull_request.base.sha }}
           persist-credentials: false
           fetch-depth: 0
       - name: Check approval and suggest reviewers