
ci: use pull_request_target for fork PR support#376

Merged
osmman merged 1 commit into main from tturek/gha-target-branch
Jan 26, 2026

Conversation

@osmman
Contributor

@osmman osmman commented Jan 26, 2026

User description

Switch from pull_request to pull_request_target event to allow the workflow to post PR comments on pull requests from forks.


PR Type

Enhancement


Description

  • Switch workflow trigger from pull_request to pull_request_target

  • Enables posting PR comments on fork pull requests

  • Maintains existing path and event type filters


Diagram Walkthrough

flowchart LR
  A["pull_request event"] -- "replaced with" --> B["pull_request_target event"]
  B -- "allows" --> C["Fork PR comments"]

File Walkthrough

Relevant files

Configuration changes: kustomize-diff.yaml (+1/-1)
Switch to pull_request_target for fork support

.github/workflows/kustomize-diff.yaml

  • Changed workflow trigger from pull_request to pull_request_target
  • Preserves existing path filter for konflux-configs/**
  • Maintains event types: opened, synchronize, reopened
  • Enables workflow to post comments on pull requests from forks

Switch from pull_request to pull_request_target event to allow
the workflow to post PR comments on pull requests from forks.

Signed-off-by: Tomas Turek <tturek@redhat.com>
@osmman osmman marked this pull request as ready for review January 26, 2026 10:45
@qodo-code-review

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
pull_request_target exposure

Description: Switching the workflow trigger to pull_request_target can expose repository secrets and
the base-repo GITHUB_TOKEN to code influenced by fork PRs (e.g., if later steps check out
and execute the PR head SHA or run PR-provided scripts), enabling secret exfiltration or
privilege escalation via a malicious fork.
kustomize-diff.yaml [3-7]

Referred Code
on:
  pull_request_target:
    paths:
      - 'konflux-configs/**'
    types: [opened, synchronize, reopened]
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status: Passed


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status:
Target event risk: Switching to pull_request_target can cause logs to inadvertently expose secrets if later
steps print environment/context when running with elevated permissions on fork PRs, which
must be verified in the full workflow.

Referred Code
pull_request_target:
  paths:


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Untrusted PR context: Using pull_request_target runs in the base-repo security context for fork PRs, so the full
workflow must be verified to avoid checking out/executing untrusted PR code with write
permissions or secrets.

Referred Code
pull_request_target:
  paths:


Compliance status legend
🟢 - Fully Compliant
🟡 - Partially Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
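The two open items above (untrusted PR context, secrets in logs) come down to one design question: which job holds the write token and which job touches PR-controlled files. The workflow below is an added example, not the repository's own workflow and not code from the bot. It keeps the trigger from this PR and splits the work into an unprivileged diff job and a privileged comment job. It assumes konflux-configs/ is a kustomize root, that kustomize and the gh CLI are present on the runner (both ship on GitHub's ubuntu-latest image), and uses the real actions/checkout, actions/upload-artifact and actions/download-artifact actions; the job and ref names are illustrative.

```yaml
# Added example: hardened pull_request_target layout (not the repository's workflow).
name: kustomize-diff (hardened example)

on:
  pull_request_target:
    paths:
      - 'konflux-configs/**'
    types: [opened, synchronize, reopened]

# Workflow-level default: the GITHUB_TOKEN gets no scopes unless a job asks for them.
permissions: {}

jobs:
  diff:
    runs-on: ubuntu-latest
    # This job reads PR-controlled files, so it gets a read-only token and no secrets.
    permissions:
      contents: read
    steps:
      - name: Check out the base commit (trusted, from the base repository)
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.base.sha }}

      - name: Fetch the PR head into a local ref without checking it out
        # pull_request.number is an integer, so interpolating it is safe; never
        # interpolate free-text fields such as the PR title or body into `run:`.
        run: git fetch origin "pull/${{ github.event.pull_request.number }}/head:refs/pr/head"

      - name: Render base and PR manifests and diff them
        # Assumption: konflux-configs/ is the kustomize root. The PR tree is read
        # as data in a detached worktree; nothing from it is executed.
        run: |
          set -euo pipefail
          git worktree add --detach /tmp/pr-head refs/pr/head
          kustomize build konflux-configs > /tmp/base.yaml
          kustomize build /tmp/pr-head/konflux-configs > /tmp/pr.yaml
          # diff exits 1 when the files differ; that is the expected case.
          diff -u /tmp/base.yaml /tmp/pr.yaml > /tmp/kustomize.diff || true

      - uses: actions/upload-artifact@v4
        with:
          name: kustomize-diff
          path: /tmp/kustomize.diff

  comment:
    needs: diff
    runs-on: ubuntu-latest
    # Only this job can write to the PR, and it never treats PR files as code.
    permissions:
      pull-requests: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: kustomize-diff

      - name: Post the rendered diff as a PR comment
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          set -euo pipefail
          # Cap the body so a huge diff cannot blow past the comment size limit.
          { printf '~~~diff\n'; head -c 60000 kustomize.diff; printf '\n~~~\n'; } > body.md
          gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --body-file body.md
```

The point of the split is that a fork author can influence what the diff job reads but not what it can do with the token: even if the PR tree is malicious, that job's GITHUB_TOKEN is read-only and no repository secrets are mapped into it. The comment job has the write scope but consumes only an artifact produced by the first job.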

@osmman osmman requested a review from tommyd450 January 26, 2026 10:46
@qodo-code-review

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
Security
Secure workflow against malicious PRs

To prevent malicious code execution, modify the actions/checkout step to
explicitly check out the pull request's base commit (${{
github.event.pull_request.base.sha }}) instead of the potentially unsafe head
commit.

.github/workflows/kustomize-diff.yaml [3-7]

-on:
--  pull_request:
-+  pull_request_target:
-     paths:
-       - 'konflux-configs/**'
-     types: [opened, synchronize, reopened]
+# In the jobs section of this workflow, ensure actions/checkout is configured like this:
+#
+# jobs:
+#   kustomize-diff:
+#     runs-on: ubuntu-latest
+#     steps:
+#       - name: Checkout base branch
+#         uses: actions/checkout@v4 # or your current version
+#         with:
+#           ref: ${{ github.event.pull_request.base.sha }}
+#
+#       # If you need to diff against the PR's code, fetch it without executing it:
+#       - name: Fetch PR head
+#         run: git fetch origin pull/${{ github.event.pull_request.number }}/head:pr_head
Suggestion importance[1-10]: 10


Why: This suggestion correctly identifies a critical security vulnerability introduced by using pull_request_target and provides the standard, correct mitigation strategy of checking out the base SHA to prevent running untrusted code with access to secrets.

High
Restrict workflow token permissions

Add a top-level permissions block to the workflow to restrict the GITHUB_TOKEN's
access, enhancing security by adhering to the principle of least privilege.

.github/workflows/kustomize-diff.yaml [3-7]

+permissions:
+  contents: read
+  pull-requests: write
 on:
   pull_request_target:
     paths:
       - 'konflux-configs/**'
     types: [opened, synchronize, reopened]
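Review bot: the block is correct and `pull-requests: write` is the minimum the stated goal (posting PR comments) needs. Note that once a top-level `permissions:` key is present, every scope not listed becomes `none`, so any step that writes checks, issues or contents would need its own entry. Since `pull_request_target` hands this token to every job in the run, consider moving `pull-requests: write` down to job level on the job that posts the comment and giving any job that processes PR-controlled files only `contents: read`.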
Suggestion importance[1-10]: 9


Why: This is a crucial security hardening measure that follows the principle of least privilege. By explicitly setting permissions, it limits the potential damage if the workflow is compromised, which is especially important when using the pull_request_target trigger.

High

@osmman
Contributor Author

osmman commented Jan 26, 2026

related to #373 CI failures

@osmman osmman merged commit 0ebfcab into main Jan 26, 2026
@osmman osmman deleted the tturek/gha-target-branch branch January 26, 2026 10:53