Checkout base branch instead of PR head in build workflow

.github/workflows/build-pr-cmk.yml

@@ -18,7 +18,7 @@
 name: Build cmk binaries on PR
 
 on:
-  pull_request_target:
+  pull_request:
     types: [opened, synchronize, reopened]
 
 concurrency:
@@ -36,10 +36,9 @@ jobs:
       outcome: ${{ steps.meta.outputs.outcome }}
       artifact_url: ${{ steps.meta.outputs.artifact_url }}
     steps:
-      - name: Checkout PR HEAD
+      - name: Checkout PR code
         uses: actions/checkout@v4
         with:
-          ref: ${{ github.event.pull_request.head.sha }}
           persist-credentials: false
 
       - name: Set up Go
@@ -68,53 +67,3 @@ jobs:
         run: |
           echo "outcome=${{ steps.build.outcome }}" >> $GITHUB_OUTPUT
           echo "artifact_url=${{ steps.upload_artifact.outputs.artifact-url }}" >> $GITHUB_OUTPUT
-
-  comment:
-    if: always()
-    needs: build
-    permissions:
-      contents: read
-      issues: write
-      pull-requests: write
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Comment or update cmk build artifact on PR
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const { execSync } = require('child_process');
-
-            const issue_number = context.payload.pull_request.number;
-            const identifier = "cmk-build-artifact-comment";
-
-            const owner = context.payload.repository.owner.login; // base repo (pull_request_target)
-            const repo  = context.payload.repository.name;
-
-            const buildOutcome = "${{ needs.build.outputs.outcome }}";
-            const artifactUrl  = "${{ needs.build.outputs.artifact_url }}";
-            const runId        = "${{ github.run_id }}";
-
-            core.info(`Will comment on ${owner}/${repo}#${issue_number}`);
-            core.info(`Outcome=${buildOutcome || '(empty)'} Artifact=${artifactUrl || '(none)'}`);
-
-            let body = `<!-- ${identifier} -->\n`;
-            if (buildOutcome === 'success' && artifactUrl) {
-              const expiryDate = execSync("date -d '+10 days' '+%B %d, %Y'").toString().trim();
-              body += `✅ Build complete for PR #${issue_number}.\n\n`;
-              body += `🔗 Download the [cmk binaries](${artifactUrl}) (expires on ${expiryDate})`;
-            } else {
-              body += `❌ Build failed for PR #${issue_number}.\n\n`;
-              body += `See the run: https://github.com/${owner}/${repo}/actions/runs/${runId}`;
-            }
-
-            const { data: comments } = await github.rest.issues.listComments({ owner, repo, issue_number });
-            const existing = comments.find(c => c.user.login === 'github-actions[bot]' && c.body.includes(identifier));
-
-            if (existing) {
-              core.info(`Updating comment id ${existing.id}`);
-              await github.rest.issues.updateComment({ owner, repo, comment_id: existing.id, body });
-            } else {
-              core.info(`Creating new comment`);
-              await github.rest.issues.createComment({ owner, repo, issue_number, body });
-            }
-

.github/workflows/comment-pr-build.yml

@@ -0,0 +1,165 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+name: Comment on PR build results
+
+on:
+  workflow_run:
+    workflows: ["Build cmk binaries on PR"]
+    types:
+      - completed
+
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+  actions: read
+
+jobs:
+  comment:
+    runs-on: ubuntu-24.04
+    if: >
+      github.event.workflow_run.event == 'pull_request'
+    steps:
+      - name: Download artifact metadata
+        uses: actions/github-script@v7
+        id: artifact-metadata
+        with:
+          script: |
+            const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              run_id: context.payload.workflow_run.id,
+            });
+            
+            const prArtifact = artifacts.data.artifacts.find(a => a.name.startsWith('cmk-binaries.pr'));
+            
+            if (prArtifact) {
+              const prNumber = prArtifact.name.match(/pr(\d+)/)?.[1];
+              return {
+                artifact_url: prArtifact.archive_download_url,
+                pr_number: prNumber,
+                conclusion: context.payload.workflow_run.conclusion
+              };
+            }
+            
+            return {
+              pr_number: null,
+              conclusion: context.payload.workflow_run.conclusion
+            };
+
+      - name: Get PR number from workflow run
+        id: get-pr
+        uses: actions/github-script@v7
+        env:
+          METADATA: ${{ steps.artifact-metadata.outputs.result }}
+        with:
+          script: |
+            // Primary source: PRs attached to the workflow_run (for pull_request-triggered runs)
+            const runPRs = context.payload.workflow_run.pull_requests;
+            if (runPRs && runPRs.length > 0) {
+              return runPRs[0].number;
+            }
+            // Fallback 1: PR number discovered from artifact metadata
+            let metadata = {};
+            if (process.env.METADATA) {
+              try {
+                metadata = JSON.parse(process.env.METADATA);
+              } catch (e) {
+                core.warning(`Failed to parse artifact metadata: ${e.message}`);
+              }
+            }
+            if (metadata.pr_number) {
+              return metadata.pr_number;
+            }
+            // Fallback 2: look up PRs associated with the workflow run head SHA
+            const associated = await github.rest.repos.listPullRequestsAssociatedWithCommit({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              commit_sha: context.payload.workflow_run.head_sha,
+            });
+            if (associated.data.length > 0) {
+              return associated.data[0].number;
+            }
+            return null;
+
+      - name: Comment or update build result on PR
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { execSync } = require('child_process');
+            const prNumber = ${{ steps.get-pr.outputs.result }};
+            
+            if (!prNumber) {
+              core.warning('Could not determine PR number, skipping comment');
+              return;
+            }
+
+            const identifier = "cmk-build-artifact-comment";
+            const owner = context.repo.owner;
+            const repo = context.repo.repo;
+            const conclusion = '${{ github.event.workflow_run.conclusion }}';
+            const runId = '${{ github.event.workflow_run.id }}';
+            const runUrl = `https://github.com/${owner}/${repo}/actions/runs/${runId}`;
+
+            core.info(`Commenting on PR #${prNumber}`);
+            core.info(`Build conclusion: ${conclusion}`);
+
+            let body = `<!-- ${identifier} -->\n`;
+            
+            if (conclusion === 'success') {
+              const expiryDate = execSync("date -d '+10 days' '+%B %d, %Y'").toString().trim();
+              body += `✅ Build complete for PR #${prNumber}.\n\n`;
+              body += `📦 Binary artifacts are available in the [workflow run](${runUrl}) (expires on ${expiryDate}).\n\n`;
+              body += `> **Note:** Download artifacts by clicking on the workflow run link above, then scroll to the "Artifacts" section.\n`;
+              body += `> _Artifacts from PR builds are for testing only and may contain unreviewed code._`;
+            } else if (conclusion === 'failure') {
+              body += `❌ Build failed for PR #${prNumber}.\n\n`;
+              body += `See the [workflow run](${runUrl}) for details.`;
+            } else {
+              body += `⚠️ Build ${conclusion} for PR #${prNumber}.\n\n`;
+              body += `See the [workflow run](${runUrl}) for details.`;
+            }
+
+            const { data: comments } = await github.rest.issues.listComments({
+              owner,
+              repo,
+              issue_number: prNumber
+            });
+            
+            const existing = comments.find(c => 
+              c.user.login === 'github-actions[bot]' && 
+              c.body.includes(identifier)
+            );
+
+            if (existing) {
+              core.info(`Updating existing comment id ${existing.id}`);
+              await github.rest.issues.updateComment({
+                owner,
+                repo,
+                comment_id: existing.id,
+                body
+              });
+            } else {
+              core.info(`Creating new comment`);
+              await github.rest.issues.createComment({
+                owner,
+                repo,
+                issue_number: prNumber,
+                body
+              });
+            }