chore: use pr target

Risky business.

Should be fine though and means PRs will get the bot comments properly.

Author: 43081j

.github/workflows/diff-dependencies.yml

@@ -1,11 +1,15 @@
 name: Dependency Diff
 
 on:
-  pull_request:
+  pull_request_target:
+    branches:
+      - main
 
 jobs:
   build-main:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -27,9 +31,13 @@ jobs:
           path: '*.tgz'
   build-pr:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
       - name: Use Node
         uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
@@ -54,6 +62,7 @@ jobs:
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
       - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           name: base-packages
@@ -63,7 +72,7 @@ jobs:
           name: source-packages
           path: ./source-packages
       - name: Create Diff
-        uses: ./
+        uses: e18e/action-dependency-diff@main
         with:
           base-packages: ./base-packages/*.tgz
           source-packages: ./source-packages/*.tgz