From 79e398c02aee92a9c30bccc023a71d5945f315e8 Mon Sep 17 00:00:00 2001
From: Paul Mars
Date: Mon, 20 Apr 2026 17:03:44 +0200
Subject: [PATCH] fix: avoid attacker controlling PR number
---
 .github/workflows/comment-perf.yaml | 18 +++++++++++-------
 .github/workflows/performance.yaml | 9 ++-------
 2 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/comment-perf.yaml b/.github/workflows/comment-perf.yaml
index 075d3611..378604da 100644
--- a/.github/workflows/comment-perf.yaml
+++ b/.github/workflows/comment-perf.yaml
@@ -20,18 +20,22 @@ jobs:
 - name: Download comment
 uses: actions/download-artifact@v4
 with:
- name: benchmark-result
- path: benchmark-result
+ name: benchmark-report
+ path: report.md
 github-token: ${{ secrets.ROCKSBOT_CHISEL_PR_COMMENTER }}
 run-id: ${{ github.event.workflow_run.id }}
- - name: Read PR number
- id: read-pr-number
- run: echo "number=$(cat benchmark-result/pr_number)" >> $GITHUB_OUTPUT
+ - name: Get PR number
+ id: get-pr-number
+ run: |
+ PR_NUMBER=$(gh api "repos/${{ github.repository }}/pulls?head=${{ github.event.workflow_run.head_repository.owner.login }}:${{ github.event.workflow_run.head_branch }}&state=open" --jq '.[0].number')
+ echo "number=$PR_NUMBER" >> $GITHUB_OUTPUT
+ env:
+ GH_TOKEN: ${{ secrets.ROCKSBOT_CHISEL_PR_COMMENTER }}
 - name: Post message to PR
 uses: mshick/add-pr-comment@dd126dd8c253650d181ad9538d8b4fa218fc31e8 # v2
 with:
- message-path: benchmark-result/report.md
- issue: ${{ steps.read-pr-number.outputs.number }}
+ message-path: report.md
+ issue: ${{ steps.get-pr-number.outputs.number }}
 repo-token: ${{ secrets.ROCKSBOT_CHISEL_PR_COMMENTER }}
diff --git a/.github/workflows/performance.yaml b/.github/workflows/performance.yaml
index a79bf1b6..f11c676e 100644
--- a/.github/workflows/performance.yaml
+++ b/.github/workflows/performance.yaml
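Review bot: The new `Get PR number` step splices `github.event.workflow_run.head_branch` and `head_repository.owner.login` straight into the `run:` script through `${{ }}` expansion, and in a `workflow_run` job those values are chosen by the fork that opened the PR, so a branch name such as `x$(…)` runs as shell with `GH_TOKEN` (the ROCKSBOT PAT) in the environment — the step that stops the attacker choosing the PR number now lets them read the commenting token instead. Hand both values to the shell via `env:` and let `gh api -X GET … -f head=… -f state=open` build and URL-encode the query, and fail the step when `--jq '.[0].number'` returns nothing or `null` (no open PR, or a run not triggered by a pull request — any `workflow_run.event` guard on the job sits outside this hunk) instead of passing `number=null` to add-pr-comment. Separately, `actions/download-artifact@v4` treats `path:` as a destination directory (the removed lines relied on that with `benchmark-result/report.md`), so `path: report.md` most likely extracts to `report.md/report.md` and `message-path: report.md` then names a directory; either drop `path:` or use `path: benchmark-report` with `message-path: benchmark-report/report.md`.
```yaml
      - name: Get PR number
        id: get-pr-number
        # head_branch / owner login come from the fork-controlled workflow_run event:
        # pass them through env and let gh URL-encode them, never inline them with ${{ }}.
        env:
          GH_TOKEN: ${{ secrets.ROCKSBOT_CHISEL_PR_COMMENTER }}
          HEAD_OWNER: ${{ github.event.workflow_run.head_repository.owner.login }}
          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
        run: |
          set -euo pipefail
          PR_NUMBER=$(gh api -X GET "repos/${GITHUB_REPOSITORY}/pulls" \
            -f head="${HEAD_OWNER}:${HEAD_BRANCH}" -f state=open --jq '.[0].number')
          if [ -z "${PR_NUMBER}" ] || [ "${PR_NUMBER}" = "null" ]; then
            echo "no open PR for ${HEAD_OWNER}:${HEAD_BRANCH}" >&2
            exit 1
          fi
          echo "number=${PR_NUMBER}" >> "${GITHUB_OUTPUT}"
      # … unchanged: Post message to PR step …
```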
@@ -68,14 +68,9 @@ jobs:
 chmod +x base head hyperfine --export-markdown report.md "./base info --release ./chisel-releases 'python3.12_core'" -n "BASE" "./head info --release ./chisel-releases 'python3.12_core'" -n "HEAD"
- - name: Save PR number
- run: echo "${{ github.event.pull_request.number }}" > pr_number
-
 - name: Upload result
 uses: actions/upload-artifact@v4
 with:
- name: benchmark-result
- path: |
- report.md
- pr_number
+ name: benchmark-report
+ path: report.md
 retention-days: 1