splitting the apk generation from the commenting to prevent action attacks when specifying the checkout target

.github/workflows/check_size.yml

@@ -1,14 +1,7 @@
 name: Check Size
 
-## Workaround for allow size checks on external PRs/dependabot
 on:
-  pull_request_target:
+  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-permissions:
-  pull-requests: write
 
 jobs:
   check-size:
@@ -44,23 +37,12 @@ jobs:
           chmod +x bin/bundletool
           echo "$(pwd)/bin" >> $GITHUB_PATH
 
-      - name: Check release size
+      - name: Save Size
         run: |
-          echo "::set-output name=APK_SIZE::$(./tools/check-size.sh | tail -1 | cut -d ',' -f2-)"
+          mkdir -p ./apk_size
-        id: size
+          echo $(./tools/check-size.sh | tail -1 | cut -d ',' -f2-) > ./apk_size/size.txt
-
+      - uses: actions/upload-artifact@v3
-      - name: Find Comment
-        uses: peter-evans/find-comment@v1
-        id: fc
         with:
-          issue-number: ${{ github.event.pull_request.number }}
+          name: apk-size
-          comment-author: 'github-actions[bot]'
+          path: apk_size/size.txt
-          body-includes: APK Size
+          retention-days: 5
-      - name: Publish size to PR
-        uses: peter-evans/create-or-update-comment@v1
-        with:
-          comment-id: ${{ steps.fc.outputs.comment-id }}
-          issue-number: ${{ github.event.pull_request.number }}
-          body: |
-            APK Size: ${{ steps.size.outputs.APK_SIZE }}
-          edit-mode: replace

.github/workflows/comment_size.yml

@@ -0,0 +1,42 @@
+name: Comment APK Size
+
+on:
+  workflow_run:
+    workflows: [ "Check Size" ]
+    types:
+      - completed
+
+jobs:
+  comment-size:
+    name: Comment Size
+    runs-on: ubuntu-latest
+    if: >
+      ${{ github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success' }}
+
+    steps:
+      - uses: actions/download-artifact@v3
+        with:
+          name: apk-size
+          path: ~/apk-size.txt
+
+      - name: Check release size
+        run: |
+          echo "::set-output name=APK_SIZE::$(cat ~/apk-size.txt)"
+        id: size
+
+      - name: Find Comment
+        uses: peter-evans/find-comment@v1
+        id: fc
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-author: 'github-actions[bot]'
+          body-includes: APK Size
+      - name: Publish size to PR
+        uses: peter-evans/create-or-update-comment@v1
+        with:
+          comment-id: ${{ steps.fc.outputs.comment-id }}
+          issue-number: ${{ github.event.pull_request.number }}
+          body: |
+            APK Size: ${{ steps.size.outputs.APK_SIZE }}
+          edit-mode: replace