yuzutech / annotations-action

GitHub action to create annotations from a JSON file
MIT License

Ability to override commit SHA #23

Open cmsj opened 3 years ago

cmsj commented 3 years ago

I'm running a public open source project and I want to apply annotations to PRs from forked repos. As such, I can't run the CI job with pull_request_target because that is a security risk[1].

The apparently correct way to do this is to let the CI job run in the forked repo's space, with the regular pull_request event, and then use the workflow_run event in my repo, to fetch artifacts from the PR run and process them.

However, to do that and then push the comments back to the originating PR, I need to be able to forcibly set the commit SHA, or the PR number.

An example would be the "Support fork repositories and dependabot branches" section of https://github.com/marketplace/actions/publish-unit-test-results and if I could have the same commit: argument for this action, it would be awesome.

[1] - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

ggrossetie commented 3 years ago

Sounds reasonable, I think we will need to add a case here:

https://github.com/yuzutech/annotations-action/blob/a651a74507fca3f3fd2b0c3fa2e00e549b5ffcce/index.js#L142-L148

We can use getInput to get the value of the (new) commit argument:

const { getInput } = require('@actions/core') // getInput comes from the Actions toolkit
const commit = getInput('commit', { required: false }) // empty string when the input is not set

Feel free to submit a pull request and make sure to update the README and action.yml file with this new argument.