Harden chart README workflow against fork PR checkout #21

Merged: perplexedmontagna merged 1 commit into perplexityai:main from thom-pplx:fix/harden-chart-readme-workflow on May 18, 2026

Conversation

@thom-pplx (Contributor)

Summary

Hardens .github/workflows/generate-chart-readme.yaml against the fork PR pull_request_target checkout issue demonstrated in #20.

The workflow still updates chart README metadata for trusted same-repository PR branches, but it no longer runs as a privileged pull_request_target job against fork-controlled code.

Changes

  • Switch the trigger from pull_request_target to pull_request.
  • Skip the write-back job unless the PR branch is in this repository.
  • Checkout only github.repository, not the PR-controlled head.repo.full_name.
  • Checkout the immutable PR head SHA instead of a mutable head ref.
  • Set persist-credentials: false so checkout credentials are not available to later steps.
  • Provide GITHUB_TOKEN only to the final push step, after generation is complete.
  • Keep actions/checkout pinned, updated to the current v6 commit.

Why this is minimal

The workflow still uses the same path trigger, generator, commit message, and README update flow for same-repo PRs. Fork-origin PRs are the only behavior removed from the privileged write path, which is the vulnerable case.

Validation

  • Parsed the workflow YAML successfully.
  • Ran git diff --check.
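The hardened shape the bullets above describe, written out as an added illustration rather than the repository's actual generate-chart-readme.yaml: the path filter, generator command, commit message and the pinned checkout SHA are placeholders, and the fork gate, SHA checkout, persist-credentials setting and step-scoped token follow the PR's list.

```yaml
# Added example of the hardened workflow, not the project's own file.
# Placeholders: path filter, generator script, commit message, pinned SHA.
name: Generate chart README

on:
  pull_request:          # was pull_request_target, which ran fork code with write access
    paths:
      - "charts/**"      # assumed path filter

permissions:
  contents: write        # only the final push step actually uses this

jobs:
  update-readme:
    runs-on: ubuntu-latest
    # Fork gate: head.repo.full_name is PR-author controlled, so only proceed
    # when the head branch lives in this repository.
    if: github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@PINNED_V6_COMMIT_SHA   # placeholder; pin to the full v6 commit
        with:
          repository: ${{ github.repository }}            # never head.repo.full_name
          ref: ${{ github.event.pull_request.head.sha }}  # immutable SHA, not a mutable head ref
          persist-credentials: false                      # no token left in .git/config for later steps

      - name: Generate chart README
        run: ./hack/generate-chart-readme.sh   # placeholder for the project's generator

      - name: Commit and push
        env:
          # Token is exposed to this step only, after generation has finished.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add -A
          # Nothing to write back: exit cleanly without a commit.
          git diff --cached --quiet && exit 0
          git commit -m "chore: update chart README"   # placeholder commit message
          git push "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" \
            "HEAD:refs/heads/${HEAD_REF}"
```

Because the job is gated on a same-repository head, HEAD_REF is a collaborator's branch name, and the checkout step itself holds no credential that a compromised generator step could reuse.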

@perplexedmontagna perplexedmontagna merged commit 67e70e4 into perplexityai:main May 18, 2026