Preview Themes: address security concern

Calling `create-preview-links` from the branch is a possible security concern, where the script could be modified to access secrets.

To avoid it, I've split the workflow in two which makes it so it's not possible to execute code that is modifiable, as a part of the Workflow, by checking out the script from `trunk`.

.github/workflows/preview-theme.yml

@@ -3,6 +3,8 @@ name: Preview Theme Changes
 on:
   pull_request_target:
     types: [opened, synchronize]
+permissions:
+  pull-requests: write
 
 jobs:
   check-for-changes-to-themes:
@@ -43,10 +45,21 @@ jobs:
           echo "HAS_THEME_CHANGES=true" >> $GITHUB_OUTPUT
           echo "CHANGED_THEMES=$(echo ${unique_dirs[@]})" >> $GITHUB_ENV
           echo "Theme directories with changes: $CHANGED_THEMES"
+  
+  handle-pr-comment:
+    runs-on: ubuntu-latest
+    needs: check-for-changes-to-themes
+    steps:
+      - name: Checkout create-preview-links script from trunk
+        uses: actions/checkout@v2
+        with:
+          repository: Automattic/themes
+          path: .github/scripts
+          ref: trunk
 
       - name: Add Preview Links comment
         id: comment-on-pr
-        if: ${{ steps.check-for-changes.outputs.HAS_THEME_CHANGES == 'true' }}
+        if: ${{ needs.check-for-changes-to-themes.outputs.HAS_THEME_CHANGES == 'true' }}
         uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -55,7 +68,7 @@ jobs:
             createPreviewLinks(github, context, process.env.CHANGED_THEMES);
 
       - name: Remove comment if no changes are detected
-        if: ${{ steps.check-for-changes.outputs.HAS_THEME_CHANGES == 'false' }}
+        if: ${{ needs.check-for-changes-to-themes.outputs.HAS_THEME_CHANGES == 'false' }}
         uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -75,4 +88,4 @@ jobs:
                 repo: context.repo.repo
               });
             }
- 
+