From d6b706b8f7f28e431875d8a4268b53080b7b6d0f Mon Sep 17 00:00:00 2001 From: Mirko Curtolo Date: Thu, 23 Oct 2025 10:47:10 +0200 Subject: [PATCH 1/2] Fix cache poisoning via execution of untrusted code --- .github/workflows/calculate-size-delta.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/calculate-size-delta.yml b/.github/workflows/calculate-size-delta.yml index e893af6..05011dc 100644 --- a/.github/workflows/calculate-size-delta.yml +++ b/.github/workflows/calculate-size-delta.yml @@ -2,8 +2,6 @@ name: Calculate Docker Image Size on: workflow_dispatch: - issue_comment: - types: [created] permissions: contents: read From 11623a795884ff786c50f7d70ceff67e835da633 Mon Sep 17 00:00:00 2001 From: Mirko Curtolo Date: Thu, 23 Oct 2025 12:35:05 +0200 Subject: [PATCH 2/2] Remove unnecessary checks --- .github/workflows/calculate-size-delta.yml | 25 +++++----------------- 1 file changed, 5 insertions(+), 20 deletions(-) diff --git a/.github/workflows/calculate-size-delta.yml b/.github/workflows/calculate-size-delta.yml index 05011dc..91905b5 100644 --- a/.github/workflows/calculate-size-delta.yml +++ b/.github/workflows/calculate-size-delta.yml @@ -13,9 +13,6 @@ jobs: PYTHON_VERSION: '3.13' TASKFILE_VERSION: 'v3.44.0' TASKFILE_PATH: '/home/runner/go/bin' - if: | - github.event_name == 'workflow_dispatch' || - (github.event_name == 'issue_comment' && github.event.comment.body == '/calculate-size' && github.event.issue.pull_request) services: registry: 
@@ -32,16 +29,11 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then - echo "Searching for PR from branch '${{ github.ref_name }}'..." - PR_NUMBER=$(gh pr list --state open --head "${{ github.ref_name }}" --json number --jq '.[0].number // empty') - if [ -z "$PR_NUMBER" ]; then - echo "Not found in current repo, searching across forks..." - PR_NUMBER=$(gh pr list --state open --json number,headRefName,headRepositoryOwner --jq ".[] | select(.headRefName == \"${{ github.ref_name }}\") | .number" | head -n1) - fi - else - # For issue_comment, the PR number is in the event context - PR_NUMBER=${{ github.event.issue.number }} + echo "Searching for PR from branch '${{ github.ref_name }}'..." + PR_NUMBER=$(gh pr list --state open --head "${{ github.ref_name }}" --json number --jq '.[0].number // empty') + if [ -z "$PR_NUMBER" ]; then + echo "Not found in current repo, searching across forks..." + PR_NUMBER=$(gh pr list --state open --json number,headRefName,headRepositoryOwner --jq ".[] | select(.headRefName == \"${{ github.ref_name }}\") | .number" | head -n1) fi if [ -z "$PR_NUMBER" ]; then @@ -51,13 +43,6 @@ jobs: fi echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT - - name: Checkout PR Branch (for comment trigger) - if: github.event_name == 'issue_comment' - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - gh pr checkout ${{ steps.pr_info.outputs.pr_number }} - - name: Set up Python uses: actions/setup-python@v5 with:
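Review bot: The surviving `run:` script still splices `${{ github.ref_name }}` straight into shell text and into the jq program (`select(.headRefName == \"${{ github.ref_name }}\")`), so a branch name containing `'`, `"`, `\`, `$` or a backtick either breaks the lookup or is evaluated by the shell; on `workflow_dispatch` the ref is picked by the dispatcher, who needs write access, so the exposure is limited, but it is the expression-in-script pattern GitHub's Actions hardening guidance asks to avoid. Route the ref through an environment variable and bind it into jq with `--arg` so it is always treated as data, as sketched below. The step header (`- name:`/`id:`) and whatever consumes `pr_number` sit outside this hunk; note that the fork-wide fallback still picks the first open PR whose head branch merely shares the name, so a fork PR can be selected — harmless if the number only feeds a comment, worth confirming if any later step checks out or builds that PR.

```yaml
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          echo "Searching for PR from branch '$REF_NAME'..."
          PR_NUMBER=$(gh pr list --state open --head "$REF_NAME" --json number --jq '.[0].number // empty')
          if [ -z "$PR_NUMBER" ]; then
            echo "Not found in current repo, searching across forks..."
            PR_NUMBER=$(gh pr list --state open --json number,headRefName,headRepositoryOwner \
              | jq -r --arg ref "$REF_NAME" '.[] | select(.headRefName == $ref) | .number' | head -n1)
          fi
          # … unchanged: empty-result check and pr_number output …
```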