github actions: Allow fork checkout for commit validation

Since we have external contributors we need process each of the commits
for faster reviews, validation that header information is correct and to
check the state of our tickets so that is actually tracked correctly
internally, on behalf of some external contributors.

In addition the order of steps was reordered so the clone and checkout
of the base repo and base branch was done first then the PR's were
fetched and checked out next.  This to ensure that our repo is the base
of everything rather than the PR's repo which could be an external
contributor.

Author: PlaidCat

.github/workflows/validate-kernel-commits.yml

@@ -14,15 +14,16 @@ jobs:
     timeout-minutes: 120
 
     steps:
-      - name: Checkout PR branch
+      - name: Checkout base branch
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          ref: ${{ github.head_ref }}
+          ref: ${{ github.base_ref }}
 
-      - name: Checkout base branch
+      - name: Fetch PR branch
         run: |
-          git fetch origin "${{ github.base_ref }}":"${{ github.base_ref }}"
+          git fetch "${{ github.event.pull_request.head.repo.clone_url }}" "${{ github.head_ref }}"
+          echo "HEAD_SHA=$(git rev-parse FETCH_HEAD)" >> "$GITHUB_ENV"
 
       - name: Checkout kernel-src-tree-tools
         uses: actions/checkout@v4
@@ -44,7 +45,7 @@ jobs:
           set -o pipefail  # Capture exit code from python script, not tee
           python3 check_kernel_commits.py \
             --repo .. \
-            --pr_branch "${{ github.head_ref }}" \
+            --pr_branch "$HEAD_SHA" \
             --base_branch "${{ github.base_ref }}" \
             --markdown \
             --check-cves | tee ../ckc_result.txt
@@ -108,7 +109,7 @@ jobs:
           set -o pipefail  # Capture exit code from python script, not tee
           python3 run_interdiff.py \
             --repo .. \
-            --pr_branch "${{ github.head_ref }}" \
+            --pr_branch "$HEAD_SHA" \
             --base_branch "${{ github.base_ref }}" \
             --markdown \
             --interdiff ../patchutils/src/interdiff | tee ../interdiff_result.txt
@@ -177,7 +178,7 @@ jobs:
           OUTPUT=$(python3 jira_pr_check.py \
             --kernel-src-tree .. \
             --merge-target "${{ github.base_ref }}" \
-            --pr-branch "${{ github.head_ref }}" 2>&1)
+            --pr-branch "$HEAD_SHA" 2>&1)
           EXIT_CODE=$?
 
           # Filter out any potential credential leaks from output