From 27a5e97505c6a13fbe1eece3388bd16e58888548 Mon Sep 17 00:00:00 2001
From: James Garbutt <43081j@users.noreply.github.com>
Date: Fri, 10 Apr 2026 10:51:29 +0100
Subject: [PATCH 1/2] chore: switch to two-phase workflow

---
 .../workflows/diff-dependencies-comment.yml   | 27 +++++++++++++++++++
 .github/workflows/diff-dependencies.yml       | 15 ++++++++---
 2 files changed, 38 insertions(+), 4 deletions(-)
 create mode 100644 .github/workflows/diff-dependencies-comment.yml

diff --git a/.github/workflows/diff-dependencies-comment.yml b/.github/workflows/diff-dependencies-comment.yml
new file mode 100644
index 0000000..7e70302
--- /dev/null
+++ b/.github/workflows/diff-dependencies-comment.yml
@@ -0,0 +1,27 @@
+name: Dependency Diff (Comment)
+
+on:
+  workflow_run:
+    workflows: ['Dependency Diff (Analyze)']
+    types:
+      - completed
+
+jobs:
+  post_comment:
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.conclusion == 'success'
+    permissions:
+      pull-requests: write
+      actions: read
+    steps:
+      - name: Download Artifact
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: e18e-diff-result
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Post Comment
+        uses: e18e/action-dependency-diff@d995338f3b229fe7b2cd82048df5da930f70c7c3 # v1.4.4
+        with:
+          mode: comment-from-artifact
+          artifact-path: e18e-diff-result.json
diff --git a/.github/workflows/diff-dependencies.yml b/.github/workflows/diff-dependencies.yml
index 31a0cef..9c6ef91 100644
--- a/.github/workflows/diff-dependencies.yml
+++ b/.github/workflows/diff-dependencies.yml
@@ -1,7 +1,7 @@
-name: Dependency Diff
+name: Dependency Diff (Analyze)
 
 on:
-  pull_request_target:
+  pull_request:
     branches:
       - main
 
@@ -56,7 +56,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [build-main, build-pr]
     permissions:
-      pull-requests: write
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -71,8 +71,15 @@ jobs:
         with:
           name: source-packages
           path: ./source-packages
-      - name: Create Diff
+      - name: Analyze Dependencies
+        id: analyze
         uses: e18e/action-dependency-diff@d995338f3b229fe7b2cd82048df5da930f70c7c3 # v1.4.4
         with:
+          mode: artifact
           base-packages: ./base-packages/*.tgz
           source-packages: ./source-packages/*.tgz
+      - name: Upload Artifact
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: e18e-diff-result
+          path: ${{ steps.analyze.outputs.artifact-path }}

From e1ba41fa2c0825badaaa87531c3b6b781b6635cb Mon Sep 17 00:00:00 2001
From: James Garbutt <43081j@users.noreply.github.com>
Date: Fri, 10 Apr 2026 10:55:13 +0100
Subject: [PATCH 2/2] chore: temporarily use self

---
 .github/workflows/diff-dependencies-comment.yml | 2 +-
 .github/workflows/diff-dependencies.yml         | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/diff-dependencies-comment.yml b/.github/workflows/diff-dependencies-comment.yml
index 7e70302..dbfca6e 100644
--- a/.github/workflows/diff-dependencies-comment.yml
+++ b/.github/workflows/diff-dependencies-comment.yml
@@ -21,7 +21,7 @@ jobs:
           run-id: ${{ github.event.workflow_run.id }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Post Comment
-        uses: e18e/action-dependency-diff@d995338f3b229fe7b2cd82048df5da930f70c7c3 # v1.4.4
+        uses: e18e/action-dependency-diff@27a5e97505c6a13fbe1eece3388bd16e58888548 # pre-release
         with:
           mode: comment-from-artifact
           artifact-path: e18e-diff-result.json
diff --git a/.github/workflows/diff-dependencies.yml b/.github/workflows/diff-dependencies.yml
index 9c6ef91..dc4d496 100644
--- a/.github/workflows/diff-dependencies.yml
+++ b/.github/workflows/diff-dependencies.yml
@@ -62,7 +62,6 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
       - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: base-packages
@@ -73,7 +72,7 @@ jobs:
           path: ./source-packages
       - name: Analyze Dependencies
         id: analyze
-        uses: e18e/action-dependency-diff@d995338f3b229fe7b2cd82048df5da930f70c7c3 # v1.4.4
+        uses: e18e/action-dependency-diff@27a5e97505c6a13fbe1eece3388bd16e58888548 # pre-release
         with:
           mode: artifact
           base-packages: ./base-packages/*.tgz