fix(ci): harden bundle-size PR workflow trust boundaries (#6773)

Author: Sheraff

.github/workflows/bundle-size.yml

@@ -1,7 +1,10 @@
 name: Bundle Size
 
 on:
-  pull_request:
+  # We use `pull_request_target` to split trust boundaries across jobs:
+  # - `benchmark-pr` checks out PR merge code and runs it as untrusted with read-only permissions.
+  # - `comment-pr` runs trusted base-repo code with limited write access to upsert the PR comment.
+  pull_request_target:
   push:
     branches: [main]
   workflow_dispatch:
@@ -11,26 +14,58 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   benchmark-pr:
     name: Benchmark PR
-    if: github.event_name == 'pull_request'
+    if: github.event_name == 'pull_request_target'
     runs-on: ubuntu-latest
+    outputs:
+      current_json_b64: ${{ steps.capture.outputs.current_json_b64 }}
     steps:
       - name: Checkout
         uses: actions/checkout@v6.0.1
         with:
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Setup Tools
         uses: tanstack/config/.github/setup@main
 
       - name: Measure Bundle Size
         run: pnpm nx run tanstack-router-e2e-bundle-size:build --outputStyle=stream --skipRemoteCache
 
+      - name: Capture Benchmark Outputs
+        id: capture
+        run: |
+          {
+            echo "current_json_b64=$(base64 -w 0 < e2e/bundle-size/results/current.json)"
+          } >> "$GITHUB_OUTPUT"
+
+  comment-pr:
+    name: Upsert PR Comment
+    if: github.event_name == 'pull_request_target'
+    runs-on: ubuntu-latest
+    needs: benchmark-pr
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6.0.1
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Restore Benchmark Outputs
+        env:
+          CURRENT_JSON_B64: ${{ needs.benchmark-pr.outputs.current_json_b64 }}
+        run: |
+          mkdir -p e2e/bundle-size/results
+          node -e "const fs=require('node:fs'); fs.writeFileSync('e2e/bundle-size/results/current.json', Buffer.from(process.env.CURRENT_JSON_B64 || '', 'base64'))"
+
       - name: Read Historical Data (if available)
         run: |
           mkdir -p e2e/bundle-size/results
@@ -64,6 +99,8 @@ jobs:
     name: Publish Bundle Size History
     if: github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository_owner == 'TanStack'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@v6.0.1