workflows/codeowners: Fix security issue

Co-Authored-By: 13x1 <[email protected]>
Co-Authored-By: basti564 <[email protected]>

.github/workflows/codeowners.yml

@@ -1,12 +1,24 @@
 name: Codeowners
 
-# This workflow depends on a GitHub App with the following permissions:
-# - Repository > Administration: read-only
-# - Organization > Members: read-only
-# - Repository > Pull Requests: read-write
-# The App needs to be installed on this repository
-# the OWNER_APP_ID repository variable needs to be set
-# the OWNER_APP_PRIVATE_KEY repository secret needs to be set
+# This workflow depends on two GitHub Apps with the following permissions:
+# - For checking code owners:
+#   - Permissions:
+#     - Repository > Administration: read-only
+#     - Organization > Members: read-only
+#   - Install App on this repository, setting these variables:
+#     - OWNER_RO_APP_ID (variable)
+#     - OWNER_RO_APP_PRIVATE_KEY (secret)
+# - For requesting code owners:
+#   - Permissions:
+#     - Repository > Administration: read-only
+#     - Organization > Members: read-only
+#     - Repository > Pull Requests: read-write
+#   - Install App on this repository, setting these variables:
+#     - OWNER_APP_ID (variable)
+#     - OWNER_APP_PRIVATE_KEY (secret)
+#
+# This split is done because checking code owners requires handling untrusted PR input,
+# while requesting code owners requires PR write access, and those shouldn't be mixed.
 
 on:
   pull_request_target:
@@ -45,8 +57,8 @@ jobs:
     - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
       id: app-token
       with:
-        app-id: ${{ vars.OWNER_APP_ID }}
-        private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+        app-id: ${{ vars.OWNER_RO_APP_ID }}
+        private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
 
     - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       with: