As I was reviewing the python/cpython workflows for security issues, I noticed that documentation-links.yml uses pull_request_target, which is potentially dangerous:

• https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
• Analyze and document the security implications of pull_request_target trigger readthedocs/actions#45

This is apparently required by readthedocs/actions/preview in order to edit the first PR message and add the link to the doc preview.

However I also noticed that readthedocs/actions/preview is now deprecated and that its README states:

As an alternative they suggest to connect their GitHub app and use that instead. Instead of editing the first comment, the app will add a comment which will list and link to changed/added/deleted files.
Note that the app is still in beta.

If we switch to the app we can stop using the deprecated action get rid of the documentation-links.yml workflow and pull_request_target use.

I brought this up to @hugovk attention, and he suggested to try the app on one of the other (smaller) repos first:

• devguide: devguide#1713
• peps
• python-docs-theme
• docs-community

If it works fine and we are happy with it, we can then update all the other repos (including cpython).

• cpython

cc @humitos