[ci] Consolidate Verible linting workflow into one stage

Running the verible linter and adding review comments to the pull
request previously had to be done in two stages:

1. Triggered on the pull request - prepare config and waiver files as
   artifacts.
2. Running on the repo's HEAD - run Verible and add review comments.

This was required because Actions running in the context of the pull
request did not have write permissions to add comments to pull requests.

This is now possible with the `pull_request_target` event, which
triggers when pull requests change, but runs in the context of the
repo's HEAD and has the permissions to create comments.

See #1427 and
chipsalliance/verible-linter-action#31 for details.

Signed-off-by: James Wainwright <[email protected]>

.github/workflows/pr_lint_review.yml

@@ -1,49 +1,45 @@
 # Copyright lowRISC contributors.
 # Licensed under the Apache License, Version 2.0, see LICENSE for details.
 # SPDX-License-Identifier: Apache-2.0
+
+# GitHub Action to run Verible linting on pull requests and add review comments.
+#
+# See https://github.com/chipsalliance/verible-linter-action.
+
 name: pr-lint-review
 
+# Triggers when there is any activity on a pull request, e.g. opened, updated.
+#
+# The action runs in the context of the _base_ of the pull request, but later we
+# checkout the repository at the pull request's HEAD to run linting.
 on:
-  workflow_run:
-    workflows: ["pr-trigger"]
-    types:
-      - completed
+  pull_request_target:
 
 jobs:
-  review_triggered:
+  verible-lint:
     runs-on: ubuntu-latest
+    # Grant write permissions only for setting checks and adding review comments
+    # to pull requests.
+    permissions:
+      checks: write
+      contents: read
+      pull-requests: write
+    env:
+      verible_config: 'vendor/lowrisc_ip/lint/tools/veriblelint/lowrisc-styleguide.rules.verible_lint'
     steps:
-      - uses: actions/checkout@v2
-
-      # this workflow does not run in a PR context
-      # download 'event.json' file from a PR-tiggered workflow
-      # to mock the PR context and make a review
-      - name: 'Download artifact'
-        id: get-artifacts
-        uses: actions/[email protected]
+      - uses: actions/checkout@v3
         with:
-          script: |
-            var artifacts = await github.actions.listWorkflowRunArtifacts({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               run_id: ${{github.event.workflow_run.id }},
-            });
-            var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
-              return artifact.name == "event.json"
-            })[0];
-            var download = await github.actions.downloadArtifact({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               artifact_id: matchArtifact.id,
-               archive_format: 'zip',
-            });
-            var fs = require('fs');
-            fs.writeFileSync('${{github.workspace}}/event.json.zip', Buffer.from(download.data));
-      - run: |
-          unzip event.json.zip
+          # Because `pull_request_target` runs at the PR's base, we need to
+          # checkout the head of the PR before running the lint.
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Display Verible config
+        run: |
+          echo "::group::Verible config"
+          cat "$verible_config"
+          echo "::endgroup::"
       - name: Run Verible linter action
         uses: chipsalliance/verible-linter-action@main
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           suggest_fixes: 'false'
-          config_file: 'vendor/lowrisc_ip/lint/tools/veriblelint/lowrisc-styleguide.rules.verible_lint'
+          config_file: ${{ env.verible_config }}