Fix hash-check workflow to check and merge against target branch of the PR (#21994)

* Fix hash-check workflow to check and merge against target branch of the PR

* Fix files check as well

* Explicity permissions withour write and remove the unnecessary merge

* Simplify script using actions already in the repo

Author: AAraKKe

.github/workflows/release-hash-check.yml

@@ -13,34 +13,20 @@ jobs:
     runs-on: ubuntu-latest
 
     permissions:
-      contents: write
+      contents: read
 
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        fetch-depth: 0
 
     - name: Set up Python
       uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
       with:
         python-version: '3.13'
 
-    - id: files
-      run: |
-        git fetch origin master
-        LAST_COMMON_COMMIT=$(git merge-base HEAD origin/master)
-        FILES=$(git --no-pager diff --name-only $LAST_COMMON_COMMIT -- .in-toto | xargs echo)
-        echo "all=$FILES" >> "$GITHUB_OUTPUT"
-
-    - id: merge
-      name: Merge branch into latest master
-      env:
-        HEAD_BRANCH: ${{ github.head_ref }}
-      run: |
-        git fetch origin $HEAD_BRANCH
-        git checkout origin/master
-        git config user.name "release-hash-check"
-        git config user.email "<>"
-        git merge --no-commit --no-edit origin/$HEAD_BRANCH
+    - name: Get changed files
+      id: changed-files
+      uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
+      with:
+        files: .in-toto/*.link
 
-    - run: python .github/workflows/release-hash-check.py ${{ steps.files.outputs.all }}
+    - run: python .github/workflows/release-hash-check.py ${{ steps.changed-files.outputs.all_changed_files }}