ci: fix zizmor findings

.github/workflows/pr-conventional-title.yml

@@ -14,6 +14,7 @@ jobs:
   validate-pr-title:
     runs-on: ubuntu-latest
     permissions:
+      # We need `pull-requests: write` to be able to post comments on PRs
       pull-requests: write
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
@@ -32,21 +33,45 @@ jobs:
             doesn't start with an uppercase character.
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
+      - name: Add a PR comment with semantic title suggestions
         if: always() && steps.pr-title.outputs.error_message != null
-        with:
-          header: pr-title-lint-error
-          message: |
-            Hey there and thank you for opening this pull request! 👋🏼
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          set -Eeuo pipefail
 
-            We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted.
+          MARKER="<!-- pr-title-lint-error -->"
+          BODY_HEADER="Hey there and thank you for opening this pull request! 👋🏼\n\nWe require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted.\n\n:warning: Details\n\n${{ steps.pr-title.outputs.error_message }}"
+          FULL_BODY="$MARKER\n\n$BODY_HEADER"
+          EXISTING_ID=$(gh api repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments --jq \
+            ".[] | select(.body|contains(\"$MARKER\")) | .id" | head -n1 || true)
 
-            :warning: Details
+          if [ -n "${EXISTING_ID}" ]; then
+            echo "Updating existing sticky comment (${EXISTING_ID})"
+            gh api repos/${GITHUB_REPOSITORY}/issues/comments/${EXISTING_ID} -X PATCH -f body="${FULL_BODY}"
+          else
+            echo "Creating new sticky comment"
+            gh api repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments -f body="${FULL_BODY}"
+          fi
+      - name: Remove PR comment
+        if: steps.pr-title.outputs.error_message == null
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          set -Eeuo pipefail
 
-            ${{ steps.pr-title.outputs.error_message }}
+          MARKER="<!-- pr-title-lint-error -->"
+          IDS=$(gh api repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments --jq \
+            ".[] | select(.body|contains(\"$MARKER\")) | .id" || true)
 
-      - if: steps.pr-title.outputs.error_message == null
-        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
-        with:
-          header: pr-title-lint-error
-          delete: true
+          if [ -z "${IDS}" ]; then
+            echo "No sticky comment to remove."
+            exit 0
+          fi
+
+          for id in $IDS; do
+            echo "Deleting sticky comment $id"
+            gh api repos/${GITHUB_REPOSITORY}/issues/comments/${id} -X DELETE
+          done