Closed as not planned
Description
We have a new `wolfictl check diff` step in CI that comments a handy diff on a PR of added, modified and deleted files being proposed. This is only working for PRs created by the update bot because they are created from a branch on the main repo rather than forks.
This is due to GitHub's approach of locking down secrets in GitHub pre-submit actions.
Read more about this: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
There's a couple of options for having this available for PRs from forks too.
- Rework the GitHub action to upload proposed APKs from the PR melange build as GitHub artifacts in a job that does not have access to secrets. In a second job that does have access to secrets, comment on the PR. This comes from recommendations + the example in the blog linked above.
- Investigate if creating a GitHub app would help.
- Avoid GitHub Actions for CI; potentially long term, so will not get diffs anytime soon from forks.
- Any others I've missed?
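
The first option above, sketched as two workflow files (an added example, not the project's own CI). The file names, the `pr-diff` artifact name and `hack/build-and-diff.sh` are hypothetical, and it assumes the unprivileged job uploads the diff text rather than the APKs.

```yaml
# .github/workflows/pr-build.yaml (runs on fork PRs: read-only token, no secrets)
name: pr-build
on: pull_request
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Hypothetical script: wraps the melange build and the diff, writes plain text.
      - run: mkdir -p pr && ./hack/build-and-diff.sh > pr/diff.txt
      - run: echo "${{ github.event.pull_request.number }}" > pr/number
      - uses: actions/upload-artifact@v4
        with: { name: pr-diff, path: pr/ }
---
# .github/workflows/pr-comment.yaml (runs from the default branch with a write token)
name: pr-comment
on:
  workflow_run:
    workflows: [pr-build]
    types: [completed]
permissions:
  actions: read
  pull-requests: write
jobs:
  comment:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
    steps:
      # No checkout of PR code here: the artifact is read as data, never executed.
      - uses: actions/download-artifact@v4
        with:
          name: pr-diff
          path: pr
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
      - uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const raw = fs.readFileSync('pr/number', 'utf8').trim();
            if (!/^[0-9]{1,9}$/.test(raw)) throw new Error('bad PR number in artifact');
            const { data: pr } = await github.rest.pulls.get({ ...context.repo, pull_number: Number(raw) });
            // Bind the untrusted number to the run that produced the artifact.
            if (pr.head.sha !== context.payload.workflow_run.head_sha) throw new Error('PR/run mismatch');
            const diff = fs.readFileSync('pr/diff.txt', 'utf8').slice(0, 60000);
            await github.rest.issues.createComment({ ...context.repo, issue_number: pr.number,
              body: 'Proposed package changes:\n\n~~~\n' + diff.replace(/~~~/g, '~ ~ ~') + '\n~~~' });
```

Everything in the artifact is attacker-controlled on a fork PR, which is why the second workflow validates the PR number, ties it to the triggering run's head SHA, and posts the diff only as fenced, length-capped text.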