fix: authenticate checksum fetching from remote #1119

	name: ghasum
	on:
	pull_request:

	permissions: read-all

	jobs:
	update:
	name: Update gha.sum
	runs-on: ubuntu-24.04
	permissions:
	contents: write # To push a commit
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
	with:
	disable-sudo: true
	egress-policy: block
	allowed-endpoints: >
	api.github.com:443
	github.com:443
	objects.githubusercontent.com:443
	release-assets.githubusercontent.com:443

	- name: Checkout repository
	if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
	uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
	with:
	token: ${{ secrets.JRELEASER_GITHUB_TOKEN }}
	ref: ${{ github.event.pull_request.head.ref }}
	repository: ${{ github.event.pull_request.head.repo.full_name }}

	- name: Update gha.sum
	if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
	uses: chains-project/maven-lockfile/.github/actions/ghasum@3ddcf33c03217482c614440fd714375e9053e732 # 5.16.0
	with:
	mode: update

	- name: Commit gha.sum
	if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
	uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
	with:
	commit_message: "chore: update ghasum checksums"
	file_pattern: .github/workflows/gha.sum

	- name: Skip update (fork)
	if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
	run: echo "::warning::Cannot auto-update gha.sum for fork PRs. If actions were updated, please run ghasum update manually."

Provide feedback