tools: ensure the PR was not pushed before merging

When using Squash and Merge feature, it would allow to a malicious
actor to push unreviewed code to their PR while the CQ is running and
bypass the usual checks.
This commit adds a check to refuse to land if the head of the PR
branch is different from the one validated by ncu.

PR-URL: #40747
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Voltrex <[email protected]>

Author: aduh95

tools/actions/commit-queue.sh

@@ -110,7 +110,8 @@ for pr in "$@"; do
     jq -n \
       --arg title "$(git log -1 --pretty='format:%s')" \
       --arg body "$(git log -1 --pretty='format:%b')" \
-      '{merge_method:"squash",commit_title:$title,commit_message:$body}' > output.json
+      --arg head "$(grep 'Fetched commits as' output | cut -d. -f3 | xargs git rev-parse)" \
+      '{merge_method:"squash",commit_title:$title,commit_message:$body,sha:$head}' > output.json
     cat output.json
     gitHubCurl "$(mergeUrl "$pr")" PUT --data @output.json > output
     cat output