From bc9a76c611081fa7874ecddd95b99a0b979637e4 Mon Sep 17 00:00:00 2001
From: Matt Devy
Date: Thu, 20 Nov 2025 12:08:15 +0000
Subject: [PATCH 1/3] ci: use ephemeral token for backport action
* uses ephemeral token so that backport PRs still trigger GitHub Actions checks
* uses `pull_request_target` so that backporting PRs from forked repos works
---
 .github/workflows/backport.yml | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 7040fbb6da..67abe6a7fb 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -1,16 +1,32 @@
 name: Backport
+
 on:
- pull_request:
+ pull_request_target:
 types:
 - closed
 - labeled
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 backport:
+ permissions:
+ contents: write
+ pull-requests: write
+ issues: write
+ id-token: write
 runs-on: ubuntu-latest
 name: Backport
 steps:
+ - name: Fetch ephemeral GitHub token
+ id: fetch-token
+ uses: elastic/ci-gh-actions/fetch-github-token@v1.0.0
+ with:
+ vault-instance: "ci-prod"
+
 - name: Backport
- uses: tibdex/backport@v1
+ uses: tibdex/backport@9565281eda0731b1d20c4025c43339fb0a23812e # v2.0.4
 with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+ github_token: ${{ steps.fetch-token.outputs.token }}
From 686664ddb7dceab869c2f2bfb6b5dd81c85dd740 Mon Sep 17 00:00:00 2001
From: Matt Devy
Date: Thu, 20 Nov 2025 12:23:03 +0000
Subject: [PATCH 2/3] ci: update fetch-github-token action to specific commit version (best practice)
---
 .github/workflows/backport.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 67abe6a7fb..10facf7ad3 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
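Review bot: The workflow-level `permissions:` block (`contents: read`, `id-token: write`) is overridden entirely by the job-level block under `backport`, so the `contents: read` it advertises never applies to this job, and a reader skimming the top of the file sees a narrower grant than the job actually runs with. The only step that consumes a token is `tibdex/backport`, and it receives `${{ steps.fetch-token.outputs.token }}` rather than `GITHUB_TOKEN`, so the job's `contents: write`, `pull-requests: write` and `issues: write` look unused — presumably only `id-token: write` is needed for the token fetch; confirm against `elastic/ci-gh-actions/fetch-github-token` before trimming. I would set the top-level block to `permissions: {}` and keep only the scopes a step demonstrably uses, so a `pull_request_target` job that already holds a write-capable Vault token does not also carry a writable `GITHUB_TOKEN`.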
@@ -22,7 +22,7 @@ jobs:
 steps:
 - name: Fetch ephemeral GitHub token
 id: fetch-token
- uses: elastic/ci-gh-actions/fetch-github-token@v1.0.0
+ uses: elastic/ci-gh-actions/fetch-github-token@8a7604dfdd4e7fe21f969bfe9ff96e17635ea577 # v1.0.0
 with:
 vault-instance: "ci-prod"
From 5995fa9c84db2f560500fbb64a9d70c1b8514866 Mon Sep 17 00:00:00 2001
From: Matt Devy
Date: Thu, 20 Nov 2025 12:51:33 +0000
Subject: [PATCH 3/3] ci: restrict backport action to only react to merged PRs, and backport labels
---
 .github/workflows/backport.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 10facf7ad3..aada20f8e3 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -1,3 +1,4 @@
+# See: https://github.com/tibdex/backport/blob/main/.github/workflows/backport.yml
 name: Backport
 on:
@@ -18,6 +19,17 @@ jobs:
 issues: write
 id-token: write
 runs-on: ubuntu-latest
+ # Only react to merged PRs for security reasons.
+ # See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target.
+ if: > github.event.pull_request.merged && ( github.event.action == 'closed' || ( github.event.action == 'labeled' && contains(github.event.label.name, 'backport') ) )
 name: Backport
 steps:
 - name: Fetch ephemeral GitHub token
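Review bot: `contains(github.event.label.name, 'backport')` in the new `if:` is a substring test, so any label whose name merely contains `backport` (a hypothetical `no-backport`, say) also starts a job that obtains a write-capable Vault token; if labels follow a `backport <target>` convention, `startsWith(github.event.label.name, 'backport')` is the tighter check. The `closed` branch carries no label condition at all, so every merged PR runs the token fetch even when nothing is to be backported — adding `contains(join(github.event.pull_request.labels.*.name, ','), 'backport')` to that branch would keep the privileged job from running when it has no work, though whether that matches the label pattern the action is configured with is something to confirm. The `backport` job's header and its remaining steps lie outside this hunk.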