ci: Try backporting via pull_request_target (pytest-dev#9430)

* ci: Try backporting via pull_request_target * ci: Security improvements
nicoddemus · Jan 3, 2022 · d60771f · d60771f
1 parent 548cc4f
commit d60771f
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
@@ -1,15 +1,21 @@
 name: backport
 
 on:
-  pull_request:
+  # Note that `pull_request_target` has security implications:
+  # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+  # In particular:
+  # - Only allow triggers that can be used only be trusted users
+  # - Don't execute any code from the target branch
+  # - Don't use cache
+  pull_request_target:
     types: [labeled]
 
 # Set permissions at the job level.
 permissions: {}
 
 jobs:
   backport:
-    if: ${{ startsWith(github.event.label.name, 'backport ') }}
+    if: startsWith(github.event.label.name, 'backport ') && github.event.pull_request.merged
     runs-on: ubuntu-latest
     permissions:
       contents: write