ci: Try backporting via pull_request_target (#9430)

* ci: Try backporting via pull_request_target

* ci: Security improvements
Florian Bruhin 2022-01-03 15:14:40 +01:00 committed by GitHub
parent 548cc4fc17
commit d60771f986
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 2 deletions


@ -1,7 +1,13 @@
name: backport name: backport
on: on:
pull_request: # Note that `pull_request_target` has security implications:
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
# In particular:
# - Only allow triggers that can be used only be trusted users
# - Don't execute any code from the target branch
# - Don't use cache
pull_request_target:
types: [labeled] types: [labeled]
# Set permissions at the job level. # Set permissions at the job level.
@ -9,7 +15,7 @@ permissions: {}
jobs: jobs:
backport: backport:
if: ${{ startsWith(github.event.label.name, 'backport ') }} if: startsWith(github.event.label.name, 'backport ') && github.event.pull_request.merged
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
contents: write contents: write
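Review bot: The warning comment added above `pull_request_target:` names the wrong branch. Under this trigger the workflow definition comes from the base (target) branch and the untrusted input is the pull request's head, so the second bullet would be more accurate as `# - Don't check out or execute any code from the pull request's head branch`. The first bullet has a typo and should read `# - Only allow triggers that can be used only by trusted users`. The new `if:` guard (label prefix plus `github.event.pull_request.merged`) is consistent with that model, but the job's steps lie outside the visible hunks, so whether any step checks out or runs the PR ref with the `contents: write` token cannot be confirmed from here.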