ci: Security improvements

2022-01-03 14:54:02 +01:00 · 2022-01-03 14:54:02 +01:00 · 817806a65e
parent 9008144b9c
commit 817806a65e
1 changed files with 7 additions and 1 deletions
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@ -1,6 +1,12 @@
 name: backport

 on:
+  # Note that `pull_request_target` has security implications:
+  # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+  # In particular:
+  # - Only allow triggers that can be used only be trusted users
+  # - Don't execute any code from the target branch
+  # - Don't use cache
  pull_request_target:
    types: [labeled]

@ -9,7 +15,7 @@ permissions: {}

 jobs:
  backport:
-    if: ${{ startsWith(github.event.label.name, 'backport ') }}
+    if: startsWith(github.event.label.name, 'backport ') && github.event.pull_request.merged
    runs-on: ubuntu-latest
    permissions:
      contents: write