From 817806a65e1a25cb816156a7f9cca4308ce27019 Mon Sep 17 00:00:00 2001
From: Florian Bruhin <me@the-compiler.org>
Date: Mon, 3 Jan 2022 14:54:02 +0100
Subject: [PATCH] ci: Security improvements

---
 .github/workflows/backport.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index a253c74ad..f7840d537 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -1,6 +1,12 @@
 name: backport
 
 on:
+  # Note that `pull_request_target` has security implications:
+  # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+  # In particular:
+  # - Only allow triggers that can be used only be trusted users
+  # - Don't execute any code from the target branch
+  # - Don't use cache
   pull_request_target:
     types: [labeled]
 
@@ -9,7 +15,7 @@ permissions: {}
 
 jobs:
   backport:
-    if: ${{ startsWith(github.event.label.name, 'backport ') }}
+    if: startsWith(github.event.label.name, 'backport ') && github.event.pull_request.merged
     runs-on: ubuntu-latest
     permissions:
       contents: write