github: don't persist checkout credentials by default #75
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Backport | |
| on: | |
| pull_request_target: | |
| types: [closed, labeled] | |
| # WARNING: | |
| # When extending this action, be aware that $GITHUB_TOKEN allows write access to | |
| # the GitHub repository. This means that it should not evaluate user input in a | |
| # way that allows code injection. | |
| permissions: | |
| contents: read | |
| jobs: | |
| backport: | |
| permissions: | |
| contents: write # for korthout/backport-action to create branch | |
| pull-requests: write # for korthout/backport-action to create PR to backport | |
| name: Backport Pull Request | |
| if: github.repository_owner == 'epics-extensions' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name)) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| # Credentials are needed to push to a remote branch, | |
| # before creating a pull request | |
| persist-credentials: true | |
| - name: Create backport PRs | |
| uses: korthout/backport-action@bd410d37cdcae80be6d969823ff5a225fe5c833f # v3.0.2 | |
| with: | |
| # Config README: https://github.com/korthout/backport-action#backport-action | |
| branch_name: backport/${pull_number}-to-${target_branch} | |
| copy_labels_pattern: 'severity:\ssecurity' | |
| pull_description: |- | |
| Bot-based backport to `${target_branch}`, triggered by a label in #${pull_number}. |