Secure pr_check workflow

Make sure the PR-target is only run against sanctioned base branches.
pulp · Dec 9, 2024 · cedf4b0 · cedf4b0
1 parent 5f397e3
commit cedf4b0
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/templates/github/.github/workflows/pr_checks.yml.j2 b/templates/github/.github/workflows/pr_checks.yml.j2
@@ -7,7 +7,13 @@ with context %}
 name: "{{ plugin_app_label | camel }} PR static checks"
 on:
   pull_request_target:
-    types: ["opened", "synchronize", "reopened"]
+    types:
+      - "opened"
+      - "synchronize"
+      - "reopened"
+    branches:
+      - "{{ default_branch }}"
+      - "[0-9]+.[0-9]+"
 
 # This workflow runs with elevated permissions.
 # Do not even think about running a single bit of code from the PR.