From cedf4b05e0e72eb24329fe32805e1a88ceb4848d Mon Sep 17 00:00:00 2001
From: Matthias Dellweg
Date: Mon, 9 Dec 2024 14:01:14 +0100
Subject: [PATCH] Secure pr_check workflow

Make sure the PR-target is only run against sanctioned base branches.
---
 templates/github/.github/workflows/pr_checks.yml.j2 | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/templates/github/.github/workflows/pr_checks.yml.j2 b/templates/github/.github/workflows/pr_checks.yml.j2
index 71671010..147da640 100644
--- a/templates/github/.github/workflows/pr_checks.yml.j2
+++ b/templates/github/.github/workflows/pr_checks.yml.j2
@@ -7,7 +7,13 @@ with context %}
 name: "{{ plugin_app_label | camel }} PR static checks"
 on:
   pull_request_target:
-    types: ["opened", "synchronize", "reopened"]
+    types:
+      - "opened"
+      - "synchronize"
+      - "reopened"
+    branches:
+      - "{{ default_branch }}"
+      - "[0-9]+.[0-9]+"
 # This workflow runs with elevated permissions.
 # Do not even think about running a single bit of code from the PR.