Skip to content

ci: restrict /backport comment trigger to repo members#5448

Merged
louiseschmidtgen merged 1 commit intomasterfrom
fix/backport-author-association-gate
Apr 8, 2026
Merged

ci: restrict /backport comment trigger to repo members#5448
louiseschmidtgen merged 1 commit intomasterfrom
fix/backport-author-association-gate

Conversation

@HomayoonAlimohammadi
Copy link
Copy Markdown
Contributor

@HomayoonAlimohammadi HomayoonAlimohammadi commented Apr 7, 2026

Summary

The issue_comment trigger in this backport workflow runs with elevated permissions (contents: write, pull-requests: write, BOT_TOKEN). Previously any GitHub user could trigger it by commenting /backport on any PR.

This adds an author_association guard so only MEMBER, OWNER, or COLLABORATOR accounts can trigger a backport via comment.

Change

# Before
github.event.comment.user.id != 99445902 &&
contains(github.event.comment.body, '/backport')

# After
github.event.comment.user.id != 99445902 &&
(github.event.comment.author_association == 'MEMBER' ||
 github.event.comment.author_association == 'OWNER' ||
 github.event.comment.author_association == 'COLLABORATOR') &&
contains(github.event.comment.body, '/backport')

References

@HomayoonAlimohammadi
ci: restrict /backport comment trigger to repo members
ae2bf96 
The issue_comment trigger on pull_request_target runs with contents:write
and pull-requests:write permissions plus access to BOT_TOKEN. Previously
any GitHub user could trigger it by commenting /backport on any PR.

Add an author_association check so only MEMBER, OWNER, or COLLABORATOR
accounts can trigger the backport via comment.

Ref: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
@HomayoonAlimohammadi HomayoonAlimohammadi marked this pull request as ready for review April 7, 2026 12:47
louiseschmidtgen
louiseschmidtgen approved these changes Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@louiseschmidtgen louiseschmidtgen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@louiseschmidtgen louiseschmidtgen merged commit 8453419 into master Apr 8, 2026
3 checks passed
@louiseschmidtgen louiseschmidtgen deleted the fix/backport-author-association-gate branch April 8, 2026 12:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@louiseschmidtgen louiseschmidtgen louiseschmidtgen approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@HomayoonAlimohammadi @louiseschmidtgen