[core] Fix security regressions in cherry-pick-next-to-master.yml

mui · Dec 21, 2023 · 03ed2f3 · 03ed2f3
1 parent 380f1bb
commit 03ed2f3
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/.github/workflows/cherry-pick-next-to-master.yml b/.github/workflows/cherry-pick-next-to-master.yml
@@ -6,6 +6,8 @@ on:
       - next
     types: ['closed']
 
+permissions: {}
+
 jobs:
   cherry_pick_to_master:
     runs-on: ubuntu-latest
@@ -16,17 +18,17 @@ jobs:
     if: ${{ contains(github.event.pull_request.labels.*.name, 'needs cherry-pick') && github.event.pull_request.merged == true }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@722adc63f1aa60a57ec37892e133b1d319cae598 # v2.0.0
         with:
           fetch-depth: 0
       - name: Cherry pick and create the new PR
-        uses: carloscastrojumo/[email protected]
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        uses: carloscastrojumo/github-cherry-pick-action@a145da1b8142e752d3cbc11aaaa46a535690f0c5 # v1.0.9
         with:
           branch: master
           body: 'Cherry-pick of #{old_pull_request_id}'
           cherry-pick-branch: ${{ format('cherry-pick-{0}', github.event.number) }}
           title: '{old_title} (@${{ github.event.pull_request.user.login }})'
           labels: |
             cherry-pick
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}