From 551a0f6faeae7575717a2b3f912ac030a78f9207 Mon Sep 17 00:00:00 2001
From: Yonas Habteab <yonas.habteab@icinga.com>
Date: Fri, 28 Nov 2025 09:18:14 +0100
Subject: [PATCH 1/2] workflows: fix invalid usage of `github.event_name`

The condition was wrong because `github.event_name` will never be
`labeled` since this field always refers to the actual type of the
event, which in this case will always be `pull_request`. We need to
determine which type of activity has triggered the workflow via the
`github.event.action` context.
---
 .github/workflows/backbot.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/backbot.yml b/.github/workflows/backbot.yml
index 4edf830e9..74e75b96c 100644
--- a/.github/workflows/backbot.yml
+++ b/.github/workflows/backbot.yml
@@ -11,7 +11,12 @@ permissions: {}
 jobs:
   backbot:
     runs-on: ubuntu-latest
-    if: ${{ github.repository_owner == 'Icinga' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith(github.event.label.name, 'backport-to-support/')) }}
+    if: |
+      github.repository_owner == 'Icinga' &&
+      github.event.pull_request.merged == true && (
+        github.event.action != 'labeled' ||
+        startsWith(github.event.label.name, 'backport-to-support/')
+      )
     steps:
       - name: Generate GitHub Installation Access Token
         # Use GitHub App to generate an installation access token to allow PRs created by Backbot to trigger workflows.

From 460247d177499905e7736a1ff777d1a1f0ee5211 Mon Sep 17 00:00:00 2001
From: Yonas Habteab <yonas.habteab@icinga.com>
Date: Fri, 28 Nov 2025 09:27:19 +0100
Subject: [PATCH 2/2] backbot: use `pull_request_target` event

---
 .github/workflows/backbot.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/backbot.yml b/.github/workflows/backbot.yml
index 74e75b96c..fb4fa5654 100644
--- a/.github/workflows/backbot.yml
+++ b/.github/workflows/backbot.yml
@@ -1,6 +1,6 @@
 name: Backbot
 on:
-  pull_request:
+  pull_request_target:
     types:
       - closed
       - labeled
@@ -41,6 +41,7 @@ jobs:
         uses: actions/checkout@v6
         with:
           token: ${{ steps.backbot-token.outputs.token }} # To make authenticated git operations.
+          sha: ${{ github.event.pull_request.head.sha }} # Checkout the latest commit of the merged PR.
 
       - name: Run Backbot
         uses: korthout/backport-action@d07416681cab29bf2661702f925f020aaa962997 # v3.4.1