stylix: restrict access to config while using mkTarget #1098

	---
	# Derived from
	# https://github.com/NixOS/nixpkgs/blob/2566f9dcb469b06241519a8185863d67773f943a/.github/workflows/backport.yml
	name: Backport

	on:
	pull_request_target:
	types: [closed, labeled]

	permissions:
	contents: read
	pull-requests: write

	jobs:
	backport:
	runs-on: ubuntu-24.04

	if: >
	(
	vars.APP_ID &&
	github.event.pull_request.merged == true &&
	(
	github.event.action != 'labeled' \|\|
	startsWith(github.event.label.name, 'backport: ')
	)
	)

	steps:
	# Use a GitHub App rather than the default token so that GitHub Actions
	# workflows may run on the created pull request.
	- uses: actions/create-github-app-token@v2
	id: app-token
	with:
	app-id: ${{ vars.APP_ID }}
	private-key: ${{ secrets.APP_PRIVATE_KEY }}
	permission-contents: write
	permission-pull-requests: write

	- uses: actions/checkout@v4
	with:
	ref: ${{ github.event.pull_request.head.sha }}
	token: ${{ steps.app-token.outputs.token }}

	- uses: korthout/backport-action@v3
	with:
	github_token: ${{ steps.app-token.outputs.token }}
	label_pattern: "^backport: ([^ ]+)$"
	pull_title: "[${target_branch}] ${pull_title}"
	pull_description: "This is an automated backport of #${pull_number}."

	- name: "Add 'has: port to stable' label"
	if: steps.backport.outputs.created_pull_numbers != ''
	env:
	# Not the app on purpose to avoid triggering another workflow run
	# after adding this label
	GH_TOKEN: ${{ github.token }}
	REPOSITORY: ${{ github.repository }}
	NUMBER: ${{ github.event.number }}
	run: \|
	gh api \
	--method POST \
	/repos/"$REPOSITORY"/issues/"$NUMBER"/labels \
	-f "labels[]=has: port to stable"

Provide feedback