[Backport 8.19] ci: use ephemeral token for backport action (#1048)

ci: use ephemeral token for backport action (#1047)

* ci: use ephemeral token for backport action

* uses ephemeral token so that backport PRs still trigger GitHub Actions checks
* uses `pull_request_target` so that backporting PRs from forked repos works

* ci: update fetch-github-token action to specific commit version (best practice)

* ci: restrict backport action to only react to merged PRs, and backport labels

(cherry picked from commit 39f8a22)

Co-authored-by: Matt Devy <32791943+MattDevy@users.noreply.github.com>

Author: elastic-vault-github-plugin-prod[bot]

.github/workflows/backport.yml

@@ -1,16 +1,44 @@
+# See: https://github.com/tibdex/backport/blob/main/.github/workflows/backport.yml
 name: Backport
+
 on:
-  pull_request:
+  pull_request_target:
     types:
       - closed
       - labeled
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   backport:
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+      id-token: write
     runs-on: ubuntu-latest
+    # Only react to merged PRs for security reasons.
+    # See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target.
+    if: >
+      github.event.pull_request.merged
+      && (
+        github.event.action == 'closed'
+        || (
+          github.event.action == 'labeled'
+          && contains(github.event.label.name, 'backport')
+        )
+      )
     name: Backport
     steps:
+      - name: Fetch ephemeral GitHub token
+        id: fetch-token
+        uses: elastic/ci-gh-actions/fetch-github-token@8a7604dfdd4e7fe21f969bfe9ff96e17635ea577 # v1.0.0
+        with:
+          vault-instance: "ci-prod"
+
       - name: Backport
-        uses: tibdex/backport@v1
+        uses: tibdex/backport@9565281eda0731b1d20c4025c43339fb0a23812e # v2.0.4
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_token: ${{ steps.fetch-token.outputs.token }}