# Owned by grafana-release-guild
# Intended to be dropped into the base repo (Ex: grafana/grafana) for use in the security mirror.
name: Create security patch
run-name: create-security-patch
on:
  pull_request:
    types:
      - opened
      - reopened
      - synchronize
    branches:
      - "main"
      - "v*.*.*"

# This is run before the pull request has been merged, so we'll run against the src branch
jobs:
  trigger_downstream_create_security_patch:
    concurrency: create-patch-${{ github.ref_name }}
    uses: grafana/security-patch-actions/.github/workflows/create-patch.yml@main
    if: github.repository == 'grafana/grafana-security-mirror'
    with:
      repo: "${{ github.repository }}"
      src_ref: "${{ github.head_ref }}" # this is the source branch name, Ex: "feature/newthing"
      patch_ref: "${{ github.base_ref }}" # this is the target branch name, Ex: "main"
      patch_repo: "grafana/grafana-security-patches"
      patch_prefix: "${{ github.event.pull_request.number }}"
    secrets: inherit