Is this potiuk/get-workflow-origin@v1_5 trustable? I don't really know how the security model of the github API works but is it possible to give this step a token with a limited set of permissions just to retrieve the issue number and nothing in write mode?

In particular I am not sure how the abuse of ${{ secrets.GITHUB_TOKEN }} would make it possible for a malicious actions/setup-python@v3 to upload malicious wheels to pypi or anaconda.org's nightly wheel repo one way or another.

I think we should explicitly configure the permissions granted to the actions in this workflow file:

https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token

See also:

https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/

this includes examples.

token permissions are set, now this action only has read access to pull requests.