test_ok2/.github/workflows/backport.yml

name: backport

on:
  # Note that `pull_request_target` has security implications:
  # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
  # In particular:
  # - Only allow triggers that can be used only be trusted users
  # - Don't execute any code from the target branch
  # - Don't use cache
  pull_request_target:
    types: [labeled]

# Set permissions at the job level.
permissions: {}

jobs:
  backport:
    if: startsWith(github.event.label.name, 'backport ') && github.event.pull_request.merged
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write

    steps:
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0
        persist-credentials: true

    - name: Create backport PR
      run: |
        set -eux

        git config --global user.name "pytest bot"
        git config --global user.email "pytestbot@gmail.com"

        label='${{ github.event.label.name }}'
        target_branch="${label#backport }"
        backport_branch=backport-${{ github.event.number }}-to-"${target_branch}"
        subject="[$target_branch] $(gh pr view --json title -q .title ${{ github.event.number }})"

        git checkout origin/"${target_branch}" -b "${backport_branch}"
        git cherry-pick -x --mainline 1 ${{ github.event.pull_request.merge_commit_sha }}
        git commit --amend --message "$subject"
        git push --set-upstream origin --force-with-lease "${backport_branch}"
        gh pr create \
          --base "${target_branch}" \
          --title "${subject}" \
          --body "Backport of PR #${{ github.event.number }} to $target_branch branch. PR created by backport workflow."
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ci: add a workflow for backporting to other branches To backport a PR, e.g. 1000, to another branch, e.g. `7.0.x`, add a label `backport 7.0.x` to the PR. This will trigger a workflow which will create a branch `backport-1000-to-7.0.x` based on the `7.0.x` branch with a cherry-pick of the PR's merge commit, and create a new PR for it against the `7.0.x` branch. It is very simplistic, for instance it doesn't handle cherry-pick failure gracefully, doesn't validate the state of the PR, doesn't check if the branch already exists, etc. But we can improve on it later as needed. Finally, PRs created by github actions do not themselves trigger further actions, i.e. the PR isn't checked. You need to close & reopen the PR for the checks to trigger. There are workarounds for this but they are either less secure or require more setup. 2021-12-12 06:47:26 +08:00			`name: backport`

			`on:`
ci: Try backporting via pull_request_target (#9430) * ci: Try backporting via pull_request_target * ci: Security improvements 2022-01-03 22:14:40 +08:00			# Note that `pull_request_target` has security implications:
			`# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/`
			`# In particular:`
			`# - Only allow triggers that can be used only be trusted users`
			`# - Don't execute any code from the target branch`
			`# - Don't use cache`
			`pull_request_target:`
ci: add a workflow for backporting to other branches To backport a PR, e.g. 1000, to another branch, e.g. `7.0.x`, add a label `backport 7.0.x` to the PR. This will trigger a workflow which will create a branch `backport-1000-to-7.0.x` based on the `7.0.x` branch with a cherry-pick of the PR's merge commit, and create a new PR for it against the `7.0.x` branch. It is very simplistic, for instance it doesn't handle cherry-pick failure gracefully, doesn't validate the state of the PR, doesn't check if the branch already exists, etc. But we can improve on it later as needed. Finally, PRs created by github actions do not themselves trigger further actions, i.e. the PR isn't checked. You need to close & reopen the PR for the checks to trigger. There are workarounds for this but they are either less secure or require more setup. 2021-12-12 06:47:26 +08:00			`types: [labeled]`

			`# Set permissions at the job level.`
			`permissions: {}`

			`jobs:`
			`backport:`
ci: Try backporting via pull_request_target (#9430) * ci: Try backporting via pull_request_target * ci: Security improvements 2022-01-03 22:14:40 +08:00			`if: startsWith(github.event.label.name, 'backport ') && github.event.pull_request.merged`
ci: add a workflow for backporting to other branches To backport a PR, e.g. 1000, to another branch, e.g. `7.0.x`, add a label `backport 7.0.x` to the PR. This will trigger a workflow which will create a branch `backport-1000-to-7.0.x` based on the `7.0.x` branch with a cherry-pick of the PR's merge commit, and create a new PR for it against the `7.0.x` branch. It is very simplistic, for instance it doesn't handle cherry-pick failure gracefully, doesn't validate the state of the PR, doesn't check if the branch already exists, etc. But we can improve on it later as needed. Finally, PRs created by github actions do not themselves trigger further actions, i.e. the PR isn't checked. You need to close & reopen the PR for the checks to trigger. There are workarounds for this but they are either less secure or require more setup. 2021-12-12 06:47:26 +08:00			`runs-on: ubuntu-latest`
			`permissions:`
			`contents: write`
			`pull-requests: write`

			`steps:`
build(deps): Bump actions/checkout from 3 to 4 (#11429) Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2023-09-11 17:50:08 +08:00			`- uses: actions/checkout@v4`
ci: add a workflow for backporting to other branches To backport a PR, e.g. 1000, to another branch, e.g. `7.0.x`, add a label `backport 7.0.x` to the PR. This will trigger a workflow which will create a branch `backport-1000-to-7.0.x` based on the `7.0.x` branch with a cherry-pick of the PR's merge commit, and create a new PR for it against the `7.0.x` branch. It is very simplistic, for instance it doesn't handle cherry-pick failure gracefully, doesn't validate the state of the PR, doesn't check if the branch already exists, etc. But we can improve on it later as needed. Finally, PRs created by github actions do not themselves trigger further actions, i.e. the PR isn't checked. You need to close & reopen the PR for the checks to trigger. There are workarounds for this but they are either less secure or require more setup. 2021-12-12 06:47:26 +08:00			`with:`
			`fetch-depth: 0`
			`persist-credentials: true`

			`- name: Create backport PR`
			`run: \|`
			`set -eux`

			`git config --global user.name "pytest bot"`
			`git config --global user.email "pytestbot@gmail.com"`

			`label='${{ github.event.label.name }}'`
			`target_branch="${label#backport }"`
			`backport_branch=backport-${{ github.event.number }}-to-"${target_branch}"`
			`subject="[$target_branch] $(gh pr view --json title -q .title ${{ github.event.number }})"`

			`git checkout origin/"${target_branch}" -b "${backport_branch}"`
			`git cherry-pick -x --mainline 1 ${{ github.event.pull_request.merge_commit_sha }}`
			`git commit --amend --message "$subject"`
			`git push --set-upstream origin --force-with-lease "${backport_branch}"`
			`gh pr create \`
			`--base "${target_branch}" \`
			`--title "${subject}" \`
			`--body "Backport of PR #${{ github.event.number }} to $target_branch branch. PR created by backport workflow."`
			`env:`
Revert "ci: fix PR not triggering workflows by switching back to pytestbot access token" 2022-10-08 05:58:51 +08:00			`GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`