name: backport

on:
  # Note that `pull_request_target` has security implications:
  # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
  # In particular:
  # - Only allow triggers that can be used only be trusted users
  # - Don't execute any code from the target branch
  # - Don't use cache
  pull_request_target:
    types: [labeled]

# Set permissions at the job level.
permissions: {}

jobs:
  backport:
    if: startsWith(github.event.label.name, 'backport ') && github.event.pull_request.merged
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write

    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        persist-credentials: true

    - name: Create backport PR
      run: |
        set -eux

        git config --global user.name "pytest bot"
        git config --global user.email "pytestbot@gmail.com"

        label='${{ github.event.label.name }}'
        target_branch="${label#backport }"
        backport_branch=backport-${{ github.event.number }}-to-"${target_branch}"
        subject="[$target_branch] $(gh pr view --json title -q .title ${{ github.event.number }})"

        git checkout origin/"${target_branch}" -b "${backport_branch}"
        git cherry-pick -x --mainline 1 ${{ github.event.pull_request.merge_commit_sha }}
        git commit --amend --message "$subject"
        git push --set-upstream origin --force-with-lease "${backport_branch}"
        gh pr create \
          --base "${target_branch}" \
          --title "${subject}" \
          --body "Backport of PR #${{ github.event.number }} to $target_branch branch. PR created by backport workflow."
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}