diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml new file mode 100644 index 000000000..0e93347c8 --- /dev/null +++ b/.github/workflows/backport.yml @@ -0,0 +1,54 @@ +--- +name: Backport merged pull request + +on: + pull_request_target: + types: [labeled] + +permissions: {} + +env: + GIT_AUTHOR_NAME: OpenVoxProjectBot + GIT_AUTHOR_EMAIL: 215568489+OpenVoxProjectBot@users.noreply.github.com + GIT_COMMITTER_NAME: OpenVoxProjectBot + GIT_COMMITTER_EMAIL: 215568489+OpenVoxProjectBot@users.noreply.github.com + SSH_AUTH_SOCK: /tmp/ssh_agent.sock + +jobs: + backport: + name: Backport merged pull request + runs-on: ubuntu-latest + # For security reasons, we don't want to checkout and run arbitrary code when + # using the pull_request_target trigger. So restrict this to cases where the + # backport label is applied to an already merged PR. + if: github.event.pull_request.merged && startsWith(github.event.label.name, 'backport ') + steps: + - name: Add SSH key + run: | + mkdir -p ~/.ssh + echo "${{ secrets.OPENVOXBOT_SSH_PRIVATE_KEY }}" > ~/.ssh/github_actions + chmod 600 ~/.ssh/github_actions + ssh-agent -a $SSH_AUTH_SOCK > /dev/null + ssh-add ~/.ssh/github_actions + + - name: Setup git + run: | + git config --global user.email "$GIT_AUTHOR_EMAIL" + git config --global user.name "$GIT_AUTHOR_NAME" + git config --global gpg.format ssh + git config --global user.signingkey ~/.ssh/github_actions + git config --global commit.gpgsign true + git config --global tag.gpgsign true + - name: Checkout repository + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + token: ${{ secrets.OPENVOXBOT_COMMIT_AND_PRS }} + ref: main + - name: Create backport pull requests + uses: korthout/backport-action@2e830a1d0b8269505846ddd407a70876913ad1f8 # v4.6.0 + with: + auto_merge_enabled: true + auto_merge_method: merge + github_token: ${{ secrets.OPENVOXBOT_COMMIT_AND_PRS }} + git_committer_name: OpenVoxProjectBot + git_committer_email: 215568489+OpenVoxProjectBot@users.noreply.github.com