# WARNING:
# When extending this action, be aware that $GITHUB_TOKEN allows write access to
# the GitHub repository. This means that it should not evaluate user input in a
# way that allows code injection.
# The App token minted in the first step carries contents, pull-requests and
# workflows write permission as well, so the same caution applies to every
# step that receives it.

name: Backport

on:
  pull_request_target:
    types:
      - closed
      - labeled

# Permissions of the default GITHUB_TOKEN. Only the final labelling step relies
# on it; every other step authenticates with the App token.
permissions:
  contents: read
  issues: write
  pull-requests: write

defaults:
  run:
    shell: bash

jobs:
  backport:
    name: Backport Pull Request
    # Run only when the App is configured, the PR was actually merged and, for
    # label events, the label that fired the event is a backport label.
    # Restricting a pull_request_target job to merged PRs is what keeps the
    # checkout of the PR head below from running on an unreviewed contribution.
    if: >-
      vars.NIXPKGS_CI_APP_ID
      && github.event.pull_request.merged == true
      && (github.event.action != 'labeled' || startsWith(github.event.label.name, 'backport'))
    runs-on: ubuntu-24.04-arm
    timeout-minutes: 3
    steps:
      # Use a GitHub App to create the PR so that CI gets triggered.
      # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs.
      - id: app-token
        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
        with:
          app-id: "${{ vars.NIXPKGS_CI_APP_ID }}"
          private-key: "${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}"
          permission-contents: write
          permission-pull-requests: write
          # NOTE(review): presumably required so that backports touching
          # .github/workflows can be pushed — confirm.
          permission-workflows: write

      # Check out the head commit of the (merged, see the job `if`) pull request.
      # NOTE(review): the App token is handed to checkout, presumably so the
      # backport step can push with it — confirm against the action's README.
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          ref: "${{ github.event.pull_request.head.sha }}"
          token: "${{ steps.app-token.outputs.token }}"

      # Print the App token's current API quota to the job log (pretty-printed
      # by jq) before the backport runs.
      - name: Log current API rate limits
        env:
          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
        run: gh api /rate_limit | jq

      - id: backport
        name: Create backport PRs
        uses: korthout/backport-action@ca4972adce8039ff995e618f5fc02d1b7961f27a # v3.3.0
        with:
          # Config README: https://github.com/korthout/backport-action#backport-action
          # Single quotes keep the `\s` literal; presumably a regex selecting
          # which labels are carried over to the backport PR — see the README.
          copy_labels_pattern: 'severity:\ssecurity'
          github_token: "${{ steps.app-token.outputs.token }}"
          pull_description: |-
            Bot-based backport to `${target_branch}`, triggered by a label in #${pull_number}.

            * [ ] Before merging, ensure that this backport is [acceptable for the release](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#changes-acceptable-for-releases).
            * Even as a non-committer, if you find that it is not acceptable, leave a comment.

      # Same quota dump after the backport, so the cost of the run is visible.
      - name: Log current API rate limits
        env:
          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
        run: gh api /rate_limit | jq

      # Only label the source PR when the backport step reported created PRs.
      - name: "Add 'has: port to stable' label"
        if: steps.backport.outputs.created_pull_numbers != ''
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          # Deliberately not using the App token here: labelling with the
          # default GITHUB_TOKEN avoids triggering another workflow run.
          script: |
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.payload.pull_request.number,
              labels: [ '8.has: port to stable' ]
            })