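---
# WARNING:
# When extending this action, be aware that $GITHUB_TOKEN allows write access to
# the GitHub repository. This means that it should not evaluate user input in a
# way that allows code injection.

name: Backport

# pull_request_target runs in the context of the base repository, which is what
# makes `vars`/`secrets` (the GitHub App credentials below) available. The
# job-level `if` is the guard that keeps this to merged PRs and to label events
# whose label name starts with "backport".
on:
  pull_request_target:
    types: [closed, labeled]

# Permissions of the default GITHUB_TOKEN. Write access to contents is obtained
# through the App token requested in the first step instead.
permissions:
  contents: read
  issues: write
  pull-requests: write

defaults:
  run:
    shell: bash

jobs:
  backport:
    name: Backport Pull Request
    if: >-
      vars.NIXPKGS_CI_APP_ID
      && github.event.pull_request.merged == true
      && (github.event.action != 'labeled' || startsWith(github.event.label.name, 'backport'))
    runs-on: ubuntu-24.04-arm
    steps:
      # Use a GitHub App to create the PR so that CI gets triggered
      # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
        id: app-token
        with:
          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
          permission-contents: write
          permission-pull-requests: write

      # Checks out the head of the PR that triggered the run, using the App
      # token so the backport step can push.
      # NOTE(review): the job-level `if` above only admits merged PRs, so this
      # is the already-merged head and not an arbitrary fork branch; keep that
      # guard intact when extending this workflow.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          token: ${{ steps.app-token.outputs.token }}

      # Logged before and after the backport step; useful when diagnosing
      # rate-limit exhaustion of the App token.
      - name: Log current API rate limits
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq

      - name: Create backport PRs
        id: backport
        uses: korthout/backport-action@0193454f0c5947491d348f33a275c119f30eb736 # v3.2.1
        with:
          # Config README: https://github.com/korthout/backport-action#backport-action
          # Single-quoted so the `\s` in the regex reaches the action verbatim.
          copy_labels_pattern: 'severity:\ssecurity'
          github_token: ${{ steps.app-token.outputs.token }}
          # `${target_branch}` and `${pull_number}` are placeholders expanded by
          # the action (see its README), not GitHub Actions expressions.
          pull_description: |-
            Bot-based backport to `${target_branch}`, triggered by a label in #${pull_number}.

            * [ ] Before merging, ensure that this backport is [acceptable for the release](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#changes-acceptable-for-releases).
            * Even as a non-committer, if you find that it is not acceptable, leave a comment.

      - name: Log current API rate limits
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq

      # Only labels the original PR when the previous step reports that it
      # actually created at least one backport PR.
      - name: "Add 'has: port to stable' label"
        if: steps.backport.outputs.created_pull_numbers != ''
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          # Not using the app on purpose to avoid triggering another workflow run after adding this label.
          # This step therefore runs with the default GITHUB_TOKEN (issues: write above).
          script: |
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.payload.pull_request.number,
              labels: [ '8.has: port to stable' ]
            })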