# WARNING: # When extending this action, be aware that $GITHUB_TOKEN allows write access to # the GitHub repository. This means that it should not evaluate user input in a # way that allows code injection. name: Backport on: pull_request_target: types: [closed, labeled] permissions: contents: read issues: write # adding the 'has: port to stable' and 'has: backport failed' label pull-requests: write # creating backport pull requests defaults: run: shell: bash jobs: backport: name: Backport Pull Request if: vars.NIXPKGS_CI_CLIENT_ID && github.event.pull_request.merged == true && (github.event.action != 'labeled' || startsWith(github.event.label.name, 'backport')) runs-on: ubuntu-slim timeout-minutes: 3 steps: # Use a GitHub App to create the PR so that CI gets triggered # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 id: app-token with: client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }} private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }} permission-contents: write permission-pull-requests: write permission-workflows: write - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: ref: ${{ github.event.pull_request.head.sha }} token: ${{ steps.app-token.outputs.token }} persist-credentials: true - name: Log current API rate limits env: GH_TOKEN: ${{ steps.app-token.outputs.token }} run: gh api /rate_limit | jq - name: Create backport PRs id: backport uses: korthout/backport-action@66065406958f46e82238fd59546f5a99e69e22aa # v4.5.2 with: # Config README: https://github.com/korthout/backport-action#backport-action add_author_as_reviewer: true copy_labels_pattern: 'severity:\ssecurity' github_token: ${{ steps.app-token.outputs.token }} pull_description: |- Bot-based backport to `${target_branch}`, triggered by a label in #${pull_number}. **Before merging, ensure that this backport is [acceptable for the release](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#changes-acceptable-for-releases).** Even as a non-committer, if you find that it is not acceptable, leave a comment. > [!TIP] > If you maintain all packages touched by this pull request, and they are all located under `pkgs/by-name/*`, you can comment **`@NixOS/nixpkgs-merge-bot merge`** to automatically merge this PR using the [`nixpkgs-merge-bot`](https://github.com/NixOS/nixpkgs/blob/master/ci/README.md#nixpkgs-merge-bot). - name: Log current API rate limits env: GH_TOKEN: ${{ steps.app-token.outputs.token }} run: gh api /rate_limit | jq - name: "Add 'has: port to stable' label" if: steps.backport.outputs.created_pull_numbers != '' uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: # Not using the app on purpose to avoid triggering another workflow run after adding this label. script: | await github.rest.issues.addLabels({ owner: context.repo.owner, repo: context.repo.repo, issue_number: context.payload.pull_request.number, labels: [ '8.has: port to stable' ] }) - name: "Add 'has: failed backport' label" if: steps.backport.outputs.was_successful == 'false' uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: # Not using the app on purpose to avoid triggering another workflow run after adding this label. script: | await github.rest.issues.addLabels({ owner: context.repo.owner, repo: context.repo.repo, issue_number: context.payload.pull_request.number, labels: [ '8.has: failed backport' ] })