diff --git a/.github/ci-and-release.md b/.github/ci-and-release.md
index 3858b3f93..fd3460454 100644
--- a/.github/ci-and-release.md
+++ b/.github/ci-and-release.md
@@ -19,6 +19,13 @@ Sponsors and Kali releases go through the same release process. It is easier to
 A side effect of this is its possible for a version bump to be empty (no changes) and still be released.
 ### 1. cherry-pick any changes from BC-SECURITY/Empire#main to BC-SECURITY/Empire-Sponsors#private-main
+
+Pull requests that should be merged from `main` to `private-main` can be auto-cherry-picked using the `Prerelease - Cherry Pick Main` workflow.
+Add the label `auto-cherry-pick` to the pull request and upon merge, it will open a pull request into `BC-SECURITY/Empire-Sponsors#private-main`, assuming no conflicts.
+If there are conflicts, you must cherry-pick the commits manually. See the steps below.
+
+If you forgot to add the label, the workflow can be manually run, just enter the commit hash as an input to the workflow.
+
 If you don't feel comfortable pushing to `private-main`, you can branch from `private-main` before cherry-picking and open a pull request to merge into `private-main`.
 ```bash
diff --git a/.github/workflows/cherry-pick-main.yml b/.github/workflows/cherry-pick-main.yml
new file mode 100644
index 000000000..3a135c73a
--- /dev/null
+++ b/.github/workflows/cherry-pick-main.yml
@@ -0,0 +1,71 @@
+# On pull request merge to main in BC-SECURITY/Empire,
+# cherry-pick the squashed merge commit to private-main in BC-SECURITY/Empire-Sponsors
+# If the pull request contains the label 'auto-cherry-pick'
+name: Prerelease - Cherry Pick Main
+
+on:
+  pull_request:
+    types:
+      - closed
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      commitHash:
+        description: 'The commit hash to cherry-pick.'
+        type: string
+        required: true
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
+jobs:
+  cherry-pick:
+    if: ${{ github.repository == 'BC-Security/Empire' &&
+      (github.event_name == 'workflow_dispatch' ||
+      (github.event.pull_request &&
+      github.event.pull_request.merged == true &&
+      contains(github.event.pull_request.labels.*.name, 'auto-cherry-pick'))) }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out sponsor repo
+        uses: actions/checkout@v3
+        with:
+          repository: 'BC-Security/Empire-Sponsors'
+          submodules: 'recursive'
+          ref: private-main
+          token: ${{ secrets.RELEASE_TOKEN }}
+          fetch-depth: 0
+      - name: Add public repo
+        run: |
+          git remote add public https://github.com/BC-Security/empire.git
+          # recursing submodules in the fetch will cause remote error: upload-pack: not our ref since the
+          # remote for starkiller hasn't been synced yet
+          git fetch public --no-recurse-submodules
+        env:
+          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+      - name: Initialize mandatory git config
+        run: |
+          git config user.name "GitHub Actions"
+          git config user.email noreply@github.com
+      - name: Create cherry-pick branch
+        run: |
+          git checkout -b cherry-pick-${{ github.event.inputs.commitHash }}
+      - name: Cherry-pick commit
+        run: |
+          git cherry-pick ${{ github.event.inputs.commitHash }}
+      - name: Push new branch
+        run: git push origin cherry-pick-${{ github.event.inputs.commitHash }}
+      - name: Create pull request into private-main
+        uses: thomaseizinger/create-pull-request@1.0.0
+        with:
+          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+          title: Cherry-pick ${{ github.event.inputs.commitHash }} to private-main
+          body: |
+            This pull request was automatically created by a GitHub Action.
+            The commit ${{ github.event.inputs.commitHash }} was cherry-picked from the main branch.
+            Merge the pull request. **DO NOT SQUASH**
+          head: cherry-pick-${{ github.event.inputs.commitHash }}
+          base: private-main
+          repository: BC-Security/Empire-Sponsors
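Review bot: The label-driven `pull_request` path this workflow exists for cannot work, because every step keys off `github.event.inputs.commitHash`, which is only populated by `workflow_dispatch`; on a merged PR the branch becomes `cherry-pick-`, `git cherry-pick` runs with no argument and the job fails before any PR is opened. The squashed merge commit the header comment refers to is available on that event as `github.event.pull_request.merge_commit_sha`, so resolve the SHA once in a step and reference its output from the branch, cherry-pick, push and create-pull-request steps. Passing the dispatch input through `env:` rather than interpolating `${{ github.event.inputs.commitHash }}` straight into `run:` also keeps the value out of the shell text, and checking it is a hex SHA before use gives a cheap guard against a malformed or crafted input (dispatch is limited to write-access users, so this is hardening rather than an exposed hole). The `title`, `body` and `head` values of the create-pull-request step would switch to the same step output.

```yaml
      # … unchanged: Check out sponsor repo, Add public repo, Initialize mandatory git config …
      - name: Resolve commit to cherry-pick
        id: pick
        env:
          INPUT_SHA: ${{ github.event.inputs.commitHash }}
          MERGE_SHA: ${{ github.event.pull_request.merge_commit_sha }}
        run: |
          sha="${INPUT_SHA:-$MERGE_SHA}"
          # accept only a hex object id; anything else aborts before it reaches git
          if ! [[ "$sha" =~ ^[0-9a-f]{7,40}$ ]]; then
            echo "refusing to cherry-pick non-SHA value" >&2
            exit 1
          fi
          echo "sha=$sha" >> "$GITHUB_OUTPUT"
      - name: Create cherry-pick branch
        run: |
          git checkout -b "cherry-pick-${{ steps.pick.outputs.sha }}"
      - name: Cherry-pick commit
        run: |
          git cherry-pick "${{ steps.pick.outputs.sha }}"
      - name: Push new branch
        run: git push origin "cherry-pick-${{ steps.pick.outputs.sha }}"
      # … unchanged: Create pull request into private-main, with github.event.inputs.commitHash replaced by steps.pick.outputs.sha …
```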