add auto-cherry-pick workflow

.github/ci-and-release.md

@@ -19,6 +19,13 @@ Sponsors and Kali releases go through the same release process. It is easier to
 A side effect of this is its possible for a version bump to be empty (no changes) and still be released.
 
 ### 1. cherry-pick any changes from BC-SECURITY/Empire#main to BC-SECURITY/Empire-Sponsors#private-main
+
+Pull requests that should be merged from `main` to `private-main` can be auto-cherry-picked using the `Prerelease - Cherry Pick Main` workflow.
+Add the label `auto-cherry-pick` to the pull request and upon merge, it will open a pull request into `BC-SECURITY/Empire-Sponsors#private-main`, assuming no conflicts.
+If there are conflicts, you must cherry-pick the commits manually. See the steps below.
+
+If you forgot to add the label, the workflow can be manually run, just enter the commit hash as an input to the workflow.
+
 If you don't feel comfortable pushing to `private-main`, you can branch from `private-main` before cherry-picking and open a pull request to merge into `private-main`.
 
 ```bash

.github/workflows/cherry-pick-main.yml

@@ -0,0 +1,71 @@
+# On pull request merge to main in BC-SECURITY/Empire,
+# cherry-pick the squashed merge commit to private-main in BC-SECURITY/Empire-Sponsors
+# If the pull request contains the label 'auto-cherry-pick'
+name: Prerelease - Cherry Pick Main
+
+on:
+  pull_request:
+    types:
+      - closed
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      commitHash:
+        description: 'The commit hash to cherry-pick.'
+        type: string
+        required: true
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
+jobs:
+  cherry-pick:
+    if: ${{ github.repository == 'BC-Security/Empire' &&
+      (github.event_name == 'workflow_dispatch' ||
+        (github.event.pull_request &&
+        github.event.pull_request.merged == true &&
+        contains(github.event.pull_request.labels.*.name, 'auto-cherry-pick'))) }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out sponsor repo
+        uses: actions/checkout@v3
+        with:
+          repository: 'BC-Security/Empire-Sponsors'
+          submodules: 'recursive'
+          ref: private-main
+          token: ${{ secrets.RELEASE_TOKEN }}
+          fetch-depth: 0
+      - name: Add public repo
+        run: |
+          git remote add public https://github.com/BC-Security/empire.git
+          # recursing submodules in the fetch will cause remote error: upload-pack: not our ref since the
+          # remote for starkiller hasn't been synced yet
+          git fetch public --no-recurse-submodules
+        env:
+          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+      - name: Initialize mandatory git config
+        run: |
+          git config user.name "GitHub Actions"
+          git config user.email [email protected]
+      - name: Create cherry-pick branch
+        run: |
+          git checkout -b cherry-pick-${{ github.event.inputs.commitHash }}
+      - name: Cherry-pick commit
+        run: |
+          git cherry-pick ${{ github.event.inputs.commitHash }}
+      - name: Push new branch
+        run: git push origin cherry-pick-${{ github.event.inputs.commitHash }}
+      - name: Create pull request into private-main
+        uses: thomaseizinger/[email protected]
+        with:
+          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+          title: Cherry-pick ${{ github.event.inputs.commitHash }} to private-main
+          body: |
+            This pull request was automatically created by a GitHub Action.
+            The commit ${{ github.event.inputs.commitHash }} was cherry-picked from the main branch.
+            Merge the pull request. **DO NOT SQUASH**
+          head: cherry-pick-${{ github.event.inputs.commitHash }}
+          base: private-main
+          repository: BC-Security/Empire-Sponsors