SEC-090: Automated trusted workflow pinning (2024-11-04) #5403
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Backport Assistant Runner | |
on: | |
pull_request_target: | |
types: | |
- closed | |
- labeled | |
permissions: | |
contents: read | |
jobs: | |
backport: | |
if: github.event.pull_request.merged | |
runs-on: ${{ fromJSON(vars.RUNNER) }} | |
container: hashicorpdev/backport-assistant:0.5.1 | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
fetch-depth: 0 # Fetch all branches and tags | |
- name: Check if any migrations have changed | |
run: | | |
if git diff --exit-code --name-only "origin/${{ github.event.pull_request.base.ref }}"...HEAD -- internal/db/schema/migrations; then | |
echo "No migrations have changed, continuing with backport" | |
else | |
# Post comment on PR. | |
echo "Posting new backport-failure GitHub comment under PR #${{ github.event.pull_request.number }}" | |
curl -sX POST \ | |
-H "Accept: application/vnd.github+json" \ | |
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ | |
-d '{"body": "Backport Assistant: you attempted to automatically backport changes in this PR, but because it contained changes to migration files, this was rejected. Please carefully manually backport the changes."}' \ | |
"$GITHUB_API_URL/repos/$GITHUB_REPOSITORY/issues/${{ github.event.pull_request.number }}/comments" | |
echo "Migrations have changed, refusing to backport. Please carefully manually backport the changes." | |
exit 1 | |
fi | |
- name: Backport changes to stable-website | |
run: | | |
backport-assistant backport -automerge | |
env: | |
BACKPORT_LABEL_REGEXP: "backport/(?P<target>website)" | |
BACKPORT_TARGET_TEMPLATE: "stable-{{.target}}" | |
GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | |
- name: Backport changes to latest release branch | |
run: | | |
resp=$(curl -f -s "https://api.github.com/repos/$GITHUB_REPOSITORY/labels?per_page=100") | |
ret="$?" | |
if [[ "$ret" -ne 0 ]]; then | |
echo "The GitHub API returned $ret" | |
exit $ret | |
fi | |
# get the latest backport label excluding any website labels, ex: `backport/0.3.x` and not `backport/website` | |
latest_backport_label=$(echo "$resp" | jq -r '.[] | select(.name | (startswith("backport/") and (contains("website") | not))) | .name' | sort -rV | head -n1) | |
echo "Latest backport label: $latest_backport_label" | |
# set BACKPORT_TARGET_TEMPLATE for backport-assistant | |
# trims backport/ from the beginning with parameter substitution | |
export BACKPORT_TARGET_TEMPLATE="release/${latest_backport_label#backport/}" | |
backport-assistant backport -automerge | |
env: | |
BACKPORT_LABEL_REGEXP: "backport/(?P<target>website)" | |
GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | |
- name: Backport changes to targeted release branch | |
run: | | |
backport-assistant backport -automerge | |
env: | |
BACKPORT_LABEL_REGEXP: "backport/(?P<target>\\d+\\.\\d+\\.\\w+)" | |
BACKPORT_TARGET_TEMPLATE: "release/{{.target}}" | |
GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }} |