Skip to content

SEC-090: Automated trusted workflow pinning (2024-11-04) #5403

SEC-090: Automated trusted workflow pinning (2024-11-04)

SEC-090: Automated trusted workflow pinning (2024-11-04) #5403

Workflow file for this run

---
name: Backport Assistant Runner
on:
pull_request_target:
types:
- closed
- labeled
permissions:
contents: read
jobs:
backport:
if: github.event.pull_request.merged
runs-on: ${{ fromJSON(vars.RUNNER) }}
container: hashicorpdev/backport-assistant:0.5.1
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0 # Fetch all branches and tags
- name: Check if any migrations have changed
run: |
if git diff --exit-code --name-only "origin/${{ github.event.pull_request.base.ref }}"...HEAD -- internal/db/schema/migrations; then
echo "No migrations have changed, continuing with backport"
else
# Post comment on PR.
echo "Posting new backport-failure GitHub comment under PR #${{ github.event.pull_request.number }}"
curl -sX POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-d '{"body": "Backport Assistant: you attempted to automatically backport changes in this PR, but because it contained changes to migration files, this was rejected. Please carefully manually backport the changes."}' \
"$GITHUB_API_URL/repos/$GITHUB_REPOSITORY/issues/${{ github.event.pull_request.number }}/comments"
echo "Migrations have changed, refusing to backport. Please carefully manually backport the changes."
exit 1
fi
- name: Backport changes to stable-website
run: |
backport-assistant backport -automerge
env:
BACKPORT_LABEL_REGEXP: "backport/(?P<target>website)"
BACKPORT_TARGET_TEMPLATE: "stable-{{.target}}"
GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
- name: Backport changes to latest release branch
run: |
resp=$(curl -f -s "https://api.github.com/repos/$GITHUB_REPOSITORY/labels?per_page=100")
ret="$?"
if [[ "$ret" -ne 0 ]]; then
echo "The GitHub API returned $ret"
exit $ret
fi
# get the latest backport label excluding any website labels, ex: `backport/0.3.x` and not `backport/website`
latest_backport_label=$(echo "$resp" | jq -r '.[] | select(.name | (startswith("backport/") and (contains("website") | not))) | .name' | sort -rV | head -n1)
echo "Latest backport label: $latest_backport_label"
# set BACKPORT_TARGET_TEMPLATE for backport-assistant
# trims backport/ from the beginning with parameter substitution
export BACKPORT_TARGET_TEMPLATE="release/${latest_backport_label#backport/}"
backport-assistant backport -automerge
env:
BACKPORT_LABEL_REGEXP: "backport/(?P<target>website)"
GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
- name: Backport changes to targeted release branch
run: |
backport-assistant backport -automerge
env:
BACKPORT_LABEL_REGEXP: "backport/(?P<target>\\d+\\.\\d+\\.\\w+)"
BACKPORT_TARGET_TEMPLATE: "release/{{.target}}"
GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}