Merged
42 changes: 42 additions & 0 deletions .github/workflows/backport.yml
@@ -0,0 +1,42 @@
name: Backport fixes to stable branch

on:
push:
branches:
- master
issue_comment:
types: [created]

concurrency:
group: backport-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false
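Review bot: `issue_comment: types: [created]` fires for every new comment on every issue and pull request in the repository, not only `/backport` commands on merged PRs; the job-level `if` further down skips the job but each comment still produces a (skipped) workflow run, so expect that noise in the Actions log. Limiting the trigger to `created` rather than `edited` is the right choice, since an edit to an already-processed comment then cannot re-trigger a backport.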
Comment on lines +11 to +12

⚠️ Potential issue | 🟠 Major

Concurrency key serializes all backport jobs regardless of PR — cross-event collision too.

For both push and issue_comment events targeting master/main, github.ref resolves to the same default-branch ref (e.g. refs/heads/master). This means every workflow run — whether triggered by a push or a PR comment — lands in the identical concurrency group. With cancel-in-progress: false all concurrent backport runs queue up sequentially, including backport commands on different, unrelated PRs.

The fix is to move concurrency to each job and use a key that naturally scopes to the triggering entity:

⚙️ Proposed fix: job-level concurrency with distinct keys
-concurrency:
-  group: backport-${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: false
-
 jobs:
   backport-on-push:
+    concurrency:
+      group: backport-push-${{ github.sha }}
+      cancel-in-progress: false
     if: github.event_name == 'push'
     uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master
     ...

   backport-on-comment:
+    concurrency:
+      group: backport-comment-${{ github.event.issue.number }}
+      cancel-in-progress: false
     if: >
       ...
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/backport.yml around lines 12 - 13, The current
workflow-level concurrency key "backport-${{ github.workflow }}-${{ github.ref
}}" serializes unrelated backport runs; move the concurrency block from
top-level into each job and replace the key with a run- or event-scoped
identifier (e.g. use "backport-${{ github.workflow }}-${{ github.run_id }}" for
unique runs, or "backport-${{ github.workflow }}-issue-${{
github.event.issue.number }}" / "backport-${{ github.workflow }}-pr-${{
github.event.pull_request.number }}" for comment/PR triggers) and keep
"cancel-in-progress: false" or adjust as needed so only identical triggered
entities serialize instead of all runs.


permissions:
contents: write
pull-requests: write

jobs:
backport-on-push:
if: github.event_name == 'push'
uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master
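Review bot: `permissions: contents: write` and `pull-requests: write` are granted to GITHUB_TOKEN for both jobs, yet both jobs also hand the callee a GitHub App key (`OPENWISP_BOT_APP_ID` / `OPENWISP_BOT_PRIVATE_KEY`), which is presumably what pushes the backport branch and opens the PR. If the reusable workflow does not write with GITHUB_TOKEN, drop these to `contents: read` and `pull-requests: read` (or omit the block) so the caller's token is least-privilege. This matters more than usual here because `issue_comment` runs always execute in the base repository with a write-capable token, unlike `pull_request` runs from forks.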

⚠️ Potential issue | 🟠 Major

Pin the reusable workflow to a commit SHA, not @master.

Both job references use a mutable branch pointer. Any push to the master branch of openwisp/openwisp-utils — including a compromised commit — takes effect immediately on all consuming repos without any review gate. Note that there is risk to this approach even if you trust the author, because a tag can be moved or deleted if a bad actor gains access to the repository storing the action.

Pin each call to a specific commit SHA and track the SHA deliberately:

🔒 Proposed fix: pin to a commit SHA
-    uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master
+    uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@<COMMIT_SHA>  # renovate: tag=master

Also applies to: 37-37

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/backport.yml at line 22, Replace the mutable branch
pointer in the reusable workflow reference "uses:
openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master" with a
specific commit SHA (e.g. @<commit-sha>) to pin the invocation to an immutable
revision; fetch the desired commit SHA from the openwisp/openwisp-utils
repository (the commit that matches the workflow version you want) and update
both occurrences of that uses: line (the one shown and the other at lines
referenced in the review) so the workflow calls the exact commit instead of
`@master`.

with:
commit_sha: ${{ github.sha }}
secrets:
app_id: ${{ secrets.OPENWISP_BOT_APP_ID }}
private_key: ${{ secrets.OPENWISP_BOT_PRIVATE_KEY }}

backport-on-comment:
if: >
github.event_name == 'issue_comment' &&
github.event.issue.pull_request &&
github.event.issue.pull_request.merged_at != null &&
github.event.issue.state == 'closed' &&
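Review bot: `commit_sha: ${{ github.sha }}` passes only the head commit of the push. When a PR lands as a merge commit or a rebase rather than a squash, one push to master contains several commits, and if the callee cherry-picks a single sha the earlier commits of that merge are silently not backported. Either confirm the repository enforces squash merges or have the callee derive the range from `github.event.before` and `github.sha`.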

🧹 Nitpick | 🔵 Trivial

Redundant state == 'closed' guard — remove it.

github.event.issue.state == 'closed' is fully implied by github.event.issue.pull_request.merged_at != null on line 33: a PR can only have a non-null merged_at when it is closed.

♻️ Proposed cleanup
     if: >
       github.event_name == 'issue_comment' &&
       github.event.issue.pull_request &&
       github.event.issue.pull_request.merged_at != null &&
-      github.event.issue.state == 'closed' &&
       contains(fromJSON('["MEMBER", "OWNER"]'), github.event.comment.author_association) &&
       startsWith(github.event.comment.body, '/backport')
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
-      github.event.issue.state == 'closed' &&
+    if: >
+      github.event_name == 'issue_comment' &&
+      github.event.issue.pull_request &&
+      github.event.issue.pull_request.merged_at != null &&
+      contains(fromJSON('["MEMBER", "OWNER"]'), github.event.comment.author_association) &&
+      startsWith(github.event.comment.body, '/backport')
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/backport.yml at line 34, Remove the redundant guard
expression "github.event.issue.state == 'closed'" from the workflow condition
because it is implied by the existing check
"github.event.issue.pull_request.merged_at != null"; update the conditional that
currently contains both expressions so it only checks
"github.event.issue.pull_request.merged_at != null" (leave the rest of the
surrounding condition unchanged).

contains(fromJSON('["MEMBER", "OWNER"]'), github.event.comment.author_association) &&
startsWith(github.event.comment.body, '/backport')
uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master
with:
pr_number: ${{ github.event.issue.number }}
comment_body: ${{ github.event.comment.body }}
secrets:
app_id: ${{ secrets.OPENWISP_BOT_APP_ID }}
private_key: ${{ secrets.OPENWISP_BOT_PRIVATE_KEY }}
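Review bot: `comment_body: ${{ github.event.comment.body }}` forwards free text typed by a human into the callee. The `author_association` gate limits it to MEMBER/OWNER (note that MEMBER is any member of the owning organization, not only people with write access to this repository), but the value is still untrusted for shell purposes: the reusable workflow must read `inputs.comment_body` through `env:` and never expand `${{ inputs.comment_body }}` inline in a `run:` script, otherwise shell metacharacters in a comment become command injection running with the bot credentials passed in `secrets:`.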
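The two workflow-level findings in the review above (a `uses:` reference pinned to a mutable branch instead of a commit SHA, and a `concurrency.group` keyed on `github.ref`) are easy to miss in a code review and easy to check mechanically. The following is an added editor's example, not code from this PR or from the openwisp project: a small line-based audit that flags both patterns in any workflow file. The sample input is the `backport.yml` added by this PR, embedded verbatim; the `Finding` type, the function names and the detail strings are this example's own.

```python
"""Audit a GitHub Actions workflow for two review findings:
  * `uses:` references pinned to a mutable ref (branch or tag) rather than
    a 40-hex commit SHA, and
  * a `concurrency` group keyed on github.ref (or github.ref_name), which
    puts every run on the same branch into one queue.
Line based on purpose: no YAML dependency, which is enough for the flat
block-style files GitHub Actions uses. Example code, not part of the PR.
"""
import re
from dataclasses import dataclass

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# `uses: x` at job level or `- uses: x` inside a steps list; stops before a trailing comment.
USES_LINE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str      # "unpinned-uses" or "ref-keyed-concurrency"
    detail: str


def _ref_keyed(group_value: str) -> bool:
    # "github.ref_name" contains "github.ref", so both spellings are caught.
    return "github.ref" in group_value


def audit_workflow(text: str) -> list[Finding]:
    findings = []
    conc_indent = None  # indent of the `concurrency:` mapping we are inside, if any

    for lineno, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())

        # A line at the same or shallower indent ends the concurrency mapping.
        if conc_indent is not None and indent <= conc_indent:
            conc_indent = None

        m = USES_LINE.match(raw)
        if m:
            ref = m.group(1)
            # Local actions ("./path") and docker:// refs carry no "@<rev>" to pin.
            if "@" in ref:
                target, _, rev = ref.rpartition("@")
                if not FULL_SHA.match(rev):
                    findings.append(Finding(lineno, "unpinned-uses",
                                            f"{target} is pinned to mutable ref '{rev}'"))
            continue

        if stripped.startswith("concurrency:"):
            inline = stripped[len("concurrency:"):].strip()
            if inline:  # short form: `concurrency: ci-${{ github.ref }}`
                if _ref_keyed(inline):
                    findings.append(Finding(lineno, "ref-keyed-concurrency", inline))
            else:       # mapping form: look for `group:` beneath it
                conc_indent = indent
            continue

        if conc_indent is not None and stripped.startswith("group:"):
            value = stripped[len("group:"):].strip()
            if _ref_keyed(value):
                findings.append(Finding(lineno, "ref-keyed-concurrency", value))

    return findings


# The workflow file as added in this PR's diff (verbatim), used as sample input.
SAMPLE_WORKFLOW = """\
name: Backport fixes to stable branch

on:
  push:
    branches:
      - master
  issue_comment:
    types: [created]

concurrency:
  group: backport-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

permissions:
  contents: write
  pull-requests: write

jobs:
  backport-on-push:
    if: github.event_name == 'push'
    uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master
    with:
      commit_sha: ${{ github.sha }}
    secrets:
      app_id: ${{ secrets.OPENWISP_BOT_APP_ID }}
      private_key: ${{ secrets.OPENWISP_BOT_PRIVATE_KEY }}

  backport-on-comment:
    if: >
      github.event_name == 'issue_comment' &&
      github.event.issue.pull_request &&
      github.event.issue.pull_request.merged_at != null &&
      github.event.issue.state == 'closed' &&
      contains(fromJSON('["MEMBER", "OWNER"]'), github.event.comment.author_association) &&
      startsWith(github.event.comment.body, '/backport')
    uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master
    with:
      pr_number: ${{ github.event.issue.number }}
      comment_body: ${{ github.event.comment.body }}
    secrets:
      app_id: ${{ secrets.OPENWISP_BOT_APP_ID }}
      private_key: ${{ secrets.OPENWISP_BOT_PRIVATE_KEY }}
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

Run against the PR's file it reports the `github.ref` group on line 11 and the two `@master` references on lines 21 and 36; replacing `@master` with a full commit SHA (as the review proposes) clears the latter two. A job-level `concurrency` keyed on `github.sha` or an issue number, as in the proposed fix, is not flagged.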