[ci] Added automated backport workflow

[atif09]

Checklist

• I have read the OpenWISP Contributing Guidelines.
• I have manually tested the changes proposed in this pull request.
• I have written new test cases for new code and/or updated existing tests for changes to existing code.
• I have updated the documentation.

Reference to Existing Issue

openwisp/openwisp-utils#501

[coderabbitai]

📝 Walkthrough

Walkthrough

A new GitHub Actions workflow is introduced at .github/workflows/backport.yml that automates backporting fixes to a stable branch. The workflow contains two jobs: one that triggers on push events to the master branch and passes the commit SHA, and another that triggers on issue comments starting with /backport on merged pull requests and passes the pull request number and comment body. Both jobs delegate to a reusable workflow hosted in the openwisp/openwisp-utils repository, supplying bot credentials via secrets.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The description is incomplete. While it includes the checklist and references an issue, it lacks a 'Description of Changes' section that explains what the backport workflow does and why it was added.	Add a 'Description of Changes' section explaining the backport workflow's purpose, functionality, and how it works with the referenced issue.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding an automated backport workflow to the CI configuration.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/backport.yml:
- Line 21: Replace the mutable refs to the external reusable workflow in the
uses fields (the occurrences of
"openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master") with
an immutable commit SHA or an immutable release tag before forwarding bot
secrets; update both occurrences (the one at the top and the second occurrence
referenced in the comment) so the workflow uses a full commit SHA (or pinned
release) instead of `@master`.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4549659 and ea7deea.

📒 Files selected for processing (1)

• .github/workflows/backport.yml

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Build and Upload Packages

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check if the backport.yml file exists and examine the relevant lines
if [ -f ".github/workflows/backport.yml" ]; then
  echo "=== File found. Displaying full content ==="
  cat -n ".github/workflows/backport.yml"
else
  echo "File .github/workflows/backport.yml not found"
fi

Repository: openwisp/openwisp-config

Length of output: 1680

---

🏁 Script executed:

# Also verify the specific pattern using rg
echo "=== Checking for mutable refs (`@master/`@main/@develop/@HEAD) ==="
rg -nP --type=yaml '^\s*uses:\s*[^#\n]+@(?:master|main|develop|HEAD)\b' .github/workflows || echo "No matches found"

Repository: openwisp/openwisp-config

Length of output: 362

---

Pin external reusable workflow refs to immutable SHAs before passing bot secrets.

Lines 21 and 36 reference @master, which is mutable. Because this workflow forwards bot credentials (OPENWISP_BOT_APP_ID and OPENWISP_BOT_PRIVATE_KEY), branch drift or upstream compromise can change executed logic without a PR in this repo. Pin to a full commit SHA (or an immutable release ref).

🔒 Proposed fix

-    uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master
+    uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@<FULL_COMMIT_SHA>

Apply the same change to line 36.

References:

• https://docs.github.com/en/actions/using-workflows/reusing-workflows
• https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/backport.yml at line 21, Replace the mutable refs to the
external reusable workflow in the uses fields (the occurrences of
"openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master") with
an immutable commit SHA or an immutable release tag before forwarding bot
secrets; update both occurrences (the one at the top and the second occurrence
referenced in the comment) so the workflow uses a full commit SHA (or pinned
release) instead of `@master`.