Merged
42 changes: 42 additions & 0 deletions .github/workflows/backport.yml
@@ -0,0 +1,42 @@
name: Backport fixes to stable branch

on:
push:
branches:
- master
issue_comment:
types: [created]

concurrency:
group: backport-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false

permissions:
contents: write
pull-requests: write

jobs:
backport-on-push:
if: github.event_name == 'push'
uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check if the backport.yml file exists and examine the relevant lines
if [ -f ".github/workflows/backport.yml" ]; then
  echo "=== File found. Displaying full content ==="
  cat -n ".github/workflows/backport.yml"
else
  echo "File .github/workflows/backport.yml not found"
fi

Repository: openwisp/openwisp-config

🏁 Script executed:

# Also verify the specific pattern using rg
# The original message wrapped the ref names in backticks inside double quotes, which the shell would have run as commands
echo "=== Checking for mutable refs (@master/@main/@develop/@HEAD) ==="
rg -nP --type=yaml '^\s*uses:\s*[^#\n]+@(?:master|main|develop|HEAD)\b' .github/workflows || echo "No matches found"

Pin external reusable workflow refs to immutable SHAs before passing bot secrets.

Lines 21 and 36 reference @master, which is mutable. Because this workflow forwards bot credentials (OPENWISP_BOT_APP_ID and OPENWISP_BOT_PRIVATE_KEY), branch drift or upstream compromise can change executed logic without a PR in this repo. Pin to a full commit SHA (or an immutable release ref).

🔒 Proposed fix
-    uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master
+    uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@<FULL_COMMIT_SHA>

Apply the same change to line 36.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/backport.yml at line 21, replace the mutable refs to the
external reusable workflow in the uses fields (the occurrences of
"openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master") with
an immutable commit SHA or an immutable release tag before forwarding bot
secrets; update both occurrences (the one at the top and the second occurrence
referenced in the comment) so the workflow uses a full commit SHA (or pinned
release) instead of `@master`.

with:
commit_sha: ${{ github.sha }}
secrets:
app_id: ${{ secrets.OPENWISP_BOT_APP_ID }}
private_key: ${{ secrets.OPENWISP_BOT_PRIVATE_KEY }}

backport-on-comment:
if: >
github.event_name == 'issue_comment' &&
github.event.issue.pull_request &&
github.event.issue.pull_request.merged_at != null &&
github.event.issue.state == 'closed' &&
contains(fromJSON('["MEMBER", "OWNER"]'), github.event.comment.author_association) &&
startsWith(github.event.comment.body, '/backport')
uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master
with:
pr_number: ${{ github.event.issue.number }}
comment_body: ${{ github.event.comment.body }}
secrets:
app_id: ${{ secrets.OPENWISP_BOT_APP_ID }}
private_key: ${{ secrets.OPENWISP_BOT_PRIVATE_KEY }}
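Review bot: `comment_body: ${{ github.event.comment.body }}` in the `backport-on-comment` job forwards free-form comment text into the reusable workflow, and the only gate on who can supply it is the `author_association` check (MEMBER/OWNER) a few lines above; since the callee is not visible in this hunk, please confirm it consumes that input as data (for example via `env:`) rather than interpolating `${{ inputs.comment_body }}` directly inside a `run:` script, otherwise a member-authored comment becomes shell input on a runner holding the bot's app credentials. Separately, the concurrency group `backport-${{ github.workflow }}-${{ github.ref }}` resolves to the same key for every `issue_comment` run, because that event always carries the default branch ref, so with `cancel-in-progress: false` two `/backport` comments on different PRs share one queue and GitHub keeps only the most recent pending run in a group; including `github.event.issue.number` (or `github.sha` for the push case) in the group key would let each backport run independently.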