[ci] Added automated backport workflow#270
Walkthrough
A new GitHub Actions workflow file is added to automate backporting fixes to stable branches. The workflow is triggered on push events to master/main and on issue comments starting with
Estimated code review effort: 2 (Simple), ~10 minutes
Pre-merge checks: 2 passed
Force-pushed 5f248fa to f243571
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/backport.yml:
- Line 44: Remove the extra trailing blank line in the backport.yml workflow
file to satisfy YAML lint’s empty-lines rule; open backport.yml and delete the
blank line at the end of the file so the file ends immediately after the last
non-empty line.
- Line 22: Replace the mutable reference
"openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master" with an
immutable full commit SHA (e.g.
"openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@<full-commit-sha>")
in both occurrences referenced in the workflow; locate the current upstream
commit you want to pin to, copy its full 40-character SHA and substitute it for
"@master" so the reusable workflow is pinned to that exact commit.
- Around line 30-36: The condition uses
github.event.issue.pull_request.merged_at which is not present on issue_comment
events; remove that check from the if and instead let the workflow trigger on
the comment and then fetch the full PR to verify merge status (use the PR number
from github.event.issue.pull_request and call the REST/GraphQL API in a step)
before proceeding with the backport logic; keep the existing checks for event
name, author association (contains(...)) and
startsWith(github.event.comment.body, '/backport'), and add a step that calls
the GitHub API to confirm the PR's merged state (e.g., check the PR resource's
merged boolean) before running backport steps.
ℹ️ Review info
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
📒 Files selected for processing (1)
.github/workflows/backport.yml
📜 Review details
🧰 Additional context used
🪛 YAMLlint (1.38.0)
.github/workflows/backport.yml
[warning] 3-3: truthy value should be one of [false, true]
(truthy)
[error] 44-44: too many blank lines (1 > 0)
(empty-lines)
🔇 Additional comments (1)
.github/workflows/backport.yml (1)
11-18: Concurrency and baseline permissions are well-scoped for this workflow’s intent.
cancel-in-progress: false and explicit contents/pull-requests permissions are appropriate here.
| jobs: | ||
| backport-on-push: | ||
| if: github.event_name == 'push' | ||
| uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master |
🧩 Analysis chain
🌐 Web query:
GitHub official recommendations pinning third-party actions reusable workflows security best practices
💡 Result:
GitHub official security recommendations (third‑party actions + reusable workflows)
- Pin to a full-length commit SHA (immutable) for all third-party actions; this is GitHub’s primary recommendation to reduce supply-chain risk from moved/compromised tags. Verify the SHA comes from the action’s official repo (not a fork). [1]
- Audit the action/workflow source (including what it does with your repo contents and secrets) before adopting it. [1]
- If you must reference by tag, do so only if you trust the creator (GitHub notes tags can be moved/deleted if the repo is compromised; “Verified creator” is a useful signal). [1]
- Apply the same rules to reusable workflows you call via OWNER/REPO/.github/workflows/workflow.yml@REF; GitHub explicitly says the third-party action guidance also applies to third-party reusable workflows. [1]
- Use Dependabot version updates to keep referenced actions and reusable workflows up to date. [1]
- Enforce governance with “allowed actions and reusable workflows” policies, including:
  - Require SHA pinning (enforcement can make unpinned workflows fail). [2]
  - Allowlist/denylist specific actions/workflows (including explicit blocking). [2]
  - Use patterns that match how you reference actions (OWNER/REPO@TAG-or-SHA) and reusable workflows (OWNER/REPO/PATH/FILENAME@TAG-or-SHA). [3]
Sources
[1] GitHub Docs — Security hardening for GitHub Actions (Secure use reference) (docs.github.com)
[2] GitHub Changelog (2025‑08‑15) — Actions policy now supports blocking and SHA pinning actions (github.blog)
[3] GitHub Enterprise Cloud Docs — Enterprise policies: allowed actions & reusable workflows / require SHA pinning; syntax examples (docs.github.com)
Citations:
- 1: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions?utm_source=openai
- 2: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/?utm_source=openai
- 3: https://docs.github.com/github/setting-up-and-managing-your-enterprise/setting-policies-for-organizations-in-your-enterprise-account/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-enterprise-account?utm_source=openai
Pin reusable workflow to a commit SHA instead of @master.
GitHub's official security guidance recommends pinning third-party actions and reusable workflows to full-length commit SHAs (immutable references) to reduce supply-chain risk. Using @master creates a mutable reference that can change unexpectedly if the upstream repository is modified or compromised. Replace @master with the specific commit SHA of the workflow version you intend to use.
Suggested fix
- uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master
+ uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@<commit-sha>
Also applies to: 37-37
| if: > | ||
| github.event_name == 'issue_comment' && | ||
| github.event.issue.pull_request && | ||
| github.event.issue.pull_request.merged_at != null && | ||
| github.event.issue.state == 'closed' && | ||
| contains(fromJSON('["MEMBER", "OWNER"]'), github.event.comment.author_association) && | ||
| startsWith(github.event.comment.body, '/backport') |
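Review bot: `github.event.issue.state == 'closed'` is not a merge check; a PR that was closed without merging also reports state `closed`, and the `merged_at` term on the line above it is not carried by the issue_comment payload, so once that term is dropped the job has no evidence the PR was merged. Add a step that fetches the PR by `github.event.issue.number` and reads its `merged` field, and make the backport job depend on that result rather than on `state == 'closed'` alone.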
🧩 Analysis chain
🌐 Web query:
GitHub Actions issue_comment event github.event.issue.pull_request merged_at field availability
💡 Result:
In a workflow triggered by issue_comment, github.event.issue.pull_request is not a full pull request object, so you should not expect merged_at to be present.
- GitHub’s Actions docs call out github.event.issue.pull_request mainly as a truthy check to tell whether the comment came from a PR vs a plain issue. (docs.github.com)
- In the underlying payload, that issue.pull_request value is only a small “PR links” object (e.g., html_url, diff_url, patch_url, etc.), not fields like merged, merged_at, etc. (matrix-org.github.io)
- PR-only fields are generally available when the workflow is triggered by PR events (pull_request, pull_request_target), not issue_comment. (docs.github.com)
What to do instead: if you need merged_at in an issue_comment workflow, make a REST/GraphQL API call to fetch the PR by number (github.event.issue.number) and read merged_at, or trigger on pull_request (e.g., types: [closed]) and use that event payload. (docs.github.com)
Citations:
- 1: https://docs.github.com/enterprise-server%403.16/actions/automating-your-workflow-with-github-actions/events-that-trigger-workflows?utm_source=openai
- 2: https://matrix-org.github.io/go-neb/pkg/github.com/google/go-github/github/index.html?utm_source=openai
- 3: https://docs.github.com/actions/learn-github-actions/contexts?utm_source=openai
- 4: https://docs.github.com/enterprise-server%403.16/actions/automating-your-workflow-with-github-actions/events-that-trigger-workflows?utm_source=openai
merged_at is unavailable in issue_comment events and prevents this job from running.
At Line 33, github.event.issue.pull_request.merged_at does not exist in the issue_comment event payload. The issue.pull_request object in issue_comment events contains only minimal fields (links like html_url, diff_url, patch_url), not PR status fields like merged_at. This condition will evaluate to false and block the job from executing.
Suggested fix
backport-on-comment:
if: >
github.event_name == 'issue_comment' &&
github.event.issue.pull_request &&
- github.event.issue.pull_request.merged_at != null &&
github.event.issue.state == 'closed' &&
contains(fromJSON('["MEMBER", "OWNER"]'), github.event.comment.author_association) &&
  startsWith(github.event.comment.body, '/backport')
If you need to verify PR merge status, make a REST or GraphQL API call to fetch the full PR object by number.
| if: > | |
| github.event_name == 'issue_comment' && | |
| github.event.issue.pull_request && | |
| github.event.issue.pull_request.merged_at != null && | |
| github.event.issue.state == 'closed' && | |
| contains(fromJSON('["MEMBER", "OWNER"]'), github.event.comment.author_association) && | |
| startsWith(github.event.comment.body, '/backport') | |
| if: > | |
| github.event_name == 'issue_comment' && | |
| github.event.issue.pull_request && | |
| github.event.issue.state == 'closed' && | |
| contains(fromJSON('["MEMBER", "OWNER"]'), github.event.comment.author_association) && | |
| startsWith(github.event.comment.body, '/backport') |
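An added example, not the PR's own file, showing one way backport.yml could address both findings raised in this review: a gating job that asks the GitHub API whether the commented-on PR was actually merged, and a reusable-workflow call pinned to an immutable commit instead of @master. The job names and `<full-commit-sha>` are placeholders; the secret names are the ones the PR already passes.

```yaml
# Added example, not the PR's own file. <full-commit-sha> is a placeholder;
# the secret names are the ones passed in the PR's diff.
name: Backport

on:
  push:
    branches: [master, main]
  issue_comment:
    types: [created]

jobs:
  verify-merged:
    # Keep only terms the issue_comment payload really carries: merged_at is
    # not among them, and state == 'closed' also matches closed-unmerged PRs.
    if: >
      github.event_name == 'issue_comment' &&
      github.event.issue.pull_request &&
      github.event.issue.state == 'closed' &&
      contains(fromJSON('["MEMBER", "OWNER"]'), github.event.comment.author_association) &&
      startsWith(github.event.comment.body, '/backport')
    runs-on: ubuntu-latest
    permissions:
      pull-requests: read
    outputs:
      merged: ${{ steps.check.outputs.merged }}
    steps:
      - id: check
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.issue.number }}
        run: |
          # Fetch the full PR resource and read its merged boolean (true/false).
          merged=$(gh api "repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}" --jq '.merged')
          echo "merged=${merged}" >> "$GITHUB_OUTPUT"

  backport-on-comment:
    needs: verify-merged
    # Run the backport only once the API confirmed the PR is actually merged.
    if: needs.verify-merged.outputs.merged == 'true'
    # Immutable reference: a full commit SHA instead of the mutable @master.
    uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@<full-commit-sha>
    secrets:
      app_id: ${{ secrets.OPENWISP_BOT_APP_ID }}
      private_key: ${{ secrets.OPENWISP_BOT_PRIVATE_KEY }}
```

Because `backport-on-comment` has `needs: verify-merged` without `always()`, it is skipped automatically on push events and on any comment that fails the gate.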
| secrets: | ||
| app_id: ${{ secrets.OPENWISP_BOT_APP_ID }} | ||
| private_key: ${{ secrets.OPENWISP_BOT_PRIVATE_KEY }} | ||
|
|
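Review bot: this `secrets:` block hands the bot App ID and private key to the reusable workflow that the `uses:` lines reference at the mutable `@master` ref, so whoever can change that upstream branch can run arbitrary steps with those credentials; pin the `uses:` references to a full commit SHA before these secrets are forwarded, and drop the trailing blank line flagged by yamllint.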
Remove the extra trailing blank line to satisfy YAML lint.
Static analysis reports an empty-lines violation at Line 44.
🧰 Tools
🪛 YAMLlint (1.38.0)
[error] 44-44: too many blank lines (1 > 0)
(empty-lines)
openwisp/openwisp-utils#501