43 changes: 43 additions & 0 deletions .github/workflows/backport.yml
@@ -0,0 +1,43 @@
name: Backport fixes to stable branch

on:
push:
branches:
- master
issue_comment:
types: [created]

concurrency:
group: backport-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false

permissions:
contents: write
pull-requests: write

jobs:
backport-on-push:
if: github.event_name == 'push'
uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# First, check if the file exists and read its content
if [ -f ".github/workflows/backport.yml" ]; then
  echo "=== File exists. Reading content with line numbers ==="
  cat -n ".github/workflows/backport.yml"
else
  echo "File not found: .github/workflows/backport.yml"
  echo "Available workflow files:"
  ls -la .github/workflows/ || echo "No .github/workflows directory"
fi

Repository: openwisp/openwisp-network-topology

Length of output: 1756


🏁 Script executed:

#!/bin/bash
# Search for all occurrences of the reusable workflow reference
echo "=== Searching for reusable-backport.yml references ==="
rg -n 'reusable-backport.yml' .github/workflows/ || echo "No matches found"

Repository: openwisp/openwisp-network-topology

Length of output: 1756


Pin reusable workflow references to immutable commit SHAs (not @master).

Using mutable refs like @master on lines 21 and 36 weakens supply-chain safety and introduces non-deterministic CI behavior. Pin each reference to a specific commit SHA from the openwisp/openwisp-utils repository.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/backport.yml at line 21, the reusable workflow references
currently use mutable refs (`@master`); replace each occurrence of "uses:
openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master" with the
immutable commit SHA for the matching commit in the openwisp/openwisp-utils repo
(use the exact full 40-char SHA), and update both places where this reusable
workflow is referenced so the workflow is pinned to that specific commit SHA
rather than `@master`.

with:
commit_sha: ${{ github.sha }}
secrets:
app_id: ${{ secrets.OPENWISP_BOT_APP_ID }}
private_key: ${{ secrets.OPENWISP_BOT_PRIVATE_KEY }}

backport-on-comment:
if: >
github.event_name == 'issue_comment' &&
github.event.issue.pull_request &&
github.event.issue.pull_request.merged_at != null &&
github.event.issue.state == 'closed' &&
Comment on lines +29 to +33

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

GitHub Actions issue_comment event payload structure pull_request merged_at field

💡 Result:

For a GitHub Actions workflow triggered by issue_comment, the event payload does not include a full pull request object, so you won’t have github.event.pull_request.merged_at.

What issue_comment payload contains

issue_comment fires for comments on issues or pull requests and its webhook payload is shaped like:

  • action (created / edited / deleted)
  • comment (the comment object)
  • issue (the issue object the comment belongs to)
  • plus repository, sender, etc. (docs.github.com)

How to tell it’s a PR comment

In Actions, PRs are treated as issues, so for PR comments you check:

  • github.event.issue.pull_request (present/truthy only for PRs) (docs.github.com)

Important: github.event.issue.pull_request here is not the PR itself; it’s a small stub/link to PR data (so it won’t have merged_at). (docs.github.com)

How to get merged_at

If you need the merge timestamp, you must fetch PR details separately (or use a different trigger):

  1. Fetch the PR via REST API (typical approach from issue.number):
  • Use the “Get a pull request” endpoint (GET /repos/{owner}/{repo}/pulls/{pull_number}) and read merged_at from the response. (docs.github.com)
  2. Or trigger on pull_request (e.g., types: [closed]) and use the PR payload there (but note GitHub’s Actions docs mention cases where the pull_request payload can be empty, such as some merged PRs / forks). (docs.github.com)


github.event.issue.pull_request.merged_at is unavailable in issue_comment events—this condition will never be satisfied.

The issue_comment event payload includes only a stub/reference object for pull_request (to identify if the comment is on a PR), not the full PR details. The merged_at field is not present in this context, so the backport job will never run.

To fix this, either:

  1. Fetch the PR details via REST API using /repos/{owner}/{repo}/pulls/{pull_number} to check merged_at, or
  2. Switch the trigger to pull_request event with types: [closed] to access the full PR payload.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/backport.yml around lines 29 - 33, the condition using
github.event.issue.pull_request.merged_at in the backport workflow will never be
true for the issue_comment event because that payload only contains a PR stub;
update the job to either (A) keep the issue_comment trigger but call the REST
API GET /repos/{owner}/{repo}/pulls/{pull_number} to retrieve the full PR and
check its merged_at before proceeding (use github.rest.pulls.get and inspect
response.data.merged_at), or (B) change the workflow trigger to the pull_request
event with types: [closed] so the full PR payload (including merged_at) is
available and then use github.event.pull_request.merged_at directly. Ensure you
remove the invalid reference to github.event.issue.pull_request.merged_at and
implement one of these two approaches in the backport job.

contains(fromJSON('["MEMBER", "OWNER"]'), github.event.comment.author_association) &&
startsWith(github.event.comment.body, '/backport')
uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master
with:
pr_number: ${{ github.event.issue.number }}
comment_body: ${{ github.event.comment.body }}
secrets:
app_id: ${{ secrets.OPENWISP_BOT_APP_ID }}
private_key: ${{ secrets.OPENWISP_BOT_PRIVATE_KEY }}
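Review bot: the `concurrency` block near the top of the hunk (`group: backport-${{ github.workflow }}-${{ github.ref }}` with `cancel-in-progress: false`) places every run of this workflow, push-triggered and comment-triggered alike, into one group, because `github.ref` resolves to the default branch for `issue_comment` events just as it does for pushes to `master`. Under GitHub's concurrency rules only one run per group executes and at most one waits; a run that is already pending is cancelled when a further run queues, so a burst of pushes or `/backport` comments can silently drop a backport rather than merely delay it. Keying the group on the unit of work avoids this, for example `group: backport-${{ github.event.issue.number || github.sha }}`. A second, smaller point: the workflow-level `permissions: contents: write` / `pull-requests: write` is inherited by both jobs even though each delegates to the reusable workflow with app credentials (`app_id`, `private_key`); declaring `permissions` per job, at the minimum the reusable workflow actually needs from `GITHUB_TOKEN`, keeps the comment-triggered job from holding write scopes it may never use.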
