Upgrade and secure the backport workflow (#547) (#548)

Signed-off-by: Miki <miki@amazon.com>
opensearch-project · Jul 12, 2023 · bde56e5 · bde56e5
1 parent 5e460c5
commit bde56e5
Showing 1 changed file with 17 additions and 2 deletions.
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
@@ -12,17 +12,32 @@ jobs:
       contents: write
       pull-requests: write
     name: Backport
+    # Only react to merged PRs for security reasons.
+    # See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target.
+    if: >
+      github.event.pull_request.merged
+      && (
+        github.event.action == 'closed'
+        || (
+          github.event.action == 'labeled'
+          && contains(github.event.label.name, 'backport')
+        )
+      )
     steps:
       - name: GitHub App token
         id: github_app_token
         uses: tibdex/github-app-token@v1.5.0
         with:
           app_id: ${{ secrets.APP_ID }}
           private_key: ${{ secrets.APP_PRIVATE_KEY }}
+          # opensearch-trigger-bot installation ID
           installation_id: 22958780
 
       - name: Backport
-        uses: VachaShah/backport@v1.1.4
+        uses: VachaShah/backport@v2.2.0
         with:
           github_token: ${{ steps.github_app_token.outputs.token }}
-          branch_name: backport/backport-${{ github.event.number }}
+          head_template: backport/backport-<%= number %>-to-<%= base %>
+          files_to_skip: "CHANGELOG.md"
+          labels_template: "<%= JSON.stringify([...labels, 'autocut']) %>"
+          failure_labels: "failed backport"