From bd35e48668e0dc1c9368b9105a2cc0019b0ec532 Mon Sep 17 00:00:00 2001 From: RiskeyL <7a8y@163.com> Date: Wed, 27 May 2026 23:52:56 +0800 Subject: [PATCH 1/2] feat: add automated backporting to release branches --- .backportrc.json | 8 +++++++ .github/BACKPORT.md | 39 ++++++++++++++++++++++++++++++++++ .github/workflows/backport.yml | 13 ++++++++++++ .mintignore | 6 ++++++ 4 files changed, 66 insertions(+) create mode 100644 .backportrc.json create mode 100644 .github/BACKPORT.md create mode 100644 .github/workflows/backport.yml diff --git a/.backportrc.json b/.backportrc.json new file mode 100644 index 000000000..55f9a3215 --- /dev/null +++ b/.backportrc.json @@ -0,0 +1,8 @@ +{ + "branchLabelMapping": { + "^backport-to-(release/.+)$": "$1" + }, + "prTitle": "{commitMessages} (backport to {targetBranch})", + "targetPRLabels": ["backport"], + "autoMerge": false +} diff --git a/.github/BACKPORT.md b/.github/BACKPORT.md new file mode 100644 index 000000000..29d7d7de4 --- /dev/null +++ b/.github/BACKPORT.md @@ -0,0 +1,39 @@ +# Backporting to release branches + +Backports merged `main` changes onto long-term `release/*` branches as PRs. +Config lives in `.backportrc.json` and is shared by both methods below. + +## Immediate (one PR) + +Add a label `backport-to-release/` to the PR (before or after merge), +e.g. `backport-to-release/1.14.x`. On merge, the Backport workflow opens a +backport PR to that branch. Add multiple labels to fan out to several branches. +A clean cherry-pick opens the PR automatically; a conflict instead comments on +the source PR (finish it with the CLI below). + +> The label must exist before you can apply it. When labeling for a new branch +> the first time, create the label (the labels box offers "Create new label"). + +## Batch (many PRs at once) + +One-time local auth: create `~/.backport/config.json` with +`{ "accessToken": "" }`. + +Then gather and select interactively (targets passed at runtime, so any +`release/*` works without editing config): + +```bash +# By query, then arrow-key multi-select the PRs: +npx backport --pr-query "merged:>=2026-05-01 label:backport-pending" \ + --branch release/1.15.0 --branch release/1.14.x +# Or by path / single PR: +npx backport --path en/use-dify --branch release/1.14.x +npx backport --pr 792 --branch release/1.14.x +``` + +## Finishing a conflicting backport + +```bash +npx backport --pr --branch release/ +# resolve the conflict when prompted; the CLI pushes and opens the PR +``` diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml new file mode 100644 index 000000000..858cd8cdd --- /dev/null +++ b/.github/workflows/backport.yml @@ -0,0 +1,13 @@ +name: Backport merged PR +on: + pull_request_target: + types: [labeled, closed] +jobs: + backport: + if: github.event.pull_request.merged == true + runs-on: depot-ubuntu-24.04 + steps: + - uses: sorenlouv/backport-github-action@v12 + with: + github_token: ${{ secrets.BACKPORT_TOKEN }} + auto_backport_label_prefix: backport-to- diff --git a/.mintignore b/.mintignore index d5aeab16a..2017ebd57 100644 --- a/.mintignore +++ b/.mintignore @@ -13,3 +13,9 @@ # Non-public utility files under public asset directories /assets/migrate_weaviate_collections.py /logo/convertor.html + +# Internal contributor runbooks +/.github/BACKPORT.md + +# Backport tooling config +/.backportrc.json From 364b3c4ec4ea276c4c542d231149902da4919136 Mon Sep 17 00:00:00 2001 From: RiskeyL <7a8y@163.com> Date: Thu, 28 May 2026 00:00:44 +0800 Subject: [PATCH 2/2] fix: scope backport workflow token to least privilege --- .github/workflows/backport.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index 858cd8cdd..43749ff81 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -2,6 +2,9 @@ name: Backport merged PR on: pull_request_target: types: [labeled, closed] +permissions: + contents: read + pull-requests: read jobs: backport: if: github.event.pull_request.merged == true