From 2e1b54cce8b4ace2fa4f280f073510f6fb6d1bf1 Mon Sep 17 00:00:00 2001
From: Paul Abel <p.abel@f5.com>
Date: Thu, 17 Apr 2025 16:36:30 +0100
Subject: [PATCH 1/2] cherry pick to chosen branch

---
 .github/workflows/cherry-pick.yml | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/cherry-pick.yml b/.github/workflows/cherry-pick.yml
index 25713b4471..ce0427b323 100644
--- a/.github/workflows/cherry-pick.yml
+++ b/.github/workflows/cherry-pick.yml
@@ -1,9 +1,8 @@
 name: "Cherry-pick dependencies to release branch"
 on:
-  pull_request:
-    branches:
-      - main
-    types: ["closed"]
+  issue_comment:
+    types:
+      - created
 
 permissions:
   contents: read
@@ -15,7 +14,7 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-22.04
     name: Cherry pick into release branch
-    if: ${{ (contains(github.event.pull_request.labels.*.name, 'dependencies') || contains(github.event.pull_request.labels.*.name, 'needs cherry pick')) && github.event.pull_request.merged == true }}
+    if: ${{ github.event.issue.pull_request.merged_at != null }}
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -25,13 +24,21 @@ jobs:
 
       - name: Set release branch variable
         id: branch
+        env:
+          comment_body: ${{ github.event.comment.body }}
         run: |
-          branch=$(git branch -a | egrep '^\s+remotes/origin/release' | awk '{print $1}' | sort -u | tail -n 1)
-          release_branch=$(basename ${branch})
-          echo "branch=${release_branch}" >> $GITHUB_OUTPUT
-          cat $GITHUB_OUTPUT
+          regex="/cherry-pick to (release-[2-9]+\.[0-9]+)"
+          if [[ "${comment_body}" =~ $regex ]]; then
+            branch=${BASH_REMATCH[1]}
+            if git branch -a | egrep '^\s+remotes/origin/release' | grep -q "${branch}"; then
+              echo "branch=${branch}" >> $GITHUB_OUTPUT
+            else
+              echo "branch=" >> $GITHUB_OUTPUT
+            fi
+          fi
 
       - name: Cherry pick into ${{ steps.branch.outputs.branch }}
+        if: ${{ steps.branch.outputs.branch }}
         uses: carloscastrojumo/github-cherry-pick-action@503773289f4a459069c832dc628826685b75b4b3 # v1.0.10
         with:
           branch: ${{ steps.branch.outputs.branch }}

From 2bc57f179411221ac0935f1c77fe92a775764f39 Mon Sep 17 00:00:00 2001
From: Paul Abel <p.abel@f5.com>
Date: Thu, 17 Apr 2025 16:47:32 +0100
Subject: [PATCH 2/2] ensure the commentor is a member of nic or docs

---
 .github/workflows/cherry-pick.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.github/workflows/cherry-pick.yml b/.github/workflows/cherry-pick.yml
index ce0427b323..b99f6d45ad 100644
--- a/.github/workflows/cherry-pick.yml
+++ b/.github/workflows/cherry-pick.yml
@@ -22,6 +22,18 @@ jobs:
           fetch-depth: 0
           token: ${{ secrets.NGINX_PAT }}
 
+      - name: Check if Actor is a Member of one of the teams
+        uses: im-open/is-actor-team-member@v1.2.0
+        with:
+          github-actor: ${{ github.actor }}
+          github-organization: ${{ github.repository_owner}}
+          github-team-slugs: |
+            [
+              "nic",
+              "nginx-docs"
+            ]
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Set release branch variable
         id: branch
         env: