[ci] Added backport workflow

[atif09]

Checklist

• I have read the OpenWISP Contributing Guidelines.
• I have manually tested the changes proposed in this pull request.
• I have written new test cases for new code and/or updated existing tests for changes to existing code.
• I have updated the documentation.

Reference to Existing Issue

openwisp/openwisp-utils#501

[coderabbitai]

📝 Walkthrough

Walkthrough

A new GitHub Actions workflow file was added at .github/workflows/backport.yml to automate backporting fixes to stable branches. It triggers on pushes to the default branch and on issue comments that start with /backport for merged PRs by MEMBER/OWNER authors. The workflow defines two jobs (one for push events, one for comment events) that call a reusable backport workflow from an external repository, passing either a commit SHA or PR number plus the comment body and required bot secrets.

Sequence Diagram(s)

sequenceDiagram
    participant GitHub as GitHub (event)
    participant Repo as Repository
    participant Reusable as Reusable Backport Workflow
    participant Runner as Actions Runner

    GitHub->>Repo: push to default branch OR issue_comment (/backport)
    Repo->>Reusable: invoke reusable backport workflow (with commit SHA or PR number + comment)
    Reusable->>Runner: request runner with provided inputs & secrets
    Runner->>Reusable: execute backport steps
    Reusable->>Repo: create backport PR(s) / post status

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description is incomplete. It includes the checklist and issue reference, but lacks a 'Description of Changes' section explaining what was added and why.	Add a 'Description of Changes' section explaining the backport workflow's purpose, triggers, and how it integrates with the project.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change - a new GitHub Actions workflow for backporting fixes to the stable branch.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coveralls]

coverage: 97.426%. remained the same
when pulling 462bdb3 on atif09:feature/backport-workflow
into a5bdb31 on openwisp:master.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/backport.yml:
- Around line 11-13: The concurrency group currently uses github.ref which
equals the default branch for issue_comment events and serializes all
comment-triggered backport jobs; modify the concurrency group expression used in
the concurrency block (the group field) to include a PR-specific key such as
github.event.issue.number when available (falling back to github.ref) so
different PRs can run in parallel while still preventing concurrent runs for the
same PR (e.g., change the group expression to use github.event.issue.number ||
github.ref).
- Line 22: The workflow uses the reusable workflow reference
"openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master" which
should be pinned to a stable tag or commit SHA to avoid breaking changes; update
that "uses:" reference in .github/workflows/backport.yml (and the other
occurrence noted) to a specific tag or commit (e.g., `@v1.0.0` or @<commit-sha>)
and ensure both instances are changed consistently.
- Around line 30-36: The if-condition uses
github.event.issue.pull_request.merged_at which doesn't exist on issue_comment
events so the check always fails; remove the merged_at clause from the
conditional and instead verify merge status by fetching the PR via the GitHub
API before invoking the reusable workflow (e.g., add an actions/github-script
step that calls github.rest.pulls.get with context.repo and context.issue.number
and exits if pr.data.merged is false), or alternatively switch the workflow
trigger to pull_request (action: closed) and use
github.event.pull_request.merged directly; update the existing conditional that
contains github.event.issue.pull_request, github.event.issue.state,
contains(...), and startsWith(...) accordingly.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a5bdb31 and b6eaacd.

📒 Files selected for processing (1)

• .github/workflows/backport.yml

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: Python==3.12 | django~=5.1.0
• GitHub Check: Python==3.11 | django~=4.2.0
• GitHub Check: Python==3.12 | django~=5.2.0
• GitHub Check: Python==3.10 | django~=5.1.0
• GitHub Check: Python==3.13 | django~=5.2.0
• GitHub Check: Python==3.11 | django~=5.1.0
• GitHub Check: Python==3.11 | django~=5.2.0
• GitHub Check: Python==3.10 | django~=4.2.0

[coderabbitai]

♻️ Duplicate comments (2)

.github/workflows/backport.yml (2)

21-21: 🧹 Nitpick | 🔵 Trivial

Pin reusable workflow reference instead of @master.

Using @master for reusable workflow imports can introduce unplanned breakages from upstream changes. Pin to a tag or commit SHA in both references.

Suggested fix

-    uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master
+    uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@<pinned-tag-or-sha>
...
-    uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master
+    uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@<pinned-tag-or-sha>

Also applies to: 36-36

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/backport.yml at line 21, The workflow uses an unpinned
reusable workflow reference ("uses:
openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master");
replace the `@master` ref with a fixed tag or commit SHA (e.g., `@vX.Y.Z` or
@<commit-sha>) so the import is immutable; update both occurrences of the same
"uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master"
line (the one shown and the one reported at the later occurrence) to the chosen
pinned tag/SHA.

---

29-33: ⚠️ Potential issue | 🔴 Critical

issue_comment merge check is invalid and prevents the comment job from running.

On Line 32, github.event.issue.pull_request.merged_at is not present for issue_comment payloads, so this condition fails and backport-on-comment is effectively blocked.

Suggested fix

   backport-on-comment:
     if: >
       github.event_name == 'issue_comment' &&
       github.event.issue.pull_request &&
-      github.event.issue.pull_request.merged_at != null &&
       github.event.issue.state == 'closed' &&
       contains(fromJSON('["MEMBER", "OWNER"]'), github.event.comment.author_association) &&
       startsWith(github.event.comment.body, '/backport')

If you need strict “merged PR only” enforcement, add a pre-check job that fetches the PR via API and gates this job via needs.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/backport.yml around lines 29 - 33, The current job
'backport-on-comment' uses an if condition that references
github.event.issue.pull_request.merged_at which is not present on issue_comment
payloads and therefore blocks the job; remove the merged_at check from the
top-level if (keep github.event_name == 'issue_comment' &&
github.event.issue.pull_request && github.event.issue.state == 'closed') and
implement a small pre-check job (e.g. verify-pr-merged) that fetches the PR via
the GitHub API using the issue.pull_request.url, sets an output like
merged=true/false, then make backport-on-comment depend on
needs.verify-pr-merged and add a runtime guard using
needs.verify-pr-merged.outputs.merged == 'true' so the workflow only runs for
actually merged PRs.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.github/workflows/backport.yml:
- Line 21: The workflow uses an unpinned reusable workflow reference ("uses:
openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master");
replace the `@master` ref with a fixed tag or commit SHA (e.g., `@vX.Y.Z` or
@<commit-sha>) so the import is immutable; update both occurrences of the same
"uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master"
line (the one shown and the one reported at the later occurrence) to the chosen
pinned tag/SHA.
- Around line 29-33: The current job 'backport-on-comment' uses an if condition
that references github.event.issue.pull_request.merged_at which is not present
on issue_comment payloads and therefore blocks the job; remove the merged_at
check from the top-level if (keep github.event_name == 'issue_comment' &&
github.event.issue.pull_request && github.event.issue.state == 'closed') and
implement a small pre-check job (e.g. verify-pr-merged) that fetches the PR via
the GitHub API using the issue.pull_request.url, sets an output like
merged=true/false, then make backport-on-comment depend on
needs.verify-pr-merged and add a runtime guard using
needs.verify-pr-merged.outputs.merged == 'true' so the workflow only runs for
actually merged PRs.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b6eaacd and 462bdb3.

📒 Files selected for processing (1)

• .github/workflows/backport.yml

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)

• GitHub Check: Python==3.13 | django~=5.1.0
• GitHub Check: Python==3.12 | django~=5.2.0
• GitHub Check: Python==3.13 | django~=5.2.0
• GitHub Check: Python==3.11 | django~=4.2.0
• GitHub Check: Python==3.10 | django~=5.2.0
• GitHub Check: Python==3.12 | django~=5.1.0
• GitHub Check: Python==3.12 | django~=4.2.0
• GitHub Check: Python==3.11 | django~=5.2.0
• GitHub Check: Python==3.10 | django~=4.2.0
• GitHub Check: Python==3.10 | django~=5.1.0
• GitHub Check: Python==3.11 | django~=5.1.0