From 1e2db83e493c5ca7001c45903d9274949ca7ee9f Mon Sep 17 00:00:00 2001
From: Teppei Fukuda
Date: Thu, 6 Jun 2024 14:08:55 +0400
Subject: [PATCH] ci: automate backporting process (#6781)

Signed-off-by: knqyf263
---
 .github/workflows/backport.yaml | 38 +++++++++++++
 docs/community/maintainer/backporting.md | 59 ++++++++++++++++++++
 misc/backport/backport.sh | 71 ++++++++++++++++++++++++
 misc/triage/labels.yaml | 7 ++-
 mkdocs.yml | 1 +
 5 files changed, 175 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/backport.yaml
 create mode 100644 docs/community/maintainer/backporting.md
 create mode 100755 misc/backport/backport.sh

diff --git a/.github/workflows/backport.yaml b/.github/workflows/backport.yaml
new file mode 100644
index 000000000000..127b10012429
--- /dev/null
+++ b/.github/workflows/backport.yaml
@@ -0,0 +1,38 @@
+name: Automatic Backporting
+
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  backport:
+    name: Backport PR
+    if: |
+      github.event.issue.pull_request &&
+      github.event.issue.pull_request.merged_at != null &&
+      startsWith(github.event.comment.body, '@aqua-bot backport release/') &&
+      (github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER')
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Extract branch name
+        run: |
+          BRANCH_NAME=$(echo ${{ github.event.comment.body }} | grep -oE '@aqua-bot backport\s+(\S+)' | awk '{print $3}')
+          echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
+
+      - name: Set up Git user
+        run: |
+          git config --global user.email "actions@github.com"
+          git config --global user.name "GitHub Actions"
+
+      - name: Run backport script
+        run: ./misc/backport/backport.sh ${{ env.BRANCH_NAME }} ${{ github.event.issue.number }}
+        env:
+          # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
+          # This allows the created PR to trigger tests and other workflows
+          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
\ No newline at end of file
diff --git a/docs/community/maintainer/backporting.md b/docs/community/maintainer/backporting.md
new file mode 100644
index 000000000000..bc70f26a9836
--- /dev/null
+++ b/docs/community/maintainer/backporting.md
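Review bot: The `Extract branch name` step interpolates `${{ github.event.comment.body }}` directly into the `run:` script, so the comment text is executed by the shell rather than handled as data; the `if:` guard restricts who can trigger the job and what the body must start with, but everything after that prefix is still free text that reaches the shell unquoted and is then appended to `$GITHUB_ENV`, where a multi-line body can define further variables. Pass the body in through an environment variable and quote it, and because the extracted value becomes a git ref and a positional argument to `backport.sh`, validate it against the `release/vX.Y` form that the docs added in this PR describe before exporting it. The `Run backport script` step can then read `"$BRANCH_NAME"` from the environment instead of re-interpolating `${{ env.BRANCH_NAME }}`. A top-level `permissions:` block would also make explicit what the default token may do; the `git push` in `backport.sh` appears to rely on the credential persisted by `actions/checkout`, so `contents: write` is presumably the one permission it needs — confirm.

```yaml
      - name: Extract branch name
        env:
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: |
          BRANCH_NAME=$(echo "$COMMENT_BODY" | grep -oE '@aqua-bot backport\s+(\S+)' | awk '{print $3}')
          if ! [[ "$BRANCH_NAME" =~ ^release/v[0-9]+\.[0-9]+$ ]]; then
            echo "Unexpected branch name: $BRANCH_NAME" >&2
            exit 1
          fi
          echo "BRANCH_NAME=$BRANCH_NAME" >> "$GITHUB_ENV"

      # … unchanged: Set up Git user …

      - name: Run backport script
        run: ./misc/backport/backport.sh "$BRANCH_NAME" "${{ github.event.issue.number }}"
        # … unchanged: env with ORG_REPO_TOKEN …
```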
@@ -0,0 +1,59 @@
+# Backporting Process
+
+This document outlines the backporting process for Trivy, including when to create patch releases and how to perform the backporting.
+
+## When to Create Patch Releases
+
+In general, small changes should not be backported and should be included in the next minor release.
+However, patch releases should be made in the following cases:
+
+* Fixes for HIGH or CRITICAL vulnerabilities in Trivy itself or Trivy's dependencies
+* Fixes for bugs that cause panic during Trivy execution or otherwise interfere with normal usage
+
+In these cases, the fixes should be backported using the procedure [described below](#backporting-procedure).
+At the maintainer's discretion, other bug fixes may be included in the patch release containing these hotfixes.
+
+## Versioning
+
+Trivy follows [Semantic Versioning](https://semver.org/), using version numbers in the format MAJOR.MINOR.PATCH.
+When creating a patch release, the PATCH part of the version number is incremented.
+For example, if a fix is being distributed for v0.50.0, the patch release would be v0.50.1.
+
+## Backporting Procedure
+
+1. A release branch (e.g., `release/v0.50`) is automatically created when a new minor version is released.
+1. Create a pull request (PR) against the main branch with the necessary fixes. If the fixes are already merged into the main branch, skip this step.
+1. Once the PR with the fixes is merged, comment `@aqua-bot backport ` on the PR (e.g., `@aqua-bot backport release/v0.50`). This will trigger the automated backporting process using GitHub Actions.
+1. The automated process will create a new PR with the backported changes. Ensure that all tests pass for this PR.
+1. Once the tests pass, merge the automatically created PR into the release branch.
+1. Merge [a release PR](release-flow.md) on the release branch and release the patch version.
+
+!!! note
+    Even if a conflict occurs, a PR is created by forceful commit, in which case the conflict should be resolved manually.
+    If you want to re-run a backport of the same PR, close the existing PR, delete the branch and re-run it.
+
+### Example
+To better understand the backporting procedure, let's walk through an example using the releases of v0.50.
+
+```mermaid
+gitGraph:
+    commit id:"Feature 1"
+    commit id:"v0.50.0 release" tag:"v0.50.0"
+
+    branch "release/v0.50"
+
+    checkout main
+    commit id:"Bugfix 1"
+
+    checkout "release/v0.50"
+    cherry-pick id:"Bugfix 1"
+
+    checkout main
+    commit id:"Feature 2"
+    commit id:"Bugfix 2"
+    commit id:"Feature 3"
+
+    checkout "release/v0.50"
+    cherry-pick id:"Bugfix 2"
+    commit id:"v0.50.1 release" tag:"v0.50.1"
+```
\ No newline at end of file
diff --git a/misc/backport/backport.sh b/misc/backport/backport.sh
new file mode 100755
index 000000000000..263a27d8b653
--- /dev/null
+++ b/misc/backport/backport.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+set -e
+
+BRANCH_NAME=$1
+PR_NUMBER=$2
+
+echo "Backporting PR #$PR_NUMBER to branch $BRANCH_NAME"
+
+# Get the merge commit hash of the pull request
+echo "Fetching merge commit hash of PR #$PR_NUMBER..."
+COMMIT_HASH=$(gh api /repos/"$GITHUB_REPOSITORY"/pulls/"$PR_NUMBER" | jq -r '.merge_commit_sha')
+echo "Merge commit hash: $COMMIT_HASH"
+
+# Get the title of the original pull request
+echo "Fetching title of PR #$PR_NUMBER..."
+ORIGINAL_PR_TITLE=$(gh api /repos/"$GITHUB_REPOSITORY"/pulls/"$PR_NUMBER" | jq -r '.title')
+echo "Original PR title: $ORIGINAL_PR_TITLE"
+
+# Checkout the base branch
+echo "Checking out base branch: $BRANCH_NAME"
+git checkout "$BRANCH_NAME"
+
+# Create a new branch with the PR number and branch name
+NEW_BRANCH="backport-pr-$PR_NUMBER-to-$BRANCH_NAME"
+
+echo "Creating new branch: $NEW_BRANCH"
+git switch -c "$NEW_BRANCH"
+
+# Create the pull request title
+PR_TITLE="$ORIGINAL_PR_TITLE [backport: $BRANCH_NAME]"
+
+# Create the pull request description
+PR_DESCRIPTION="# Backport
+
+This will backport the following commits from \`main\` to \`$BRANCH_NAME\`:
+ - https://github.com/$GITHUB_REPOSITORY/pull/$PR_NUMBER"
+
+echo "Cherry-picking commit: $COMMIT_HASH"
+if git cherry-pick "$COMMIT_HASH"; then
+  echo "Cherry-pick successful"
+else
+  echo "Cherry-pick failed due to conflicts, force-committing changes"
+
+  # Add only conflicted files
+  git diff --name-only --diff-filter=U | xargs git add
+
+  # Force-commit the changes with conflicts
+  git commit -m "Force-committed changes with conflicts for cherry-pick of $COMMIT_HASH"
+
+  PR_DESCRIPTION="$PR_DESCRIPTION
+
+## ⚠️ Warning
+Conflicts occurred during the cherry-pick and were force-committed without proper resolution. Please carefully review the changes, resolve any remaining conflicts, and ensure the code is in a valid state."
+fi
+
+echo "Pushing new branch to origin: $NEW_BRANCH"
+git push origin "$NEW_BRANCH"
+
+echo "Pull request title: $PR_TITLE"
+
+echo "Pull request description:"
+echo "$PR_DESCRIPTION"
+
+# Create a new pull request with the original PR title, backport suffix, and description
+echo "Creating pull request..."
+gh pr create --base "$BRANCH_NAME" --head "$NEW_BRANCH" --title "$PR_TITLE" --body "$PR_DESCRIPTION" --repo "$GITHUB_REPOSITORY" --label "backport"
+
+# Add a comment to the original PR
+echo "Adding comment to the original PR #$PR_NUMBER"
+gh pr comment "$PR_NUMBER" --body "Backport PR created: https://github.com/$GITHUB_REPOSITORY/pull/$(gh pr view "$NEW_BRANCH" --json number --jq .number)"
\ No newline at end of file
diff --git a/misc/triage/labels.yaml b/misc/triage/labels.yaml
index e2babc4cab12..ef61e1563bf2 100644
--- a/misc/triage/labels.yaml
+++ b/misc/triage/labels.yaml
@@ -127,10 +127,15 @@ labels:
   color: 0ebdb0
   description: Issues relating to virtual machine scanning
 
-# others
+# community
 - name: good first issue
   color: 7057ff
   description: Denotes an issue ready for a new contributor, according to the "help wanted" guidelines.
 - name: help wanted
   color: 006b75
   description: Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.
+
+# release
+- name: backport
+  color: A8F7BC
+  description: Backport PRs
\ No newline at end of file
diff --git a/mkdocs.yml b/mkdocs.yml
index 664924cab59a..92bbbb24ac21 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -200,6 +200,7 @@ nav:
     - Add Service Support: community/contribute/checks/service-support.md
   - Maintainer:
     - Release Flow: community/maintainer/release-flow.md
+    - Backporting: community/maintainer/backporting.md
     - Help Wanted: community/maintainer/help-wanted.md
     - Triage: community/maintainer/triage.md
 theme:
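Review bot: The `else` branch of the `git cherry-pick` check in backport.sh treats every failure as a merge conflict, but the cherry-pick also fails when `COMMIT_HASH` is unusable — `gh api ... | jq -r` yields the string `null` if the API call fails, and `set -e` alone does not catch that because the pipeline's status is `jq`'s — and, if the PR was merged with a merge commit rather than squashed, because cherry-pick refuses a merge commit without `-m` (moot if the repository always squash-merges; confirm). In those cases `git diff --diff-filter=U` prints nothing, `xargs git add` runs with no paths, and the script dies later at `git commit` with a message unrelated to the real cause. Start with `set -euo pipefail`, reject missing or empty `$1`/`$2` up front (the workflow passes them positionally), and only force-commit when there really are unmerged files, exiting non-zero otherwise. The two `gh api` calls for the same PR could also be collapsed into one with `--jq '.merge_commit_sha, .title'`, but that is cosmetic.

```shell
set -euo pipefail

if [ "$#" -ne 2 ] || [ -z "$1" ] || [ -z "$2" ]; then
  echo "usage: $0 <release-branch> <pr-number>" >&2
  exit 1
fi
BRANCH_NAME=$1
PR_NUMBER=$2

# … unchanged: fetch commit hash and title, check out branches, build PR title/description …

echo "Cherry-picking commit: $COMMIT_HASH"
if git cherry-pick "$COMMIT_HASH"; then
  echo "Cherry-pick successful"
else
  CONFLICTED_FILES=$(git diff --name-only --diff-filter=U)
  if [ -z "$CONFLICTED_FILES" ]; then
    echo "Cherry-pick of $COMMIT_HASH failed for a reason other than conflicts; aborting" >&2
    exit 1
  fi
  echo "Cherry-pick failed due to conflicts, force-committing changes"

  # Add only conflicted files
  echo "$CONFLICTED_FILES" | xargs git add

  # … unchanged: force-commit and append the warning to PR_DESCRIPTION …
fi
```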