---
# Derived from
# https://github.com/NixOS/nixpkgs/blob/b05ffc63b7e95fde20433ac6a7b4ef1712695d56/.github/workflows/backport.yml
name: Backport

on:
  pull_request_target:
    types: [closed, labeled]

permissions:
  contents: read
  pull-requests: write

defaults:
  run:
    shell: bash

jobs:
  backport:
    runs-on: ubuntu-24.04

    if: >
      (
        vars.APP_ID &&
        github.event.pull_request.merged == true &&
        (
          github.event.action != 'labeled' ||
          startsWith(github.event.label.name, 'backport: ')
        )
      )

    steps:
      # Use a GitHub App rather than the default token so that GitHub Actions
      # workflows may run on the created pull request.
      - uses: actions/create-github-app-token@v2
        id: app-token
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          permission-contents: write
          permission-pull-requests: write

      - uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          token: ${{ steps.app-token.outputs.token }}

      - uses: korthout/backport-action@v3.4.1
        id: backport
        with:
          github_token: ${{ steps.app-token.outputs.token }}
          label_pattern: "^backport: ([^ ]+)$"
          pull_title: "[${target_branch}] ${pull_title}"
          pull_description: "This is an automated backport of #${pull_number}."

      - name: "Add 'has: port to stable' label"
        if: steps.backport.outputs.created_pull_numbers != ''
        uses: actions/github-script@v8.0.0
        with:
          # Not using the app on purpose to avoid triggering another workflow
          # run after adding this label.
          script: |
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.payload.pull_request.number,
              labels: [ 'has: port to stable' ]
            })