[ci] Added automated backport workflow

[atif09]

Checklist

• I have read the OpenWISP Contributing Guidelines.
• I have manually tested the changes proposed in this pull request.
• I have written new test cases for new code and/or updated existing tests for changes to existing code.
• I have updated the documentation.

Reference to Existing Issue

openwisp/openwisp-utils#501

[coderabbitai]

📝 Walkthrough

Walkthrough

A new GitHub Actions workflow is added to automate backporting fixes to a stable branch. The workflow contains two jobs triggered by different events: one activates on push events to master/main branches, while the other responds to comments starting with "/backport" on closed pull requests. Both jobs execute the same reusable backport workflow from openwisp/openwisp-utils, passing relevant inputs such as commit SHA or pull request number, and supplying required authentication credentials through app ID and private key secrets.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The pull request description is incomplete. It includes the checklist and issue reference but lacks a 'Description of Changes' section explaining the workflow's purpose and functionality.	Add a detailed 'Description of Changes' section explaining what the backport workflow does, how it works, and why it was added.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title '[ci] Added automated backport workflow' clearly and concisely describes the main change: introduction of a CI workflow for automated backporting.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/backport.yml:
- Around line 11-13: The concurrency group is too coarse and causes unrelated
comment-triggered backport runs to collide; update the concurrency.group value
(the existing "group: backport-${{ github.workflow }}-${{ github.ref }}" entry)
to include the PR identifier for comment events or the commit sha for push
events by using a GitHub Actions expression that selects
github.event.issue.number (or github.event.pull_request.number) when
github.event_name == 'issue_comment' and falls back to github.sha for other
events so each comment-run for a specific PR gets a distinct concurrency key.
- Around line 33-34: Remove the redundant `github.event.issue.state == 'closed'`
condition from the workflow `if` expression and rely solely on
`github.event.issue.pull_request.merged_at != null`; update the `if` clause so
it no longer includes `github.event.issue.state` (keep the
`github.event.issue.pull_request.merged_at != null` check intact) to simplify
the logic in the backport workflow.
- Line 22: Pin the referenced reusable workflow to an immutable commit SHA:
replace the branch reference in the "uses:
openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master" lines
(used by jobs backport-on-push and backport-on-comment) with the full-length
commit SHA of the intended revision; update both occurrences and optionally add
Dependabot config for github-actions to keep the SHA current.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3ffe032 and 3882e63.

📒 Files selected for processing (1)

• .github/workflows/backport.yml

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)

• GitHub Check: Python==3.11 | django~=5.1.0
• GitHub Check: Python==3.12 | django~=5.1.0
• GitHub Check: Python==3.13 | django~=5.2.0
• GitHub Check: Python==3.12 | django~=5.2.0
• GitHub Check: Python==3.12 | django~=5.0.0
• GitHub Check: Python==3.10 | django~=4.2.0
• GitHub Check: Python==3.10 | django~=5.0.0
• GitHub Check: Python==3.13 | django~=5.1.0
• GitHub Check: Python==3.11 | django~=5.2.0
• GitHub Check: Python==3.11 | django~=4.2.0
• GitHub Check: Python==3.12 | django~=4.2.0
• GitHub Check: Python==3.10 | django~=5.1.0
• GitHub Check: Python==3.11 | django~=5.0.0
• GitHub Check: Python==3.10 | django~=5.2.0

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Concurrency key doesn't distinguish between comment-triggered runs for different PRs.

issue_comment events run in the context of the default branch, meaning github.ref always resolves to e.g. refs/heads/master regardless of which PR received the comment. With the current key, all comment-triggered backport runs — even those for completely unrelated PRs — share a single concurrency slot and queue behind one another. Additionally, a push event and a comment event on master would also collide into the same group.

Include the PR number (for comment events) or github.sha (for push events) to produce distinct concurrency groups per operation:

♻️ Suggested fix

 concurrency:
-  group: backport-${{ github.workflow }}-${{ github.ref }}
+  group: >-
+    backport-${{ github.workflow }}-
+    ${{ github.event_name == 'issue_comment'
+        && github.event.issue.number
+        || github.sha }}
   cancel-in-progress: false

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	concurrency:
	group: backport-${{ github.workflow }}-${{ github.ref }}
	cancel-in-progress: false
	concurrency:
	group: >-
	backport-${{ github.workflow }}-
	${{ github.event_name == 'issue_comment'
	&& github.event.issue.number
	|| github.sha }}
	cancel-in-progress: false

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/backport.yml around lines 11 - 13, The concurrency group
is too coarse and causes unrelated comment-triggered backport runs to collide;
update the concurrency.group value (the existing "group: backport-${{
github.workflow }}-${{ github.ref }}" entry) to include the PR identifier for
comment events or the commit sha for push events by using a GitHub Actions
expression that selects github.event.issue.number (or
github.event.pull_request.number) when github.event_name == 'issue_comment' and
falls back to github.sha for other events so each comment-run for a specific PR
gets a distinct concurrency key.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

head -40 .github/workflows/backport.yml | cat -n

Repository: openwisp/django-loci

Length of output: 1510

---

Pin the reusable workflow to a commit SHA instead of @master.

Pinning an action to a full-length commit SHA is the only way to use an action as an immutable release. Using @master means any future change (or compromise) to openwisp/openwisp-utils is immediately picked up by this workflow, which runs with contents: write + pull-requests: write permissions and access to OPENWISP_BOT_PRIVATE_KEY. Pin actions to a full-length commit SHA-1 hash instead of branch references to prevent code changes by a malicious actor.

This applies to both line 22 (backport-on-push job) and line 37 (backport-on-comment job).

Example fix

-    uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master
+    uses: openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@<FULL_COMMIT_SHA>

Consider adding Dependabot configuration for github-actions to keep the pinned SHA up-to-date automatically.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/backport.yml at line 22, Pin the referenced reusable
workflow to an immutable commit SHA: replace the branch reference in the "uses:
openwisp/openwisp-utils/.github/workflows/reusable-backport.yml@master" lines
(used by jobs backport-on-push and backport-on-comment) with the full-length
commit SHA of the intended revision; update both occurrences and optionally add
Dependabot config for github-actions to keep the SHA current.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

state == 'closed' is redundant given merged_at != null.

A merged PR (merged_at != null) is always in the closed state, so line 34 provides no additional filtering. It can be removed without changing behavior.

♻️ Suggested cleanup

       github.event.issue.pull_request &&
       github.event.issue.pull_request.merged_at != null &&
-      github.event.issue.state == 'closed' &&
       contains(fromJSON('["MEMBER", "OWNER"]'), github.event.comment.author_association) &&

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/backport.yml around lines 33 - 34, Remove the redundant
`github.event.issue.state == 'closed'` condition from the workflow `if`
expression and rely solely on `github.event.issue.pull_request.merged_at !=
null`; update the `if` clause so it no longer includes
`github.event.issue.state` (keep the `github.event.issue.pull_request.merged_at
!= null` check intact) to simplify the logic in the backport workflow.

[coveralls]

coverage: 99.824%. remained the same
when pulling 3882e63 on atif09:feature/backport-workflow
into 3ffe032 on openwisp:master.