ci: automate backporting process (#6781)

Signed-off-by: knqyf263 <[email protected]>

.github/workflows/backport.yaml

@@ -0,0 +1,38 @@
+name: Automatic Backporting
+
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  backport:
+    name: Backport PR
+    if: |
+      github.event.issue.pull_request &&
+      github.event.issue.pull_request.merged_at != null &&
+      startsWith(github.event.comment.body, '@aqua-bot backport release/') &&
+      (github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER')
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Extract branch name
+        run: |
+          BRANCH_NAME=$(echo ${{ github.event.comment.body }} | grep -oE '@aqua-bot backport\s+(\S+)' | awk '{print $3}')
+          echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
+
+      - name: Set up Git user
+        run: |
+          git config --global user.email "[email protected]"
+          git config --global user.name "GitHub Actions"
+
+      - name: Run backport script
+        run: ./misc/backport/backport.sh ${{ env.BRANCH_NAME }} ${{ github.event.issue.number }}
+        env:
+          # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
+          # This allows the created PR to trigger tests and other workflows
+          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}

docs/community/maintainer/backporting.md

@@ -0,0 +1,59 @@
+# Backporting Process
+
+This document outlines the backporting process for Trivy, including when to create patch releases and how to perform the backporting.
+
+## When to Create Patch Releases
+
+In general, small changes should not be backported and should be included in the next minor release.
+However, patch releases should be made in the following cases:
+
+* Fixes for HIGH or CRITICAL vulnerabilities in Trivy itself or Trivy's dependencies
+* Fixes for bugs that cause panic during Trivy execution or otherwise interfere with normal usage
+
+In these cases, the fixes should be backported using the procedure [described below](#backporting-procedure).
+At the maintainer's discretion, other bug fixes may be included in the patch release containing these hotfixes.
+
+## Versioning
+
+Trivy follows [Semantic Versioning](https://semver.org/), using version numbers in the format MAJOR.MINOR.PATCH.
+When creating a patch release, the PATCH part of the version number is incremented.
+For example, if a fix is being distributed for v0.50.0, the patch release would be v0.50.1.
+
+## Backporting Procedure
+
+1. A release branch (e.g., `release/v0.50`) is automatically created when a new minor version is released.
+1. Create a pull request (PR) against the main branch with the necessary fixes. If the fixes are already merged into the main branch, skip this step.
+1. Once the PR with the fixes is merged, comment `@aqua-bot backport <release-branch>` on the PR (e.g., `@aqua-bot backport release/v0.50`). This will trigger the automated backporting process using GitHub Actions.
+1. The automated process will create a new PR with the backported changes. Ensure that all tests pass for this PR.
+1. Once the tests pass, merge the automatically created PR into the release branch.
+1. Merge [a release PR](release-flow.md) on the release branch and release the patch version.
+
+!!! note
+    Even if a conflict occurs, a PR is created by forceful commit, in which case the conflict should be resolved manually.
+    If you want to re-run a backport of the same PR, close the existing PR, delete the branch and re-run it.
+
+### Example
+To better understand the backporting procedure, let's walk through an example using the releases of v0.50.
+
+```mermaid
+gitGraph:
+  commit id:"Feature 1"
+  commit id:"v0.50.0 release" tag:"v0.50.0"
+
+  branch "release/v0.50"
+  
+  checkout main
+  commit id:"Bugfix 1"
+
+  checkout "release/v0.50"
+  cherry-pick id:"Bugfix 1"
+
+  checkout main
+  commit id:"Feature 2"
+  commit id:"Bugfix 2"
+  commit id:"Feature 3"
+
+  checkout "release/v0.50"
+  cherry-pick id:"Bugfix 2"
+  commit id:"v0.50.1 release" tag:"v0.50.1"
+```

misc/backport/backport.sh

@@ -0,0 +1,71 @@
+#!/bin/bash
+
+set -e
+
+BRANCH_NAME=$1
+PR_NUMBER=$2
+
+echo "Backporting PR #$PR_NUMBER to branch $BRANCH_NAME"
+
+# Get the merge commit hash of the pull request
+echo "Fetching merge commit hash of PR #$PR_NUMBER..."
+COMMIT_HASH=$(gh api /repos/"$GITHUB_REPOSITORY"/pulls/"$PR_NUMBER" | jq -r '.merge_commit_sha')
+echo "Merge commit hash: $COMMIT_HASH"
+
+# Get the title of the original pull request
+echo "Fetching title of PR #$PR_NUMBER..."
+ORIGINAL_PR_TITLE=$(gh api /repos/"$GITHUB_REPOSITORY"/pulls/"$PR_NUMBER" | jq -r '.title')
+echo "Original PR title: $ORIGINAL_PR_TITLE"
+
+# Checkout the base branch
+echo "Checking out base branch: $BRANCH_NAME"
+git checkout "$BRANCH_NAME"
+
+# Create a new branch with the PR number and branch name
+NEW_BRANCH="backport-pr-$PR_NUMBER-to-$BRANCH_NAME"
+
+echo "Creating new branch: $NEW_BRANCH"
+git switch -c "$NEW_BRANCH"
+
+# Create the pull request title
+PR_TITLE="$ORIGINAL_PR_TITLE [backport: $BRANCH_NAME]"
+
+# Create the pull request description
+PR_DESCRIPTION="# Backport
+
+This will backport the following commits from \`main\` to \`$BRANCH_NAME\`:
+ - https://github.com/$GITHUB_REPOSITORY/pull/$PR_NUMBER"
+
+echo "Cherry-picking commit: $COMMIT_HASH"
+if git cherry-pick "$COMMIT_HASH"; then
+  echo "Cherry-pick successful"
+else
+  echo "Cherry-pick failed due to conflicts, force-committing changes"
+
+  # Add only conflicted files
+  git diff --name-only --diff-filter=U | xargs git add
+
+  # Force-commit the changes with conflicts
+  git commit -m "Force-committed changes with conflicts for cherry-pick of $COMMIT_HASH"
+
+  PR_DESCRIPTION="$PR_DESCRIPTION
+
+## ⚠️ Warning
+Conflicts occurred during the cherry-pick and were force-committed without proper resolution. Please carefully review the changes, resolve any remaining conflicts, and ensure the code is in a valid state."
+fi
+
+echo "Pushing new branch to origin: $NEW_BRANCH"
+git push origin "$NEW_BRANCH"
+
+echo "Pull request title: $PR_TITLE"
+
+echo "Pull request description:"
+echo "$PR_DESCRIPTION"
+
+# Create a new pull request with the original PR title, backport suffix, and description
+echo "Creating pull request..."
+gh pr create --base "$BRANCH_NAME" --head "$NEW_BRANCH" --title "$PR_TITLE" --body "$PR_DESCRIPTION" --repo "$GITHUB_REPOSITORY" --label "backport"
+
+# Add a comment to the original PR
+echo "Adding comment to the original PR #$PR_NUMBER"
+gh pr comment "$PR_NUMBER" --body "Backport PR created: https://github.com/$GITHUB_REPOSITORY/pull/$(gh pr view "$NEW_BRANCH" --json number --jq .number)"

misc/triage/labels.yaml

@@ -127,10 +127,15 @@ labels:
   color: 0ebdb0
   description: Issues relating to virtual machine scanning
 
-# others
+# community
 - name: good first issue
   color: 7057ff
   description: Denotes an issue ready for a new contributor, according to the "help wanted" guidelines.
 - name: help wanted
   color: 006b75
   description: Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.
+
+# release
+- name: backport
+  color: A8F7BC
+  description: Backport PRs

mkdocs.yml

@@ -200,6 +200,7 @@ nav:
           - Add Service Support: community/contribute/checks/service-support.md
       - Maintainer:
           - Release Flow: community/maintainer/release-flow.md
+          - Backporting: community/maintainer/backporting.md
           - Help Wanted: community/maintainer/help-wanted.md
           - Triage: community/maintainer/triage.md
 theme: