Extract backport action from dotnet/runtime into arcade

[akoeplinger]

• [ ] This issue is blocking
• [ ] This issue is causing unreasonable pain

In dotnet/runtime we're using a GitHub Action that allows you to comment /backport to <branch> on your PR and the action will open a new PR targetting the respective branch.

@wtgodbe asked me about having the same for aspnetcore and while we can just copy the GH Action files over I feel like this would be a better fit for some common arcade solution.

I can think of two approaches: 1) Extract the action code into a separate repository (this is how GH Actions are usually shared: https://docs.github.com/en/actions/learn-github-actions/finding-and-customizing-actions#using-release-management-for-your-custom-actions) 2) Flow the code into repos via arcade's eng/common

The implementation in dotnet/runtime lives in these two files/folders:

• https://github.com/dotnet/runtime/tree/main/eng/actions/backport
• https://github.com/dotnet/runtime/blob/main/.github/workflows/backport.yml

[riarenas]

Removed the First responder label so this gets triaged, and it also doesn't seem appropriate to be handled in FR.

Currently we are not supposed to be using GitHub Actions, so I don't think it'd be appropriate for Arcade to distribute it. Perhaps it's something that we could add to dotnet/versions?

@markwilkie @tkapin this is what @lukas-lansky brought up today during our sync.

[markwilkie]

Having this be part of eng/common is probably not (yet) warranted given the unsupported nature of gh actions and future changes. However, having the code live in the arcade repo (basically #1) probably seems fine I think.

@mmitche - thoughts on this? Mostly thinking about any security ramifications of using gh actions to backport.

[mmitche]

I'm fine by it. There have been some Action related security issues in the past. However, IIRC when I looked at them before, none would apply in that case. However, we should re-evaluate it before pulling it into arcade. See https://securitylab.github.com/research/github-actions-untrusted-input/

[akoeplinger]

However, having the code live in the arcade repo (basically #1) probably seems fine I think.

Note that we can't put it in dotnet/arcade if we go that route but it needs to be a separate, standalone repo since GH Actions expects an action.yml in the root of the repo.

[markwilkie]

it needs to be a separate, standalone repo since GH Actions expects an action.yml in the root of the repo.

Oh, I see yea.

[markwilkie]

What are the next steps here @akoeplinger ?

[MattGal]

[Async Triage] : I lack context but am commenting as those are the rules. Seems like a good thing to extract from runtime and not FR, to echo previous comments.

[jakubstilec]

[Async Triage]: Created teams chat

[MattGal]

[Async Triage]: commented in chat.

[markwilkie]

Thoughts on next steps @akoeplinger ? This issue is languishing a bit...

[markwilkie]

closing due to diminished interest.