From: Michał Kępień Date: Thu, 21 May 2026 09:13:30 +0000 (+0200) Subject: Support autorebasing backported security MRs X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=995f5f6864c1a83ea2fddff53a8e58530fc39057;p=thirdparty%2Fbind9.git Support autorebasing backported security MRs Autorebasing a backported security fix enables convenient refreshing of cherry-pick references, which makes it trivial for developers to satisfy Danger rules just before the merge request is merged. Add a manual CI job that is only created for backported merge requests targeting security-* branches. (cherry picked from commit dd723d93cbebff4e10d8837645229fb9497fb197) --- diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 211e9dcf4ee..5e42957f0da 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -2533,7 +2533,7 @@ merged-metadata: - git range-diff --color=always "${BASE_COMMIT}" "${CI_COMMIT_SHA}" HEAD - if ! git push --force-with-lease -o ci.variable="AUTOREBASED=1" origin "HEAD:${CI_COMMIT_REF_NAME}"; then touch .git-push-failed; exit 1; fi after_script: - - if [ "${CI_JOB_STATUS}" = "success" ]; then exit 0; fi + - if [ "${CI_JOB_STATUS}" = "success" ] || [ "${CI_PIPELINE_SOURCE}" = "merge_request_event" ]; then exit 0; fi - | REASON_DETAILS="" if git rebase --abort; then 
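Review bot: The extended guard in `after_script` now exits early for every merge-request pipeline, so a failed run of the manual job skips the `git rebase --abort` step and everything after it, and no comment says this is intended. Because the new job is also `allow_failure: true`, a failed rebase or a rejected `--force-with-lease` push is visible only in the job log. If that is the intent, record it above the line, for example `# MR-triggered autorebase is run manually by the developer; failures are reported in the job log only, not to the team channel.` The rest of `after_script` lies outside this hunk, so what else is skipped cannot be confirmed from here.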
@@ -2565,6 +2565,20 @@ merged-metadata: - | curl -s -o /dev/null -X POST -H content-type:application/json -d '{"channel":"bind-9-team", "text": "'"${MSG}"'" }' "${MATTERMOST_WEBHOOK_URL}" +autorebase-merge-request: + <<: *autorebase + stage: quick-checks + resource_group: null + before_script: + - git fetch --depth="${GIT_DEPTH}" origin "${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}" "${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}" + - export BASE_PROJECT="isc-private/bind9" + - export BASE_COMMIT="$(git rev-parse "origin/${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}")" + - export REWRITE_CHERRY_PICKS_FROM="security-main,security-bind-9.20" + rules: + - if: '$CI_PROJECT_NAMESPACE == "isc-private" && $CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /^security-(bind-9\.[0-9]+)$/' + when: manual + allow_failure: true + autorebase-trigger-security: <<: *autorebase_common rules: diff --git a/dangerfile.py b/dangerfile.py index c4db6a3856c..e6470a3279e 100644 --- a/dangerfile.py +++ b/dangerfile.py @@ -297,6 +297,8 @@ if is_backport: if not is_full_backport: message(msg) else: + if target_branch.startswith("security-"): + msg += ":bulb: Try running the `autorebase-merge-request` job. " msg += ( "Please use `-x` when cherry-picking to include " "the full original commit ID. Alternatively, use the "
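Review bot: The `rules:` entry of `autorebase-merge-request` checks the namespace of the project running the pipeline but not which project the source branch belongs to, while `before_script` fetches `${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}` from `origin` by name. The inherited script then force-pushes to `origin "HEAD:${CI_COMMIT_REF_NAME}"`. If a merge request's source branch lives in another project, the job would presumably either fail on the fetch or act on a same-named branch in `isc-private/bind9`. Adding `&& $CI_MERGE_REQUEST_SOURCE_PROJECT_PATH == $CI_MERGE_REQUEST_PROJECT_PATH` to the `if:` would keep the job, which holds push credentials, limited to branches in the project itself. Separately, the commit message says the job is only created for backported merge requests, but the rule matches any merge request targeting `security-bind-9.N`, so one of the two should be adjusted.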
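Review bot: The new hint is shown whenever `target_branch.startswith("security-")`, but the CI job it points to is only created when the target matches `/^security-(bind-9\.[0-9]+)$/` in the `isc-private` namespace. On any other `security-*` target the message would name a job that is not in the pipeline. Either narrow the condition to the same pattern or tie the two together with a comment such as `# Keep in sync with the rules: of autorebase-merge-request in .gitlab-ci.yml`. The surrounding `if is_backport:` block and the `msg += (` statement start and end outside this hunk.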