Support autorebasing backported security MRs

Autorebasing a backported security fix enables convenient refreshing of cherry-pick references, which makes it trivial for developers to satisfy Danger rules just before the merge request is merged. Add a manual CI job that is only created for backported merge requests targeting security-* branches. (cherry picked from commit dd723d93cb)
2026-05-27 12:13:20 -04:00 · 2026-05-21 11:13:30 +02:00 · 2026-05-21 11:13:30 +02:00 · 0b63ecd2bb
commit 0b63ecd2bb
parent ab2aa2f4cc
2 changed files with 17 additions and 1 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -2737,7 +2737,7 @@ merged-metadata:
    - git range-diff --color=always "${BASE_COMMIT}" "${CI_COMMIT_SHA}" HEAD
    - if ! git push --force-with-lease -o ci.variable="AUTOREBASED=1" origin "HEAD:${CI_COMMIT_REF_NAME}"; then touch .git-push-failed; exit 1; fi
  after_script:
-    - if [ "${CI_JOB_STATUS}" = "success" ]; then exit 0; fi
+    - if [ "${CI_JOB_STATUS}" = "success" ] || [ "${CI_PIPELINE_SOURCE}" = "merge_request_event" ]; then exit 0; fi
    - |
      REASON_DETAILS=""
      if git rebase --abort; then
@ -2769,6 +2769,20 @@ merged-metadata:
    - |
      curl -s -o /dev/null -X POST -H content-type:application/json -d '{"channel":"bind-9-team", "text": "'"${MSG}"'" }' "${MATTERMOST_WEBHOOK_URL}"

+autorebase-merge-request:
+  <<: *autorebase
+  stage: quick-checks
+  resource_group: null
+  before_script:
+    - git fetch --depth="${GIT_DEPTH}" origin "${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}" "${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}"
+    - export BASE_PROJECT="isc-private/bind9"
+    - export BASE_COMMIT="$(git rev-parse "origin/${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}")"
+    - export REWRITE_CHERRY_PICKS_FROM="security-main"
+  rules:
+    - if: '$CI_PROJECT_NAMESPACE == "isc-private" && $CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /^security-(bind-9\.[0-9]+)$/'
+      when: manual
+      allow_failure: true
+
 autorebase-trigger-security:
  <<: *autorebase_common
  rules:
--- a/dangerfile.py
+++ b/dangerfile.py
@ -296,6 +296,8 @@ if is_backport:
                if not is_full_backport:
                    message(msg)
                else:
+                    if target_branch.startswith("security-"):
+                        msg += ":bulb: Try running the `autorebase-merge-request` job. "
                    msg += (
                        "Please use `-x` when cherry-picking to include "
                        "the full original commit ID. Alternatively, use the "