1 files changed, 134 insertions, 0 deletions
diff --git a/infra/libkookie/nixpkgs/.github/workflows/rebase.yml b/infra/libkookie/nixpkgs/.github/workflows/rebase.yml
new file mode 100644
index 000000000000..50d066dd754f
--- /dev/null
+++ b/infra/libkookie/nixpkgs/.github/workflows/rebase.yml
@@ -0,0 +1,134 @@
+on:
+  issue_comment:
+    types:
+      - created
+
+# This action allows people with write access to the repo to rebase a PRs base branch
+# by commenting `/rebase ${branch}` on the PR while avoiding CODEOWNER notifications.
+
+jobs:
+  rebase:
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'NixOS' && github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase')
+    steps:
+      - uses: peter-evans/create-or-update-comment@v1
+        with:
+          comment-id: ${{ github.event.comment.id }}
+          reactions: eyes
+      - uses: scherermichael-oss/action-has-permission@1.0.6
+        id: check-write-access
+        with:
+          required-permission: write
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: check permissions
+        run: |
+          echo "Commenter doesn't have write access to the repo"
+          exit 1
+        if: "! steps.check-write-access.outputs.has-permission"
+      - name: setup
+        run: |
+          curl "https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.issue.number }}" 2>/dev/null >pr.json
+          cat <<EOF >>"$GITHUB_ENV"
+          CAN_MODIFY=$(jq -r '.maintainer_can_modify' pr.json)
+          COMMITS=$(jq -r '.commits' pr.json)
+          CURRENT_BASE=$(jq -r '.base.ref' pr.json)
+          PR_BRANCH=$(jq -r '.head.ref' pr.json)
+          COMMENT_BRANCH=$(echo ${{ github.event.comment.body }} | awk "/^\/rebase / {print \$2}")
+          PULL_REQUEST=${{ github.event.issue.number }}
+          EOF
+          rm pr.json
+      - name: check branch
+        env:
+          PERMANENT_BRANCHES: "haskell-updates|master|nixos|nixpkgs|python-unstable|release|staging"
+          VALID_BRANCHES: "haskell-updates|master|python-unstable|release-20.09|staging|staging-20.09|staging-next"
+        run: |
+          message() {
+            cat <<EOF
+          Can't rebase $PR_BRANCH from $CURRENT_BASE onto $COMMENT_BRANCH (PR:$PULL_REQUEST COMMITS:$COMMITS)
+          EOF
+          }
+          if ! [[ "$COMMENT_BRANCH" =~ ^($VALID_BRANCHES)$ ]]; then
+            cat <<EOF
+          Check that the branch from the comment is valid:
+
+          $(message)
+
+          This action can only rebase onto these branches:
+
+          $VALID_BRANCHES
+
+          \`/rebase \${branch}\` must be at the start of the line
+          EOF
+            exit 1
+          fi
+          if [[ "$COMMENT_BRANCH" == "$CURRENT_BASE" ]]; then
+            cat <<EOF
+          Check that the branch from the comment isn't the current base branch:
+
+          $(message)
+          EOF
+            exit 1
+          fi
+          if [[ "$COMMENT_BRANCH" == "$PR_BRANCH" ]]; then
+            cat <<EOF
+          Check that the branch from the comment isn't the current branch:
+
+          $(message)
+          EOF
+            exit 1
+          fi
+          if [[ "$PR_BRANCH" =~ ^($PERMANENT_BRANCHES) ]]; then
+            cat <<EOF
+          Check that the PR branch isn't a permanent branch:
+
+          $(message)
+          EOF
+            exit 1
+          fi
+          if [[ "$CAN_MODIFY" != "true" ]]; then
+            cat <<EOF
+          Check that maintainers can edit the PR branch:
+
+          $(message)
+          EOF
+            exit 1
+          fi
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: rebase pull request
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config --global user.name "github-actions[bot]"
+          git fetch origin
+          gh pr checkout "$PULL_REQUEST"
+          git rebase \
+            --onto="$(git merge-base origin/"$CURRENT_BASE" origin/"$COMMENT_BRANCH")" \
+            "HEAD~$COMMITS"
+          git push --force
+          curl \
+            -X POST \
+            -H "Accept: application/vnd.github.v3+json" \
+            -H "Authorization: token $GITHUB_TOKEN" \
+            -d "{ \"base\": \"$COMMENT_BRANCH\" }" \
+            "https://api.github.com/repos/${{ github.repository }}/pulls/$PULL_REQUEST"
+          curl \
+            -X PATCH \
+            -H "Accept: application/vnd.github.v3+json" \
+            -H "Authorization: token $GITHUB_TOKEN" \
+            -d '{ "state": "closed" }' \
+            "https://api.github.com/repos/${{ github.repository }}/pulls/$PULL_REQUEST"
+      - uses: peter-evans/create-or-update-comment@v1
+        with:
+          issue-number: ${{ github.event.issue.number }}
+          body: |
+            Rebased, please reopen the pull request to restart CI
+      - uses: peter-evans/create-or-update-comment@v1
+        if: failure()
+        with:
+          issue-number: ${{ github.event.issue.number }}
+          body: |
+            [Failed to rebase](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})