.github/workflows/rebase.yml: rebase for multiple branches

- Error if the commenter doesn't have write access or maintainers can't edit the PR branch.

- Close and comment on PR after rebase so that actions are run when it's reopened.
  This doesn't happen currently as we're using the default github token which isn't allowed to trigger other actions.

- Disallow unwanted rebases.
  e.g. invalid branches, redundant rebases or rebasing permanent branches onto permanent branches.

.github/workflows/rebase-staging.yml

@@ -1,60 +0,0 @@
-on:
-  issue_comment:
-    types:
-      - created
-
-# This action allows people with write access to the repo to rebase a PRs base branch from
-# master to staging by commenting `/rebase-staging` on the PR while avoiding CODEOWNER notifications.
-
-jobs:
-  rebase:
-    runs-on: ubuntu-latest
-    if: github.repository_owner == 'NixOS' && github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase-staging')
-    steps:
-      - uses: peter-evans/create-or-update-comment@v1
-        with:
-          comment-id: ${{ github.event.comment.id }}
-          reactions: eyes
-      - uses: scherermichael-oss/action-has-permission@1.0.6
-        id: check-write-access
-        with:
-          required-permission: write
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: check base branch is master
-        if: steps.check-write-access.outputs.has-permission
-        run: |
-          if [ "$(curl https://api.github.com/repos/NixOS/nixpkgs/pulls/${{ github.event.issue.number }} | jq -r '.base.ref')" != "master" ]; then
-            echo "This action only works when the current base branch is master."
-            exit 1
-          fi
-      - uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-        if: steps.check-write-access.outputs.has-permission
-      - name: rebase pull request
-        if: steps.check-write-access.outputs.has-permission
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PULL_REQUEST: ${{ github.event.issue.number }}
-        run: |
-          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --global user.name "github-actions[bot]"
-          git fetch origin
-          gh pr checkout "$PULL_REQUEST"
-          git rebase \
-            --onto="$(git merge-base origin/master origin/staging)" \
-            "HEAD~$(git rev-list --count HEAD ^master)"
-          git push --force
-          curl \
-            -X POST \
-            -H "Accept: application/vnd.github.v3+json" \
-            -H "Authorization: token $GITHUB_TOKEN" \
-            -d '{ "base": "staging" }' \
-            "https://api.github.com/repos/NixOS/nixpkgs/pulls/$PULL_REQUEST"
-      - uses: peter-evans/create-or-update-comment@v1
-        if: ${{ failure() }}
-        with:
-          issue-number: ${{ github.event.issue.number }}
-          body: |
-            [Failed to rebase on `staging`](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }})

.github/workflows/rebase.yml

@@ -0,0 +1,134 @@
+on:
+  issue_comment:
+    types:
+      - created
+
+# This action allows people with write access to the repo to rebase a PRs base branch
+# by commenting `/rebase ${branch}` on the PR while avoiding CODEOWNER notifications.
+
+jobs:
+  rebase:
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'NixOS' && github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase')
+    steps:
+      - uses: peter-evans/create-or-update-comment@v1
+        with:
+          comment-id: ${{ github.event.comment.id }}
+          reactions: eyes
+      - uses: scherermichael-oss/action-has-permission@1.0.6
+        id: check-write-access
+        with:
+          required-permission: write
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: check permissions
+        run: |
+          echo "Commenter doesn't have write access to the repo"
+          exit 1
+        if: "! steps.check-write-access.outputs.has-permission"
+      - name: setup
+        run: |
+          curl "https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.issue.number }}" 2>/dev/null >pr.json
+          cat <<EOF >>"$GITHUB_ENV"
+          CAN_MODIFY=$(jq -r '.maintainer_can_modify' pr.json)
+          COMMITS=$(jq -r '.commits' pr.json)
+          CURRENT_BASE=$(jq -r '.base.ref' pr.json)
+          PR_BRANCH=$(jq -r '.head.ref' pr.json)
+          COMMENT_BRANCH=$(echo ${{ github.event.comment.body }} | awk "/^\/rebase / {print \$2}")
+          PULL_REQUEST=${{ github.event.issue.number }}
+          EOF
+          rm pr.json
+      - name: check branch
+        env:
+          PERMANENT_BRANCHES: "haskell-updates|master|nixos|nixpkgs|python-unstable|release|staging"
+          VALID_BRANCHES: "haskell-updates|master|python-unstable|release-20.09|staging|staging-20.09|staging-next"
+        run: |
+          message() {
+            cat <<EOF
+          Can't rebase $PR_BRANCH from $CURRENT_BASE onto $COMMENT_BRANCH (PR:$PULL_REQUEST COMMITS:$COMMITS)
+          EOF
+          }
+          if ! [[ "$COMMENT_BRANCH" =~ ^($VALID_BRANCHES)$ ]]; then
+            cat <<EOF
+          Check that the branch from the comment is valid:
+
+          $(message)
+
+          This action can only rebase onto these branches:
+
+          $VALID_BRANCHES
+
+          \`/rebase \${branch}\` must be at the start of the line
+          EOF
+            exit 1
+          fi
+          if [[ "$COMMENT_BRANCH" == "$CURRENT_BASE" ]]; then
+            cat <<EOF
+          Check that the branch from the comment isn't the current base branch:
+
+          $(message)
+          EOF
+            exit 1
+          fi
+          if [[ "$COMMENT_BRANCH" == "$PR_BRANCH" ]]; then
+            cat <<EOF
+          Check that the branch from the comment isn't the current branch:
+
+          $(message)
+          EOF
+            exit 1
+          fi
+          if [[ "$PR_BRANCH" =~ ^($PERMANENT_BRANCHES) ]]; then
+            cat <<EOF
+          Check that the PR branch isn't a permanent branch:
+
+          $(message)
+          EOF
+            exit 1
+          fi
+          if [[ "$CAN_MODIFY" != "true" ]]; then
+            cat <<EOF
+          Check that maintainers can edit the PR branch:
+
+          $(message)
+          EOF
+            exit 1
+          fi
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: rebase pull request
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config --global user.name "github-actions[bot]"
+          git fetch origin
+          gh pr checkout "$PULL_REQUEST"
+          git rebase \
+            --onto="$(git merge-base origin/"$CURRENT_BASE" origin/"$COMMENT_BRANCH")" \
+            "HEAD~$COMMITS"
+          git push --force
+          curl \
+            -X POST \
+            -H "Accept: application/vnd.github.v3+json" \
+            -H "Authorization: token $GITHUB_TOKEN" \
+            -d "{ \"base\": \"$COMMENT_BRANCH\" }" \
+            "https://api.github.com/repos/${{ github.repository }}/pulls/$PULL_REQUEST"
+          curl \
+            -X PATCH \
+            -H "Accept: application/vnd.github.v3+json" \
+            -H "Authorization: token $GITHUB_TOKEN" \
+            -d '{ "state": "closed" }' \
+            "https://api.github.com/repos/${{ github.repository }}/pulls/$PULL_REQUEST"
+      - uses: peter-evans/create-or-update-comment@v1
+        with:
+          issue-number: ${{ github.event.issue.number }}
+          body: |
+            Rebased, please reopen the pull request to restart CI
+      - uses: peter-evans/create-or-update-comment@v1
+        if: failure()
+        with:
+          issue-number: ${{ github.event.issue.number }}
+          body: |
+            [Failed to rebase](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})