Security fix syncing extended to 1.x branch
A new automation workflow mirrors security patches from the private repository into the public 1.x release branch, ensuring older stable versions stay protected.
Security patches committed to the private repository were reaching the master branch automatically, but the 1.x stable release line had no such protection. A new GitHub Actions workflow closes this gap by watching for merged PRs on the private 1.x branch, cherry-picking those commits, and opening corresponding pull requests against the public repository's 1.x branch. The automation uses a GitHub App token for authentication across both repositories and alerts the security team via Slack if anything fails during the sync process.
Summary
Adds a GitHub Actions workflow (sec-publish-fix-1x.yml) that mirrors the existing sec-publish-fix.yml but targets the 1.x branch. When a PR is merged into 1.x on n8n-private, the workflow cherry-picks the commit and opens a PR against 1.x on the public n8n repo.
Changes from the master variant:
- Triggers on PRs merged into 1.x instead of master
- Uses private-1x- branch name prefix to avoid collisions
- Fetches and targets public-repo/1.x instead of public-repo/master
- Failure message includes (1.x) for clarity in Slack alerts
Related Linear tickets, Github issues, and Community forum posts
Review / Merge checklist
- PR title and summary are descriptive. (conventions)
- Docs updated or follow-up ticket created.
- Tests included.
- PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)
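
The cherry-pick step described above, as an added shell sketch that is not taken from sec-publish-fix-1x.yml: it branches from the public 1.x tip, picks only the merged commit, and pushes nothing if the pick fails. The public-repo remote, the 1.x branch and the private-1x- prefix come from the description; the short-SHA branch suffix, the function names and the demo repositories are assumptions.

```bash
#!/usr/bin/env bash
# Added sketch, not n8n's workflow. "public-repo", 1.x and the private-1x-
# prefix come from the PR description; the short-SHA suffix is an assumption.

# port_fix <private-clone> <merged-sha>: prints the pushed branch name, or
# returns 1 (nothing pushed) so the caller can raise the failure alert.
port_fix() {
  local repo="$1" sha="$2" branch mainline=""
  branch="private-1x-$(git -C "$repo" rev-parse --short "$sha")" || return 1
  git -C "$repo" fetch -q public-repo \
    '+refs/heads/1.x:refs/remotes/public-repo/1.x' || return 1
  # Branch from the public tip so private-only history never leaves the clone.
  git -C "$repo" checkout -q --no-track -b "$branch" public-repo/1.x || return 1
  # A merge commit has a second parent and must be picked relative to parent 1.
  if git -C "$repo" rev-parse -q --verify "$sha^2" >/dev/null; then
    mainline="-m 1"
  fi
  if ! git -C "$repo" cherry-pick $mainline "$sha" >/dev/null 2>&1; then
    git -C "$repo" cherry-pick --abort 2>/dev/null
    return 1
  fi
  git -C "$repo" push -q public-repo "$branch" || return 1
  echo "$branch"
}

# Constructed sample data: a bare "public" repo and a private clone whose 1.x
# holds one private-only commit followed by the fix. Prints the clone path.
make_demo_repos() {
  local root p
  root=$(mktemp -d) && p="$root/private" || return 1
  git init -q --bare "$root/public.git" && git init -q "$p" || return 1
  git -C "$p" symbolic-ref HEAD refs/heads/1.x
  git -C "$p" config user.name demo
  git -C "$p" config user.email demo@example.invalid
  git -C "$p" remote add public-repo "$root/public.git"
  echo v1 > "$p/app.txt"
  git -C "$p" add app.txt && git -C "$p" commit -qm 'public base'
  git -C "$p" push -q public-repo 1.x
  echo internal > "$p/internal.txt"
  git -C "$p" add internal.txt && git -C "$p" commit -qm 'private-only change'
  echo v1-fixed > "$p/app.txt"
  git -C "$p" commit -qam 'fix: constructed security patch'
  echo "$p"
}
```

Branching from public-repo/1.x rather than from the private branch is what keeps the unrelated private-only commit out of the public pull request.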