Gitpulse
Merged
Size
S
Change Breakdown
CI/CD90%
Config10%
#28403ci: Add security publish fix workflow for 1.x branch (backport to 1.x)

Security fix sync workflow added for 1.x branch

N8
n8n-assistant
·Apr 13, 2026

A new GitHub Actions workflow automates cherry-picking security fixes from n8n-private to the public 1.x branch, eliminating manual cross-repo propagation.

Security fixes merged into the private repository's 1.x branch will now propagate automatically to the public repository. A new GitHub Actions workflow monitors for merged pull requests on 1.x in the private repo, cherry-picks the commit, and opens a corresponding pull request against the public n8n-io/n8n repository's 1.x branch.

Previously, maintaining security fixes across both branches required manual cherry-picking. The workflow handles branch name generation using a private-1x- timestamp prefix to avoid collisions, configures the GitHub Actions bot identity for commits, and posts failure notifications to the #alerts-security Slack channel when issues arise. This automation reduces the operational burden on maintainers and decreases the risk of security fixes falling out of sync between repositories.

The change applies to the CI/CD infrastructure, specifically the GitHub Actions workflows directory.

View Original GitHub Description

Description

Backport of #27604 to 1.x.

Checklist for the author (@Matsuuu) to go through.

  • Review the backport changes
  • Fix possible conflicts
  • Merge to target branch

After this PR has been merged, it will be picked up in the next patch release for release track.

Original description

Summary

Adds a GitHub Actions workflow (sec-publish-fix-1x.yml) that mirrors the existing sec-publish-fix.yml but targets the 1.x branch. When a PR is merged into 1.x on n8n-private, the workflow cherry-picks the commit and opens a PR against 1.x on the public n8n repo.

Changes from the master variant:

  • Triggers on PRs merged into 1.x instead of master
  • Uses private-1x- branch name prefix to avoid collisions
  • Fetches and targets public-repo/1.x instead of public-repo/master
  • Failure message includes (1.x) for clarity in Slack alerts

Related Linear tickets, Github issues, and Community forum posts

<!-- Link to Linear ticket: https://linear.app/n8n/issue/[TICKET-ID] -->

Review / Merge checklist

  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
  • PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)
© 2026 · via Gitpulse