Add backport workflow

.github/workflows/backport.yml

@@ -0,0 +1,34 @@
+name: Backport
+
+on:
+  # NOTE(negz): This is a risky target, but we run this action only when and if
+  # a PR is closed, then filter down to specifically merged PRs. We also don't
+  # invoke any scripts, etc from within the repo. I believe the fact that we'll
+  # be able to review PRs before this runs makes this fairly safe.
+  # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+  pull_request_target:
+    types: [closed]
+  # See also commands.yml for the /backport triggered variant of this workflow.
+
+jobs:
+  # NOTE(negz): I tested many backport GitHub actions before landing on this
+  # one. Many do not support merge commits, or do not support pull requests with
+  # more than one commit. This one does. It also handily links backport PRs with
+  # new PRs, and provides commentary and instructions when it can't backport.
+  # The main gotchas with this action are that it _only_ supports merge commits,
+  # and that PRs _must_ be labelled before they're merged to trigger a backport.
+  open-pr:
+    runs-on: ubuntu-18.04
+    if: github.event.pull_request.merged
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Open Backport PR
+        uses: zeebe-io/[email protected]
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_workspace: ${{ github.workspace }}
+          version: v0.0.4