ci: Automatically backport labeled PRs to stable branches

Add a new GHA workflow that can automatically create a new PR to
backport a PR with the "backport release-5.2.x.x" label (for example) to
the stable release-5.2.x.x branch. The backport should be triggered when
the original PR is merged.

According to https://github.com/NixOS/nixpkgs/pull/360260, we will need
to create a GitHub App bot account to get other GHA workflows (e.g.
pre-commit hooks, clang/gcc build) to run on the backport PRs. Packit
workflows probably do not need this.

.github/workflows/backport.yml

@@ -0,0 +1,34 @@
+# Based on https://github.com/NixOS/nixpkgs/blob/master/.github/workflows/backport.yml
+
+name: Backport merged pull requests
+on:
+  pull_request_target:
+    types: [closed, labeled]
+
+permissions: {}
+
+jobs:
+  backport:
+    name: Backport pull request
+    if: github.repository_owner == 'rpm-software-management' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
+    runs-on: ubuntu-latest
+    steps:
+      # Use a GitHub App to create the PR so that CI gets triggered
+      # The App is scoped to Repository > Contents and Pull Requests: write
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.RSM_CI_APP_ID }}
+          private-key: ${{ secrets.RSM_CI_APP_PRIVATE_KEY }}
+
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Create backport PRs
+        uses: korthout/backport-action@v3
+        with:
+          # Config README: https://github.com/korthout/backport-action#backport-action
+          add_author_as_assignee: true
+          github_token: ${{ steps.app-token.outputs.token }}