.github: workflows: add workflows for automatic rebase

The "build-and-publish-rebased.yml" workflow has to be triggered via
"workflow_run" event and not on the "create" or "push" events, because
the "create" and "push" events seems to expect the
"build-and-publish-rebased.yml" be present on the branch that is being
created or on the branch the commits are being pushed on.

The condition on the "github.event.workflow_run.conclusion" is needed
so the workflow will not try to build the component from the branch
"tb-dev-rebased" after the "rebase.yml" fails. If the "rebase.yml"
fails it is almost certain the "tb-dev-rebased" either will not exist
or will contain commmits we do not want to build from. So this condition
will prevent surplus fails.

---

Regarding the "rebase.yml".

We cannot simply rebase commits from TrenchBoot/grub on top of the
commits in the QubesOS/qubes-grub2, because:

1. The actual history for grub component is held in patches in the
   QubesOS/qubes-grub2 repository, so we need to do a convertion from
   patches to commits every time we want to try to rebase.
2. We want to track the changes to the other files from the
   QubesOS/qubes-grub2 except the patches for the grub component, as
   versions of these files might be closesly related to the changes in
   the patches for the grub component.

Other changes that should be done due to history format difference
between the QubesOS/qubes-grub2 and TrenchBoot/grub should will be resolved
by TrenchBoot the follwoing commit when the actual rebase happen:

2f477ee

Signed-off-by: Danil Klimuk <daniil.klimuk@3mdeb.com>

Author: DaniilKl

.github/workflows/build-and-publish-rebased.yml

@@ -0,0 +1,46 @@
+name: Build the last successful automatic rebase of tb-dev branch
+
+on:
+  workflow_dispatch:
+  workflow_run:                                                                                      
+    workflows:                                                                                       
+      - 'Rebase on top of QubesOS main and build RPMs'                                               
+    types:                                                                                           
+      - completed 
+
+jobs:
+  get-version:
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.conclusion == 'success'
+    outputs:
+      version: ${{ steps.read-version.outputs.version }}
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          ref: 'aem-next-rebased'
+      - name: Read version of the QubesOS Component from version file
+        id: read-version
+        run: echo "version=$(cat version)" >> $GITHUB_OUTPUT
+  qubes-dom0-package:
+    uses: TrenchBoot/.github/.github/workflows/qubes-dom0-packagev2.yml@master
+    with:
+      qubes-component: 'grub2'
+      qubes-component-branch: 'tb-dev-rebased'
+      qubes-pkg-src-dir: '.'
+      qubes-pkg-version: ${{ needs.get-version.outputs.version }}
+  trigger-gitea-cicd:
+    needs: qubes-dom0-package
+    uses: TrenchBoot/.github/.github/workflows/trigger-woodpecker-pipeline.yml@master
+    secrets:
+      woodpecker-token: ${{ secrets.WOODPECKER_TOKEN }}
+    with:
+      api-url:  'https://ci.3mdeb.com'
+      owner:    'zarhus'
+      repo:     'trenchboot-release-cicd-pipeline'
+      ref:      'sign-and-publish-rc-rpms'
+      inputs: >-
+        --input GITHUB_REPO=grub
+        --input GITHUB_SHA=${{ github.sha }}
+        --input GITHUB_RUN_ID=${{ github.run_id }}
+        --input QUBES_COMPONENT=grub2
+        --input WORKFLOW=sign-and-publish-test-rpms

.github/workflows/rebase.yml

@@ -0,0 +1,101 @@
+name: Rebase on top of QubesOS main and build RPMs
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * 6'
+
+jobs:
+  prep-rebase:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout qubes-grub2
+        uses: actions/checkout@v6
+        with:
+          repository: QubesOS/qubes-grub2
+          path: qubes-grub2
+
+      - name: Checkout downstream grub repository
+        uses: actions/checkout@v6
+        with:
+          repository: TrenchBoot/grub
+          token: ${{ secrets.TRENCHBOOT_REBASE_TOKEN }}
+          path: grub
+
+      - name: Read upstream version from qubes-grub2
+        id: version
+        run: echo "version=$(tr -d '[:space:]' < qubes-grub2/version)" >> "$GITHUB_OUTPUT"
+
+      - name: Add upstream remote and fetch version tag
+        working-directory: grub
+        env:
+          UPSTREAM_TAG: grub-${{ steps.version.outputs.version }}
+        run: |
+          git remote add upstream https://git.savannah.gnu.org/git/grub.git
+          git fetch upstream "refs/tags/${UPSTREAM_TAG}:refs/tags/${UPSTREAM_TAG}"
+      - name: Remove unused Source1 sig declaration from grub2 spec
+        run: sed -i '/^Source1:[[:space:]]*.*\.sig/d' qubes-grub2/grub2.spec.in
+      - name: Apply qubes-grub2 patches on top of upstream tag
+        working-directory: grub
+        env:
+          UPSTREAM_TAG: grub-${{ steps.version.outputs.version }}
+        run: |
+          git config user.name 'github-actions[bot]'
+          git config user.email 'github-actions[bot]@users.noreply.github.com'
+          git checkout -b qubes-grub2-with-patches-rebase-prep "$UPSTREAM_TAG"
+          SPEC="../qubes-grub2/grub2.spec.in"
+          mapfile -t PATCHES < <(grep -E '^Patch[0-9]+:' "$SPEC" | awk '{print $2}')
+          for patch_file in "${PATCHES[@]}"; do
+            git am "../qubes-grub2/${patch_file}"
+            escaped=$(printf '%s' "$patch_file" | sed 's/\./\\./g')
+            sed -i "/^Patch[0-9]*:[[:space:]]*${escaped}[[:space:]]*$/d" "$SPEC"
+            rm -f "../qubes-grub2/${patch_file}"
+          done
+      - name: Copy QubesOS RPM files to downstream repository
+        run: |
+          cp -r qubes-grub2/* grub/
+          cd grub
+          git add -A
+          git commit -m "QubesOS RPM files and Qubes builder metadata"
+      - name: Push qubes-grub2-with-patches branch to downstream
+        working-directory: grub
+        run: |
+          git push origin qubes-grub2-with-patches-rebase-prep || \
+          echo "Cannot prepare for automatic rebase!" >&2
+  try-rebase:
+    needs: prep-rebase
+    uses: TrenchBoot/.github/.github/workflows/rebase.yml@master
+    secrets:
+      first-remote-token: ${{secrets.TRENCHBOOT_REBASE_TOKEN}}
+    permissions:
+      # For creation/deletion/pushing to branches and creating PRs
+      contents: write
+    with:
+      downstream-repo: 'https://github.com/TrenchBoot/grub.git'
+      downstream-branch: 'tb-dev'
+      upstream-repo: 'https://github.com/TrenchBoot/grub.git'
+      upstream-branch: 'qubes-grub2-with-patches-rebase-prep'
+      commit-user-name: 'github-actions[bot]'
+      commit-user-email: 'github-actions[bot]@users.noreply.github.com'
+      cicd-trigger-resume: '7. Rerun the workflow https://github.com/TrenchBoot/grub/actions/runs/${{ github.run_id }} to resume automated rebase.'
+  cleanup-on-rebase-failure:
+    needs: try-rebase
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout downstream grub repository
+        uses: actions/checkout@v6
+        with:
+          repository: TrenchBoot/grub
+          token: ${{ secrets.TRENCHBOOT_REBASE_TOKEN }}
+          path: grub
+      - name: Delete qubes-grub2-with-patches branch from downstream
+        working-directory: grub
+        env:
+          TOKEN: ${{ secrets.TRENCHBOOT_REBASE_TOKEN }}
+        run: |
+          git push "https://${TOKEN}@github.com/TrenchBoot/grub.git" \
+            --delete qubes-grub2-with-patches-rebase-prep