.github: workflows: add workflows for automatic rebase

DaniilKl · DaniilKl · commit f69ced86bdff · 2026-04-27T10:56:18.000+02:00
Regarding the "rebase.yml". We cannot simply rebase commits from TrenchBoot/grub on top of the commits in the QubesOS/qubes-grub2, because: 1. The actual history for the grub component is held in patches in the QubesOS/qubes-grub2 repository, so we need to do a conversion from patches to commits every time we want to try to rebase. 2. We want to track the changes to the other files from the QubesOS/qubes-grub2, except for the patches for the grub component, as versions of these files might be closely related to the changes in the patches for the grub component. Other changes that should be made due to the history format difference between the QubesOS/qubes-grub2 and TrenchBoot/grub should will be resolved by the follwoing commit when the actual rebase happens: 2f477ee Signed-off-by: Danil Klimuk <daniil.klimuk@3mdeb.com>
diff --git a/.github/workflows/rebase-build-and-publish-rebased.yml b/.github/workflows/rebase-build-and-publish-rebased.yml
@@ -0,0 +1,152 @@
+name: Build the last successful automatic rebase of tb-dev branch
+
+on:
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: >
+          Set this input to do a dry run without building the packages to test
+          the rebase.
+        required: false
+        type: boolean
+        default: false
+  schedule:
+    - cron: '0 0 * * 6'
+
+concurrency:
+  group: automatic-rebase
+
+jobs:
+  prep-rebase:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout qubes-grub2
+        uses: actions/checkout@v6
+        with:
+          repository: QubesOS/qubes-grub2
+          path: qubes-grub2
+      - name: Checkout downstream grub repository
+        uses: actions/checkout@v6
+        with:
+          repository: TrenchBoot/grub
+          token: ${{ secrets.TRENCHBOOT_REBASE_TOKEN }}
+          path: grub
+      - name: Read upstream version from qubes-grub2
+        id: version
+        working-directory: qubes-grub2
+        run: echo "version=$(cat version)" >> "$GITHUB_OUTPUT"
+      - name: Add upstream remote and fetch version tag
+        working-directory: grub
+        env:
+          UPSTREAM_TAG: grub-${{ steps.version.outputs.version }}
+        run: |
+          git remote add upstream https://gitlab.freedesktop.org/gnu-grub/grub.git
+          git fetch upstream "refs/tags/${UPSTREAM_TAG}:refs/tags/${UPSTREAM_TAG}"
+      - name: Apply qubes-grub2 patches on top of upstream tag
+        working-directory: grub
+        env:
+          UPSTREAM_TAG: grub-${{ steps.version.outputs.version }}
+        run: |
+          git checkout -b qubes-grub2-with-patches-rebase-prep "$UPSTREAM_TAG"
+          SPEC="../qubes-grub2/grub2.spec.in"
+          mapfile -t PATCHES < <(grep -E '^Patch[0-9]+:' "$SPEC" | awk '{print $2}')
+          for patch_file in "${PATCHES[@]}"; do
+            git apply "../qubes-grub2/${patch_file}"
+            escaped=$(printf '%s' "$patch_file" | sed 's/\./\\./g')
+            sed -i "/^Patch[0-9]*:[[:space:]]*${escaped}[[:space:]]*$/d" "$SPEC"
+            rm -f "../qubes-grub2/${patch_file}"
+          done
+      - name: Copy QubesOS RPM files to downstream repository
+        run: |
+          cp -r qubes-grub2/* grub/
+          cd grub
+          git add -A
+          GIT_AUTHOR_NAME="github-actions[bot]" \
+          GIT_AUTHOR_EMAIL="github-actions[bot]@users.noreply.github.com" \
+          GIT_AUTHOR_DATE="2024-01-01T00:00:00" \
+          GIT_COMMITTER_NAME="github-actions[bot]" \
+          GIT_COMMITTER_EMAIL="github-actions[bot]@users.noreply.github.com" \
+          GIT_COMMITTER_DATE="2024-01-01T00:00:00" \
+          git commit --no-gpg-sign -m "QubesOS patches, QubesOS RPM files and Qubes builder metadata"
+      - name: Push qubes-grub2-with-patches branch to downstream
+        working-directory: grub
+        run: git push origin qubes-grub2-with-patches-rebase-prep
+  try-rebase:
+    needs: prep-rebase
+    uses: TrenchBoot/.github/.github/workflows/rebase.yml@v1
+    secrets:
+      first-remote-token: ${{secrets.TRENCHBOOT_REBASE_TOKEN}}
+    permissions:
+      # For creation/deletion/pushing to branches and creating PRs
+      contents: write
+    with:
+      downstream-repo: 'https://github.com/TrenchBoot/grub.git'
+      downstream-branch: 'tb-dev'
+      upstream-repo: 'https://github.com/TrenchBoot/grub.git'
+      upstream-branch: 'qubes-grub2-with-patches-rebase-prep'
+      commit-user-name: 'github-actions[bot]'
+      commit-user-email: 'github-actions[bot]@users.noreply.github.com'
+      cicd-trigger-resume: '7. Rerun the workflow https://github.com/TrenchBoot/grub/actions/runs/${{ github.run_id }} to resume automated rebase.'
+  cleanup-after-rebase-attempt:
+    needs: try-rebase
+    if: always()
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout downstream grub repository
+        uses: actions/checkout@v6
+        with:
+          repository: TrenchBoot/grub
+          token: ${{ secrets.TRENCHBOOT_REBASE_TOKEN }}
+          path: grub
+      - name: Delete qubes-grub2-with-patches branch from downstream
+        working-directory: grub
+        env:
+          TOKEN: ${{ secrets.TRENCHBOOT_REBASE_TOKEN }}
+        run: |
+          git push "https://${TOKEN}@github.com/TrenchBoot/grub.git" \
+            --delete qubes-grub2-with-patches-rebase-prep
+  get-version:
+    runs-on: ubuntu-latest
+    needs: try-rebase
+    if: ${{ needs.try-rebase.outputs.rebase-exit-code == '0' && inputs.dry_run != 'true' }}
+    outputs:
+      version: ${{ steps.read-version.outputs.version }}
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          ref: 'tb-dev-rebased'
+      - name: Read version of the QubesOS Component from version file
+        id: read-version
+        # The tb-dev-rebased should already have the version file either created
+        # in the prep-rebase or try-rebase jobs (it will be probably created by
+        # the prep-rebase as this file is a part of QubesOS repository) on which
+        # it depennds:
+        run: echo "version=$(cat version)" >> "$GITHUB_OUTPUT"
+  qubes-dom0-package:
+    needs: get-version
+    uses: TrenchBoot/.github/.github/workflows/qubes-dom0-packagev2.yml@v1
+    with:
+      qubes-component: 'grub2'
+      qubes-component-branch: 'tb-dev-rebased'
+      qubes-pkg-src-dir: '.'
+      qubes-pkg-version: ${{ needs.get-version.outputs.version }}
+  trigger-woodpecker-cicd:
+    needs: qubes-dom0-package
+    uses: TrenchBoot/.github/.github/workflows/trigger-woodpecker-pipeline.yml@v1
+    secrets:
+      woodpecker-token: ${{ secrets.WOODPECKER_TOKEN }}
+    with:
+      api-url:  'https://ci.3mdeb.com'
+      owner:    'zarhus'
+      repo:     'trenchboot-release-cicd-pipeline'
+      ref:      'master'
+      inputs: >-
+        --input GITHUB_REPO=grub
+        --input GITHUB_SHA=${{ github.sha }}
+        --input GITHUB_RUN_ID=${{ github.run_id }}
+        --input QUBES_COMPONENT=grub2
+        --input WORKFLOW=sign-and-publish-test-rpms
