This document provides detailed information about each reusable workflow in qcom-build-utils.
Reusable workflows are defined in .github/workflows/ and are designed to be called from package repositories. They orchestrate the build, test, and deployment process for Debian packages.
- qcom-build-pkg-reusable-workflow
- qcom-promote-upstream-reusable-workflow
- qcom-upstream-pr-pkg-build-reusable-workflow
- qcom-container-build-and-upload
- qcom-preflight-checks
File: .github/workflows/qcom-build-pkg-reusable-workflow.yml
Purpose: The main workflow for building Debian packages from package repositories. This workflow is called by both pre-merge and post-merge workflows in package repositories.
```mermaid
flowchart TD
    A[Workflow Called] --> B[Checkout qcom-build-utils]
    B --> C[Checkout Package Repository]
    C --> D[Build Debian Package<br/>build_package action]
    D --> E{run-abi-checker?}
    E -->|Yes| F[Run ABI Checker<br/>abi_checker action]
    E -->|No| G{push-to-repo?}
    F --> G
    G -->|Yes| H[Push to Repository<br/>push_to_repo action]
    G -->|No| I{is-post-merge?}
    H --> I
    I -->|Yes| J[Create debian/version tag]
    I -->|No| K[End]
    J --> K
```
Inputs:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| `qcom-build-utils-ref` | string | Yes | - | The ref (branch/tag) of qcom-build-utils to use |
| `debian-ref` | string | Yes | `debian/qcom-next` | The debian branch/tag to build |
| `distro-codename` | string | No | `noble` | Ubuntu distribution codename (noble, jammy, questing, etc.) |
| `run-lintian` | boolean | No | `false` | Whether to run lintian during build |
| `run-abi-checker` | boolean | No | `false` | Whether to check ABI compatibility |
| `push-to-repo` | boolean | No | `false` | Whether to push built package to repository |
| `is-post-merge` | boolean | No | `false` | True if triggered by merge to `debian/qcom-next` |
| `runner` | string | No | `lecore-prd-u2404-arm64-xlrg-od-ephem` | GitHub runner to use |
Environment variables:
- `REPO_URL`: https://qualcomm-linux.github.io/pkg-oss-staging-repo/
- `REPO_NAME`: qualcomm-linux/pkg-oss-staging-repo
Steps:
- Checkout qcom-build-utils: Sparse checkout of the `.github` and `scripts` directories
- Checkout Package Repository: Full checkout with tags for version information
- Build Debian Package: Uses the `build_package` composite action
- Run ABI Checker (conditional): Compares ABI with the repository version
- Push to Repository (conditional): Uploads the package to the staging repository
- Tag Version (post-merge only): Creates a `debian/{version}` git tag
Pre-merge example (called from a package repository's pull request workflow):

```yaml
jobs:
  build:
    uses: qualcomm-linux/qcom-build-utils/.github/workflows/qcom-build-pkg-reusable-workflow.yml@development
    with:
      qcom-build-utils-ref: development
      debian-ref: ${{ github.head_ref }}
      run-abi-checker: true
      push-to-repo: false
      is-post-merge: false
```

Post-merge example (called after a merge to `debian/qcom-next`):

```yaml
jobs:
  build:
    uses: qualcomm-linux/qcom-build-utils/.github/workflows/qcom-build-pkg-reusable-workflow.yml@development
    with:
      qcom-build-utils-ref: development
      debian-ref: debian/qcom-next
      push-to-repo: true
      run-abi-checker: true
      is-post-merge: true
```

File: .github/workflows/qcom-promote-upstream-reusable-workflow.yml
Purpose: Automates the promotion of a new upstream version into the package repository. This workflow imports an upstream tag, merges it into the packaging branch, and creates a PR for review.
```mermaid
flowchart TD
    A[Workflow Called with upstream-tag] --> B[Normalize Tag Version<br/>v1.0.0 → 1.0.0]
    B --> C[Checkout qcom-build-utils]
    C --> D[Checkout Package Repository]
    D --> E[Checkout debian/qcom-next and upstream/latest]
    E --> F{Tag already exists?}
    F -->|Yes| G[Fail: Tag already integrated]
    F -->|No| H[Add Upstream Repository as Remote]
    H --> I[Fetch Upstream Tags]
    I --> J{upstream/latest exists?}
    J -->|No| K[Create upstream/latest from tag]
    J -->|Yes| L[Fast-forward merge to tag]
    K --> M[Checkout debian/qcom-next]
    L --> M
    M --> N[Create debian/pr/version-1 branch]
    N --> O[Merge upstream tag into debian branch]
    O --> P[Promote Changelog with gbp dch]
    P --> Q[Push upstream/latest branch]
    Q --> R[Push upstream/version tag]
    R --> S[Push debian/pr/version-1 branch]
    S --> T[Create Pull Request]
    T --> U[End]
```
Inputs:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| `qcom-build-utils-ref` | string | Yes | - | The ref of qcom-build-utils to use |
| `upstream-tag` | string | Yes | - | The tag in the upstream repo to promote (e.g., `v1.0.0`) |
| `upstream-repo` | string | Yes | - | The upstream git repository address (e.g., `org/repo`) |
| `promote-changelog` | boolean | No | `false` | Whether to run `gbp dch` to update the changelog |
Secrets:

| Secret | Required | Description |
|---|---|---|
| `PAT` | No | GitHub Personal Access Token for authenticating against private upstream repositories. Not required when the upstream repository is public. |
Environment variables:
- `NORMALIZED_VERSION`: Version with the 'v' prefix removed

Steps:
- Normalize Tag Version: Remove 'v' prefix from version tag
- Checkout Repositories: Clone qcom-build-utils and package repository
- Validate Tag: Ensure tag doesn't already exist in the package repo
- Add Upstream Remote: Configure upstream repository as git remote
- Fetch Upstream Tags: Get all tags from upstream
- Pre-populate upstream/latest: Create or fast-forward upstream/latest branch
- Merge Upstream: Create PR branch and merge upstream tag
- Promote Changelog: Update debian/changelog with new version
- Push Branches and Tags: Push upstream/latest and PR branch
- Create PR: Open pull request for manual review
Example:

```yaml
jobs:
  promote:
    uses: qualcomm-linux/qcom-build-utils/.github/workflows/qcom-promote-upstream-reusable-workflow.yml@development
    with:
      qcom-build-utils-ref: development
      upstream-tag: v2.1.0
      upstream-repo: qualcomm-linux/my-upstream-project
      promote-changelog: true
```

Notes:
- Creates a PR branch: `debian/pr/{version}-1`
- Creates an upstream tag: `upstream/{version}`
- Automatically updates the changelog
- PR must be reviewed and merged manually
- Uses git-buildpackage (gbp) tools for Debian packaging operations
File: .github/workflows/qcom-upstream-pr-pkg-build-reusable-workflow.yml
Purpose: Validates that upstream repository pull requests don't break the Debian package build. This workflow is called from the upstream repository's PR workflow.
```mermaid
flowchart TD
    A[PR in Upstream Repo] --> B[Checkout qcom-build-utils]
    B --> C[Checkout Package Repository]
    C --> D[Checkout Upstream PR Branch]
    D --> E[Tag PR as upstream/pr]
    E --> F[Add Upstream as Remote to Package Repo]
    F --> G[Checkout debian/qcom-next]
    G --> H[Create debian/upstream-pr branch]
    H --> I[Parse Current Version]
    I --> J[Import PR with gbp<br/>Version: upstream~prNNN]
    J --> K[Merge upstream/latest into debian/upstream-pr]
    K --> L[Update Changelog with PR version]
    L --> M[Build Debian Package]
    M --> N[Run ABI Checker]
    N --> O[Report Results to PR]
```
Inputs:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| `qcom-build-utils-ref` | string | Yes | - | The ref of qcom-build-utils to use |
| `upstream-repo` | string | Yes | - | The upstream repository triggering the workflow |
| `upstream-repo-ref` | string | Yes | - | The ref (PR branch) in the upstream repo |
| `pkg-repo` | string | Yes | - | The package repository to test against |
| `pr-number` | number | Yes | - | The PR number in the upstream repo |
| `run-lintian` | boolean | No | `false` | Whether to run lintian |
| `distro-codename` | string | No | `noble` | Distribution codename |
| `runner` | string | No | `ubuntu-latest` | Runner to use |
Environment variables:
- `REPO_URL`: APT repository URL for ABI checking

Values extracted from `debian/changelog`:
- `upstream_version`: Extracted upstream version
- `distro_revision`: Extracted distribution revision
Steps:
- Checkout Repositories: Clone qcom-build-utils, the package repo, and the upstream PR
- Tag Upstream PR: Create an `upstream/pr` tag on the PR branch
- Add Remote: Add the upstream repo as a remote of the package repo
- Merge PR Changes: Create a test branch and merge the PR into `debian/qcom-next`
- Version Manipulation: Create a special version with a `~pr{number}` suffix
- Import with gbp: Use git-buildpackage to import the PR
- Promote Changelog: Update the changelog for the test build
- Build Package: Build the package with the PR changes
- Run ABI Check: Verify ABI compatibility
- Report Status: Return success/failure to the upstream PR
Called from the upstream repository's workflow (e.g., `.github/workflows/pkg-build-pr-check.yml`):

```yaml
name: Package Build PR Check
on:
  pull_request:
    branches: [ main ]
jobs:
  package-build-pr-check:
    uses: qualcomm-linux/qcom-build-utils/.github/workflows/qcom-upstream-pr-pkg-build-reusable-workflow.yml@development
    with:
      qcom-build-utils-ref: development
      upstream-repo: ${{ github.repository }}
      upstream-repo-ref: ${{ github.head_ref }}
      pkg-repo: ${{ vars.PKG_REPO_GITHUB_NAME }}
      pr-number: ${{ github.event.pull_request.number }}
```

Setup Requirements:
The `PKG_REPO_GITHUB_NAME` variable is the key to linking upstream and package repositories:
- Configure in the upstream repository: Go to Settings → Secrets and variables → Actions → Variables
- Create the variable:
  - Name: `PKG_REPO_GITHUB_NAME`
  - Value: Package repository in the format `organization/repo-name` (e.g., `qualcomm-linux/pkg-example`)
- Use in the workflow: Reference it as `${{ vars.PKG_REPO_GITHUB_NAME }}` in the `pkg-repo` parameter
```mermaid
graph LR
    A[Upstream Repo<br/>Variable Set] -->|PKG_REPO_GITHUB_NAME| B[Workflow reads<br/>vars.PKG_REPO_GITHUB_NAME]
    B -->|Passes to| C[qcom-upstream-pr-pkg-build<br/>reusable workflow]
    C -->|Clones and tests| D[Package Repository<br/>e.g., pkg-example]
    style A fill:#e1f5ff
    style D fill:#ffe6e6
```
Example: See qcom-example-package-source for a complete example
Notes:
- Creates a special version with `~pr{number}` to indicate a test build
- The `~` character ensures the version sorts lower than release versions
- Filters out the `.git`, `.github`, and `debian` folders from upstream
- Does not push built packages to the repository
- Only validates that the build succeeds
File: .github/workflows/qcom-container-build-and-upload.yml
Purpose: Builds and publishes the Docker container images used for building Debian packages. These containers include all necessary tools and dependencies.
```mermaid
flowchart TD
    A[Trigger: PR/Push/Schedule/Manual] --> B{Check if Build Needed}
    B -->|docker/ changed| C[Build Needed]
    B -->|Schedule/Manual| C
    B -->|No changes| D[Skip Build]
    C --> E[Build amd64 Image on ubuntu-latest]
    C --> F[Build arm64 Image on self-hosted ARM runner]
    E --> G[Test Build: pkg-example noble]
    E --> H[Test Build: pkg-example questing]
    F --> I[Test Build: pkg-example noble]
    F --> J[Test Build: pkg-example questing]
    G --> K{Event Type}
    H --> K
    I --> K
    J --> K
    K -->|push to main| L[Push to GHCR]
    K -->|PR or other| M[Don't Push]
    L --> N[End]
    M --> N
    D --> N
```
Triggers:
- Schedule: Monday at 00:00 UTC (weekly rebuild)
- Pull Request: On PRs to the `main` or `development` branches
- Push: On push to the `main` branch
- Manual: Via `workflow_dispatch`
Environment variables:
- `QCOM_ORG_NAME`: qualcomm-linux
- `IMAGE_NAME`: pkg-builder
Check job, which determines whether a container rebuild is necessary:
- For PRs: Check if the `docker/` folder changed
- For Pushes: Check if the `.github/docker/` folder changed
- For Schedule/Manual: Always build
amd64 build job:
- Runs on: `ubuntu-latest` (x86_64)
- Builds: `amd64` container images natively
- Tests: Builds `pkg-example` for noble and questing
- Pushes: Only on non-PR events

arm64 build job:
- Runs on: `["self-hosted", "lecore-prd-u2404-arm64-xlrg-od-ephem"]`
- Builds: `arm64` container images natively
- Tests: Builds `pkg-example` for noble and questing
- Pushes: Only on non-PR events
Built images are tagged as:
- `ghcr.io/qualcomm-linux/pkg-builder:amd64-noble`
- `ghcr.io/qualcomm-linux/pkg-builder:amd64-questing`
- `ghcr.io/qualcomm-linux/pkg-builder:arm64-noble`
- `ghcr.io/qualcomm-linux/pkg-builder:arm64-questing`

Notes:
- Cross-compilation using QEMU was attempted but had reliability issues
- Native builds on appropriate architecture runners are used instead
- Images include all tools for Debian package building (sbuild, gbp, etc.)
- Test builds with `pkg-example` ensure container functionality before publishing
File: .github/workflows/qcom-preflight-checks.yml
Purpose: Runs security and quality checks on the qcom-build-utils repository itself. This workflow uses Qualcomm's centralized preflight checks.
```mermaid
flowchart TD
    A[PR or Push to main/latest] --> B[qcom-preflight-checks-reusable-workflow]
    B --> C[Repolinter]
    B --> D[Semgrep]
    B --> E[Copyright License Detector]
    B --> F[PR Email Check]
    B --> G[Dependency Review]
    C --> H[Report Results]
    D --> H
    E --> H
    F --> H
    G --> H
```
Triggers:
- Pull Request: On PRs to the `main` or `latest` branches
- Push: On push to the `main` or `latest` branches
- Manual: Via `workflow_dispatch`
Checks:

| Check | Purpose |
|---|---|
| `repolinter` | Validates repository structure and required files |
| `semgrep` | Static analysis for security vulnerabilities |
| `copyright-license-detector` | Verifies license headers and compliance |
| `pr-check-emails` | Validates commit author emails |
| `dependency-review` | Checks for vulnerable dependencies in PRs |
Secrets:

| Secret | Description |
|---|---|
| `SEMGREP_APP_TOKEN` | Token for Semgrep security scanning |
Notes:
- Uses the external reusable workflow from `qualcomm/qcom-reusable-workflows`
- Version pinned to `v1.1.4` for stability
- All checks are enabled by default
- Security scanning results are written to security events
All reusable workflows are called using the same pattern:

```yaml
jobs:
  job-name:
    uses: qualcomm-linux/qcom-build-utils/.github/workflows/{workflow-name}.yml@{ref}
    with:
      # Input parameters
      qcom-build-utils-ref: development
      # ... other inputs
```

Package repositories need these organization secrets configured:
- `SEMGREP_APP_TOKEN`: For security scanning (used by qcom-preflight-checks)
- `DEB_PKG_BOT_CI_USERNAME`: Username for the container registry
- `DEB_PKG_BOT_CI_NAME`: Name for git commits
- `DEB_PKG_BOT_CI_EMAIL`: Email for git commits
Best practices:
- Pin workflow versions: Use specific refs (tags or commit SHAs) for production
- Use the development ref for testing: Test changes with the `@development` ref
- Enable ABI checking: Always run the ABI checker in pre-merge and post-merge builds
- Test before pushing: Use `push-to-repo: false` for pre-merge builds
- Review automation: Even automated PRs should be reviewed before merging