token: switch over to GITHUB_TOKEN

simonbeaudoin0935 · simonbeaudoin0935 · commit 4906fb06419a · 2026-04-08T11:22:12.000-07:00
Signed-off-by: Simon Beaudoin &lt;sbeaudoi@qti.qualcomm.com&gt;
diff --git a/.github/workflows/qcom-promote-prebuilt-reusable-workflow.yml b/.github/workflows/qcom-promote-prebuilt-reusable-workflow.yml
@@ -231,7 +231,7 @@ jobs:
         run: |
           cd ./package-repo
 
-          gh auth login --with-token <<< "${{secrets.DEB_PKG_BOT_CI_TOKEN}}"
+          gh auth login --with-token <<< "${{secrets.GITHUB_TOKEN}}"
 
           PR_TITLE="Promotion to ${{env.NEW_DEBIAN_VERSION}} (Artifactory tag: ${{inputs.new-tag}})"
 
diff --git a/.github/workflows/qcom-promote-upstream-reusable-workflow.yml b/.github/workflows/qcom-promote-upstream-reusable-workflow.yml
@@ -31,6 +31,10 @@ on:
         type: string
         required: true
 
+    secrets:
+      UPSTREAM_REPO_READ_PAT:
+        required: false
+
 permissions:
   contents: write
   packages: read
@@ -87,10 +91,13 @@ jobs:
           path: ./package-repo
           fetch-depth: 0
 
+      - name: Authenticate with GitHub
+        run : |
+          gh auth login --with-token <<< "${{secrets.GITHUB_TOKEN}}"
+
       - name: Show branches/tags and checkout debian/upstream latest
+        working-directory: ./package-repo
         run: |
-          cd ./package-repo
-
           git branch
           git tag
           git checkout ${{inputs.debian-branch}}
@@ -102,18 +109,16 @@ jobs:
           fi
 
       - name: Make sure the upstream tag is not already part of the repo
+        working-directory: ./package-repo
         run: |
-          cd ./package-repo
-
           if (git tag --list | grep "${{inputs.upstream-tag}}"); then
             echo "❌ The supplied upstream tag is wrong as it pertains to this repo already."
             exit 1
           fi
 
       - name: Validate the upstream tag promotion state
+        working-directory: ./package-repo
         run: |
-          cd ./package-repo
-
           # Check if the upstream/<normalized_version> tag does not already exists
           if ! git tag --list | grep "upstream/${{env.NORMALIZED_VERSION}}"; then
             echo "✅ The upstream tag '${{inputs.upstream-tag}}' has not been promoted yet. Continuing."
@@ -136,7 +141,6 @@ jobs:
           echo "ℹ️ This is likely a second attempt to promote the same upstream tag, where the first attempt already added the upstream tag in the upstram branch"
 
           # Check if there is a PR open for this already
-          gh auth login --with-token <<< "${{secrets.DEB_PKG_BOT_CI_TOKEN}}"
           PRS=$(gh pr list --head "debian/pr/${{env.NORMALIZED_VERSION}}-1" --state open --json number --jq '.[].number')
           if [ -n "$PRS" ]; then
             echo "❌ An open PR already exists for this promotion attempt: $PRS"
@@ -161,23 +165,38 @@ jobs:
           fi
 
       - name: Add Upstream Link As A Remote And Fetch Tags
+        working-directory: ./package-repo
         run: |
-          cd ./package-repo
-          git remote add upstream-source https://x-access-token:${{secrets.DEB_PKG_BOT_CI_TOKEN}}@github.com/${{inputs.upstream-repo}}.git
-          git fetch upstream-source "+refs/tags/*:refs/tags/*"
+          if [ -n "${{secrets.UPSTREAM_REPO_READ_PAT}}" ]; then
+            echo "ℹ️ Adding upstream remote with token authentication. This is because the upstream repository may be private and require authentication to fetch tags."
+            git remote add upstream-source https://x-access-token:${{secrets.UPSTREAM_REPO_READ_PAT}}@github.com/${{inputs.upstream-repo}}.git
+            if ! git fetch upstream-source "+refs/tags/*:refs/tags/*"; then
+              echo "❌ Failed to fetch tags from '${{inputs.upstream-repo}}' with the supplied token."
+              echo "❌ Ensure that the UPSTREAM_REPO_READ_PAT token has the necessary read permission on the repository."
+              echo "❌ For more information about this token, see the README.md in qcom-build-utils repo."
+              exit 1
+            fi
+          else
+            echo "ℹ️ Adding upstream remote without token authentication, repo is assumed to be public"
+            git remote add upstream-source https://github.com/${{inputs.upstream-repo}}.git
+            if ! git fetch upstream-source "+refs/tags/*:refs/tags/*"; then
+              echo "❌ Failed to fetch from '${{inputs.upstream-repo}}'."
+              echo "❌ The repository may be private. If so, supply a UPSTREAM_REPO_READ_PAT secret with read access in the secrets of this repo."
+              exit 1
+            fi
+          fi
 
       - name: Ensure the tag exists in the upstream repo
+        working-directory: ./package-repo
         run: |
-          cd ./package-repo
-
           if ! git rev-parse --verify "refs/tags/${{inputs.upstream-tag}}" >/dev/null 2>&1; then
             echo "❌ The specified upstream tag '${{inputs.upstream-tag}}' does not exist in the upstream repository."
             exit 1
           fi
           
       - name: Pre-populate the upstream/latest branch if first promotion
+        working-directory: ./package-repo
         run: |
-          cd ./package-repo
 
           # If the upstream/latest branch does not exist yet, create it and give it
           # the history of upstream directly, instead of creating an --allow-empty commit
@@ -191,9 +210,8 @@ jobs:
           fi
 
       - name: Merge upstream tag into packaging branch
+        working-directory: ./package-repo
         run: |
-          cd ./package-repo
-
           git config user.name "${{vars.DEB_PKG_BOT_CI_NAME}}"
           git config user.email "${{vars.DEB_PKG_BOT_CI_EMAIL}}"
 
@@ -204,9 +222,8 @@ jobs:
           ../qcom-build-utils/scripts/merge_debian_packaging_upstream ${{inputs.upstream-tag}}
 
       - name: Promote Changelog
+        working-directory: ./package-repo
         run: |
-          cd ./package-repo
-
           export DEBFULLNAME="${{vars.DEB_PKG_BOT_CI_NAME}}"
           export DEBEMAIL="${{vars.DEB_PKG_BOT_CI_EMAIL}}"
 
@@ -219,9 +236,8 @@ jobs:
           git commit -a -s -m "Update changelog version to ${{env.NORMALIZED_VERSION}}-1 and UNRELEASED suite"
 
       - name: Push Upstream/latest and debian PR Branch
+        working-directory: ./package-repo
         run: |
-          cd ./package-repo
-
           if [ "${{env.UPSTREAM_TAG_ALREADY_EXISTS}}" = "false" ]; then
               # This is the happy path where no previous promotion attempt was detected
 
@@ -237,12 +253,8 @@ jobs:
           git push origin debian/pr/${{env.NORMALIZED_VERSION}}-1
 
       - name: Open Promotion PR
+        working-directory: ./package-repo
         run: |
-          cd ./package-repo
-
-          # TODO remove this redundant login
-          gh auth login --with-token <<< "${{secrets.DEB_PKG_BOT_CI_TOKEN}}"
-
           ../qcom-build-utils/scripts/create_promotion_pr.py \
             --base-branch "${{inputs.debian-branch}}" \
             --upstream-tag "${{inputs.upstream-tag}}" \
diff --git a/.github/workflows/qcom-release-reusable-workflow.yml b/.github/workflows/qcom-release-reusable-workflow.yml
@@ -323,7 +323,7 @@ jobs:
       - name: Notify qcom-distro-images of new release via repository dispatch
         uses: peter-evans/repository-dispatch@v3
         with:
-          token: ${{secrets.DEB_PKG_BOT_CI_TOKEN}}
+          token: ${{secrets.GITHUB_TOKEN}}
           repository: qualcomm-linux/qcom-distro-images
           event-type: pkg-repo-release
           client-payload: >-
diff --git a/.github/workflows/qcom-upstream-pr-pkg-build-reusable-workflow.yml b/.github/workflows/qcom-upstream-pr-pkg-build-reusable-workflow.yml
@@ -65,7 +65,7 @@ jobs:
       options: --privileged
       credentials:
         username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        password: ${{ ITHUB_TOKEN }}
 
     steps:
 
