test

Signed-off-by: Simon Beaudoin <sbeaudoi@qti.qualcomm.com>

Author: simonbeaudoin0935

.github/workflows/qcom-promote-upstream-reusable-workflow.yml

@@ -32,12 +32,13 @@ on:
         required: true
 
     secrets:
-      UPSTREAM_REPO_READ_PAT:
+      PAT:
         required: false
 
 permissions:
   contents: write
   packages: read
+  pull-requests: write
 
 env:
   NORMALIZED_VERSION: ""
@@ -87,12 +88,11 @@ jobs:
         uses: actions/checkout@v4
         with:
           path: ./package-repo
-          token: ${{secrets.GITHUB_TOKEN}}
           fetch-depth: 0
 
       - name: Authenticate with GitHub
         run : |
-          gh auth login --with-token <<< "${{secrets.GITHUB_TOKEN}}"
+          gh auth login --with-token <<< "${{secrets.PAT}}"
 
       - name: Show branches/tags and checkout debian/upstream latest
         working-directory: ./package-repo
@@ -166,9 +166,9 @@ jobs:
       - name: Add Upstream Link As A Remote And Fetch Tags
         working-directory: ./package-repo
         run: |
-          if [ -n "${{secrets.UPSTREAM_REPO_READ_PAT}}" ]; then
+          if [ -n "${{secrets.PAT}}" ]; then
             echo "ℹ️ Adding upstream remote with token authentication. This is because the upstream repository may be private and require authentication to fetch tags."
-            REPO_URL=https://x-access-token:${{secrets.UPSTREAM_REPO_READ_PAT}}@github.com/${{inputs.upstream-repo}}.git
+            REPO_URL=https://x-access-token:${{secrets.PAT}}@github.com/${{inputs.upstream-repo}}.git
           else
             echo "ℹ️ Adding upstream remote without token authentication, repo is assumed to be public"
             REPO_URL=https://github.com/${{inputs.upstream-repo}}.git
@@ -180,15 +180,14 @@ jobs:
 
           # Override the global extraheader set by actions/checkout (GITHUB_TOKEN) which would otherwise
           # take precedence over the credentials embedded in the URL and prevent access to external repos.
-          # if ! git -c http.https://github.com/.extraheader="" fetch upstream-source "+refs/tags/*:refs/tags/*"; then
-          if ! git fetch upstream-source "+refs/tags/*:refs/tags/*"; then
+          if ! git -c http.https://github.com/.extraheader="" fetch upstream-source "+refs/tags/*:refs/tags/*"; then
             echo "❌ Failed to fetch tags from '${{inputs.upstream-repo}}'."
 
-            if [ -n "${{secrets.UPSTREAM_REPO_READ_PAT}}" ]; then
-              echo "❌ Ensure that the UPSTREAM_REPO_READ_PAT token has the  permission on the repository."
+            if [ -n "${{secrets.PAT}}" ]; then
+              echo "❌ Ensure that the PAT token has the  permission on the repository."
               echo "❌ For more information about this token, see the README.md in qcom-build-utils repo."
             else
-              echo "❌ Make sure the upstream repository is public or if it is private that the UPSTREAM_REPO_READ_PAT token is set and has the necessary permissions."
+              echo "❌ Make sure the upstream repository is public or if it is private that the PAT token is set and has the necessary permissions."
             fi
 
             exit 1
@@ -202,7 +201,7 @@ jobs:
             exit 1
           fi
           
-      - name: Pre-populate the upstream/latest branch if first promotion
+      - name: Merge upstream tag into upstream/latest
         working-directory: ./package-repo
         run: |
 
@@ -214,7 +213,24 @@ jobs:
           else
             # The branch exists, check it out and promote it to the upstream tag
             git checkout upstream/latest
-            git merge --ff-only ${{inputs.upstream-tag}}
+            git merge ${{inputs.upstream-tag}}
+          fi
+
+      - name: Strip .github/workflows from upstream/latest
+        working-directory: ./package-repo
+        run: |
+          # Since Github does not allow pushing workflows using the GITHUB_TOKEN, remove .github/workflows if present.
+
+          git config user.name "${{vars.DEB_PKG_BOT_CI_NAME}}"
+          git config user.email "${{vars.DEB_PKG_BOT_CI_EMAIL}}"
+
+          git checkout upstream/latest
+
+          # Remove .github/workflows/ if present to avoid GITHUB_TOKEN push restrictions.
+          # The upstream source repo workflows are not relevant to the packaging repo.
+          if [ -d .github/workflows ]; then
+            git rm -rf .github/workflows
+            git commit -s -m "Remove .github/workflows from upstream source"
           fi
 
       - name: Merge upstream tag into packaging branch