token: switch over to GITHUB_TOKEN #3

name: Qualcomm Upstream Version Promotion Reusable Workflow

Check failure on line 1 in .github/workflows/qcom-promote-upstream-reusable-workflow.yml

GitHub Actions / .github/workflows/qcom-promote-upstream-reusable-workflow.yml

Invalid workflow file

(Line: 41, Col: 3): Unexpected value 'workflows'
description: |
  The purpose of this workflow is to take a given tag that exists in the upstream repository
  that the package repo tracks, and then import it with git-buildpackage so that it makes its
  way in the upstream and debian branch. It also takes care of increasing the version number
  in the changelog file. The tracked upstream repo needs to be properly configured in the
  debian/watch file.

on:
  workflow_call:
    inputs:
      qcom-build-utils-ref:
        description: The ref name that was used to invoke this reusable workflow
        type: string
        required: true
      debian-branch:
        description: The debian branch to apply the promotion to. For example branch "debian/qcom-next"
        type: string
        required: false
        default: debian/qcom-next
      upstream-tag:
        description: The tag in the upstream repo to promote to.
        type: string
        required: true
      upstream-repo:
        description: The upstream git repo address
        type: string
        required: true
    secrets:
      UPSTREAM_REPO_READ_PAT:
        required: false

permissions:
  contents: write
  packages: read
  # This is the entry the annotation above rejects: Unexpected value 'workflows'
  workflows: write

env:
  NORMALIZED_VERSION: ""
  UPSTREAM_TAG_ALREADY_EXISTS: false

jobs:
  promote-upstream-version:
    runs-on: ubuntu-24.04-arm
    defaults:
      run:
        shell: bash
    container:
      # This docker image is built and published by the qualcomm-linux/docker-pkg-build repo CI workflow
      image: ghcr.io/qualcomm-linux/pkg-builder:noble
      credentials:
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
    steps:
      # Normalize a tag, e.g. v1.0.0 -> 1.0.0
      - name: Normalize Tag Version
        run: |
          echo "ℹ️ Input upstream-tag is : ${{inputs.upstream-tag}}"
          NORMALIZED_VERSION=$(echo "${{inputs.upstream-tag}}" | sed 's/^v//')
          echo "NORMALIZED_VERSION=$NORMALIZED_VERSION" >> $GITHUB_ENV
          echo "ℹ️ Normalized version : $NORMALIZED_VERSION"

      - name: Checkout qcom-build-utils
        uses: actions/checkout@v4
        with:
          repository: qualcomm-linux/qcom-build-utils
          ref: ${{inputs.qcom-build-utils-ref}}
          path: ./qcom-build-utils
          fetch-depth: 1
          sparse-checkout: |
            .github
            scripts

      # Fetch all history for all tags and branches
      - name: Checkout Repository
        uses: actions/checkout@v4
        with:
          path: ./package-repo
          fetch-depth: 0

      - name: Authenticate with GitHub
        run: |
          gh auth login --with-token <<< "${{secrets.GITHUB_TOKEN}}"

      - name: Show branches/tags and checkout debian/upstream latest
        working-directory: ./package-repo
        run: |
          git branch
          git tag
          git checkout ${{inputs.debian-branch}}
          echo "Listing all the current tags :"
          git tag --list
          if git ls-remote --exit-code --heads origin upstream/latest; then
            git checkout upstream/latest # Checkout this branch just to make sure it exists locally after it's been fetched as gbp will need it later
            git checkout - # Then revert back to the inputs.debian-branch branch as we will need to have it checked out for gbp later
          fi

      - name: Make sure the upstream tag is not already part of the repo
        working-directory: ./package-repo
        run: |
          if (git tag --list | grep "${{inputs.upstream-tag}}"); then
            echo "❌ The supplied upstream tag is wrong as it pertains to this repo already."
            exit 1
          fi

      - name: Validate the upstream tag promotion state
        working-directory: ./package-repo
        run: |
          # Check if the upstream/<normalized_version> tag does not already exist
          if ! git tag --list | grep "upstream/${{env.NORMALIZED_VERSION}}"; then
            echo "✅ The upstream tag '${{inputs.upstream-tag}}' has not been promoted yet. Continuing."
            exit 0
          fi
          echo "⚠️ It appears like this repo has already integrated the upstream tag '${{inputs.upstream-tag}}'"
          LATEST_UPSTREAM_TAG=$(git tag --list 'upstream/*' | sort -V | tail -1)
          echo "ℹ️ The latest upstream tag in the repo is: $LATEST_UPSTREAM_TAG"
          if [ "$LATEST_UPSTREAM_TAG" != "upstream/${{env.NORMALIZED_VERSION}}" ]; then
            echo "❌ However, the existing tag 'upstream/${{env.NORMALIZED_VERSION}}' is NOT the latest upstream tag"
            echo "❌ This means we are trying to promote an older tag. Aborting."
            exit 1
          fi
          echo "ℹ️ The existing tag 'upstream/${{env.NORMALIZED_VERSION}}' is the latest upstream tag already."
          echo "ℹ️ This is likely a second attempt to promote the same upstream tag, where the first attempt already added the upstream tag in the upstream branch"
          # Check if there is a PR open for this already
          PRS=$(gh pr list --head "debian/pr/${{env.NORMALIZED_VERSION}}-1" --state open --json number --jq '.[].number')
          if [ -n "$PRS" ]; then
            echo "❌ An open PR already exists for this promotion attempt: $PRS"
            echo "❌ Please merge or close the existing PR before attempting to promote the same upstream tag again."
            exit 1
          fi
          # If we reach this point, it means the upstream tag exists but no PR is open for it
          echo "⚠️ The upstream tag 'upstream/${{env.NORMALIZED_VERSION}}' already exists but no PR is open for it."
          echo "⚠️ This likely means the previous promotion PR was closed without merging."
          echo "⚠️ We will proceed with the promotion, but please ensure to merge the resulting PR to avoid confusion like this."
          # Keep track that the upstream tag already exists
          echo "UPSTREAM_TAG_ALREADY_EXISTS=true" >> $GITHUB_ENV
          # Perform a last check to see if the debian/pr/<version>-1 branch already exists locally (which would mean it's also present remotely)
          if git ls-remote --exit-code --heads origin "debian/pr/${{env.NORMALIZED_VERSION}}-1"; then
            echo "❌ The debian/pr/${{env.NORMALIZED_VERSION}}-1 branch already exists remotely."
            echo "❌ This likely means the previous promotion PR branch was not deleted after closing the PR."
            echo "❌ Please delete the remote branch before attempting to promote the same upstream tag again."
            exit 1
          fi

      - name: Add Upstream Link As A Remote And Fetch Tags
        working-directory: ./package-repo
        run: |
          if [ -n "${{secrets.UPSTREAM_REPO_READ_PAT}}" ]; then
            echo "ℹ️ Adding upstream remote with token authentication. This is because the upstream repository may be private and require authentication to fetch tags."
            REPO_URL=https://x-access-token:${{secrets.UPSTREAM_REPO_READ_PAT}}@github.com/${{inputs.upstream-repo}}.git
          else
            echo "ℹ️ Adding upstream remote without token authentication, repo is assumed to be public"
            REPO_URL=https://github.com/${{inputs.upstream-repo}}.git
          fi
          git remote add upstream-source $REPO_URL
          echo "ℹ️ Fetching tags from upstream repository."
          # Override the global extraheader set by actions/checkout (GITHUB_TOKEN) which would otherwise
          # take precedence over the credentials embedded in the URL and prevent access to external repos.
          if ! git -c http.https://github.com/.extraheader="" fetch upstream-source "+refs/tags/*:refs/tags/*"; then
            echo "❌ Failed to fetch tags from '${{inputs.upstream-repo}}'."
            if [ -n "${{secrets.UPSTREAM_REPO_READ_PAT}}" ]; then
              echo "❌ Ensure that the UPSTREAM_REPO_READ_PAT token has the permission on the repository."
              echo "❌ For more information about this token, see the README.md in qcom-build-utils repo."
            else
              echo "❌ Make sure the upstream repository is public or if it is private that the UPSTREAM_REPO_READ_PAT token is set and has the necessary permissions."
            fi
            exit 1
          fi

      - name: Ensure the tag exists in the upstream repo
        working-directory: ./package-repo
        run: |
          if ! git rev-parse --verify "refs/tags/${{inputs.upstream-tag}}" >/dev/null 2>&1; then
            echo "❌ The specified upstream tag '${{inputs.upstream-tag}}' does not exist in the upstream repository."
            exit 1
          fi

      - name: Pre-populate the upstream/latest branch if first promotion
        working-directory: ./package-repo
        run: |
          # If the upstream/latest branch does not exist yet, create it and give it
          # the history of upstream directly, instead of creating an --allow-empty commit
          # which will be dragged along.
          if ! git ls-remote --exit-code --heads origin upstream/latest; then
            git branch upstream/latest ${{inputs.upstream-tag}}
          else
            # The branch exists, check it out and promote it to the upstream tag
            git checkout upstream/latest
            git merge --ff-only ${{inputs.upstream-tag}}
          fi

      - name: Merge upstream tag into packaging branch
        working-directory: ./package-repo
        run: |
          git config user.name "${{vars.DEB_PKG_BOT_CI_NAME}}"
          git config user.email "${{vars.DEB_PKG_BOT_CI_EMAIL}}"
          git checkout ${{inputs.debian-branch}}
          git checkout -b debian/pr/${{env.NORMALIZED_VERSION}}-1
          ../qcom-build-utils/scripts/merge_debian_packaging_upstream ${{inputs.upstream-tag}}

      - name: Promote Changelog
        working-directory: ./package-repo
        run: |
          export DEBFULLNAME="${{vars.DEB_PKG_BOT_CI_NAME}}"
          export DEBEMAIL="${{vars.DEB_PKG_BOT_CI_EMAIL}}"
          # use ignore branch because we are not on default debian branch
          dch \
            --distribution=UNRELEASED \
            --newversion=${{env.NORMALIZED_VERSION}}-1 \
            'New upstream release'
          git commit -a -s -m "Update changelog version to ${{env.NORMALIZED_VERSION}}-1 and UNRELEASED suite"

      - name: Push Upstream/latest and debian PR Branch
        working-directory: ./package-repo
        run: |
          if [ "${{env.UPSTREAM_TAG_ALREADY_EXISTS}}" = "false" ]; then
            # This is the happy path where no previous promotion attempt was detected
            # Push upstream/latest branch promoted to the tag
            git push origin upstream/latest
            git tag upstream/${{env.NORMALIZED_VERSION}} upstream/latest
            # Push that new tag
            git push origin upstream/${{env.NORMALIZED_VERSION}}
          fi
          git push origin debian/pr/${{env.NORMALIZED_VERSION}}-1

      - name: Open Promotion PR
        working-directory: ./package-repo
        run: |
          ../qcom-build-utils/scripts/create_promotion_pr.py \
            --base-branch "${{inputs.debian-branch}}" \
            --upstream-tag "${{inputs.upstream-tag}}" \
            --normalized-version "${{env.NORMALIZED_VERSION}}"
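
Added example, not part of the qcom-build-utils workflow: the steps "Make sure the upstream tag is not already part of the repo" and "Validate the upstream tag promotion state" test for a tag with `git tag --list | grep "<tag>"`, which matches substrings and treats `.` as a wildcard, so `upstream/1.0` is reported as present when only `upstream/1.0.1` exists. The sketch below validates the tag, then compares that loose match with an exact one. The function names and the sample tag list are constructed for illustration, and the tag is assumed to reach the script through an environment variable rather than `${{ }}` substitution.

```shell
#!/bin/sh
# Added example; names and sample data are constructed, not from the repo.
# Assumption: the step passes the input as an environment variable, e.g.
#   env: UPSTREAM_TAG: ${{ inputs.upstream-tag }}
# and the script calls check_promoted "$UPSTREAM_TAG".

# Accept only characters expected in a version tag; refuse empty or option-like values.
is_safe_tag() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._+~-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# v1.0.0 -> 1.0.0 (same result as the workflow's sed 's/^v//').
normalize_tag() {
    printf '%s\n' "${1#v}"
}

# Exact, literal, whole-line match against a tag list on stdin.
tag_exists() {
    grep -Fxq -- "$1"
}

# Substring/regex match, as `git tag --list | grep "<tag>"` behaves.
tag_exists_loose() {
    grep -q -- "$1"
}

# Constructed stand-in for the output of `git tag --list`.
SAMPLE_TAGS='upstream/1.0.1
upstream/1.0.10
debian/1.0.1-1'

# Prints "rejected", "promoted" or "new" for a requested upstream tag.
check_promoted() {
    is_safe_tag "$1" || { echo "rejected"; return 0; }
    version=$(normalize_tag "$1")
    if printf '%s\n' "$SAMPLE_TAGS" | tag_exists "upstream/$version"; then
        echo "promoted"
    else
        echo "new"
    fi
}

check_promoted "v1.0.1"
check_promoted "v1.0"
check_promoted "v1.0 rc"
```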