From 0d54a78ae5928d6c4cb8d208ad4cd42f1b0fe7dd Mon Sep 17 00:00:00 2001
From: Danil Klimuk
Date: Wed, 15 Apr 2026 12:16:49 +0200
Subject: [PATCH] .github: workflows: add workflows for automatic rebase Regarding the "rebase.yml". We cannot simply rebase commits from TrenchBoot/grub on top of the commits in the QubesOS/qubes-grub2, because: 1. The actual history for the grub component is held in patches in the QubesOS/qubes-grub2 repository, so we need to do a conversion from patches to commits every time we want to try to rebase. 2. We want to track the changes to the other files from the QubesOS/qubes-grub2, except for the patches for the grub component, as versions of these files might be closely related to the changes in the patches for the grub component. Other changes that should be made due to the history format difference between the QubesOS/qubes-grub2 and TrenchBoot/grub should will be resolved by the follwoing commit when the actual rebase happens: TrenchBoot/grub@2f477ee
Signed-off-by: Danil Klimuk
---
.../rebase-build-and-publish-rebased.yml | 158 ++++++++++++++++++
1 file changed, 158 insertions(+)
create mode 100644 .github/workflows/rebase-build-and-publish-rebased.yml
diff --git a/.github/workflows/rebase-build-and-publish-rebased.yml b/.github/workflows/rebase-build-and-publish-rebased.yml
new file mode 100644
index 0000000000..2e2ecd92ea
--- /dev/null
+++ b/.github/workflows/rebase-build-and-publish-rebased.yml
@@ -0,0 +1,158 @@
+name: Build the last successful automatic rebase of tb-dev branch
+
+on:
+ workflow_dispatch:
+ inputs:
+ dry_run:
+ description: >
+ Set this input to do a dry run without building the packages to test
+ the rebase.
+ required: false
+ type: boolean
+ default: false
+ schedule:
+ - cron: '0 0 * * 6'
+
+concurrency:
+ group: automatic-rebase
+
+jobs:
+ prep-rebase:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout qubes-grub2
+ uses: actions/checkout@v6
+ with:
+ repository: QubesOS/qubes-grub2
+ path: qubes-grub2
+ - name: Checkout downstream grub repository
+ uses: actions/checkout@v6
+ with:
+ repository: TrenchBoot/grub
+ token: ${{ secrets.TRENCHBOOT_REBASE_TOKEN }}
+ path: grub
+ - name: Read upstream version from qubes-grub2
+ id: version
+ working-directory: qubes-grub2
+ run: echo "version=$(cat version)" >> "$GITHUB_OUTPUT"
+ - name: Add upstream remote and fetch version tag
+ working-directory: grub
+ env:
+ UPSTREAM_TAG: grub-${{ steps.version.outputs.version }}
+ run: |
+ git remote add upstream https://gitlab.freedesktop.org/gnu-grub/grub.git
+ git fetch upstream "refs/tags/${UPSTREAM_TAG}:refs/tags/${UPSTREAM_TAG}"
+ - name: Apply qubes-grub2 patches on top of upstream tag
+ working-directory: grub
+ env:
+ UPSTREAM_TAG: grub-${{ steps.version.outputs.version }}
+ run: |
+ git checkout -b qubes-grub2-with-patches-rebase-prep "$UPSTREAM_TAG"
+ SPEC="../qubes-grub2/grub2.spec.in"
+ mapfile -t PATCHES < <(grep -E '^Patch[0-9]+:' "$SPEC" | awk '{print $2}')
+ for patch_file in "${PATCHES[@]}"; do
+ git apply "../qubes-grub2/${patch_file}"
+ escaped=$(printf '%s' "$patch_file" | sed 's/\./\\./g')
+ sed -i "/^Patch[0-9]*:[[:space:]]*${escaped}[[:space:]]*$/d" "$SPEC"
+ rm -f "../qubes-grub2/${patch_file}"
+ done
+ - name: Copy QubesOS RPM files to downstream repository
+ run: |
+ cp -r qubes-grub2/* grub/
+ cd grub
+ git add -A
+ GIT_AUTHOR_NAME="github-actions[bot]" \
+ GIT_AUTHOR_EMAIL="github-actions[bot]@users.noreply.github.com" \
+ GIT_AUTHOR_DATE="2024-01-01T00:00:00" \
+ GIT_COMMITTER_NAME="github-actions[bot]" \
+ GIT_COMMITTER_EMAIL="github-actions[bot]@users.noreply.github.com" \
+ GIT_COMMITTER_DATE="2024-01-01T00:00:00" \
+ git commit --no-gpg-sign -m "Do not rebase: QubesOS patches, QubesOS RPM files and Qubes builder metadata"
+ - name: Push qubes-grub2-with-patches branch to downstream
+ working-directory: grub
+ run: git push origin qubes-grub2-with-patches-rebase-prep
+ count-skip-commits:
+ needs: prep-rebase
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ outputs:
+ skip-commits: ${{ steps.count.outputs.skip-commits }}
+ steps:
+ - name: Checkout tb-dev branch
+ uses: actions/checkout@v6
+ with:
+ repository: TrenchBoot/grub
+ ref: tb-dev
+ fetch-depth: 0
+ - name: Fetch qubes-grub2-with-patches-rebase-prep branch
+ run: git fetch origin qubes-grub2-with-patches-rebase-prep
+ - name: Count commits with "Do not rebase:" after merge-base with qubes-grub2-with-patches-rebase-prep
+ id: count
+ run: |
+ count=$(git rev-list --count --grep='Do not rebase:' origin/qubes-grub2-with-patches-rebase-prep..HEAD)
+ echo "skip-commits=${count}" >> "$GITHUB_OUTPUT"
+ try-rebase:
+ needs: count-skip-commits
+ uses: TrenchBoot/.github/.github/workflows/rebase.yml@v2
+ secrets:
+ first-remote-token: ${{secrets.TRENCHBOOT_REBASE_TOKEN}}
+ permissions:
+ # For creation/deletion/pushing to branches and creating PRs
+ contents: write
+ with:
+ downstream-repo: 'https://github.com/TrenchBoot/grub.git'
+ downstream-branch: 'tb-dev'
+ upstream-repo: 'https://github.com/TrenchBoot/grub.git'
+ upstream-branch: 'qubes-grub2-with-patches-rebase-prep'
+ commit-user-name: 'github-actions[bot]'
+ commit-user-email: 'github-actions[bot]@users.noreply.github.com'
+ cicd-trigger-resume: '7. Rerun the workflow https://github.com/TrenchBoot/grub/actions/runs/${{ github.run_id }} to resume automated rebase.'
+ skip-commits: ${{ needs.count-skip-commits.outputs.skip-commits }}
+ cleanup-after-rebase-attempt:
+ needs: try-rebase
+ if: always()
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout downstream grub repository
+ uses: actions/checkout@v6
+ with:
+ repository: TrenchBoot/grub
+ token: ${{ secrets.TRENCHBOOT_REBASE_TOKEN }}
+ path: grub
+ - name: Delete qubes-grub2-with-patches branch from downstream
+ working-directory: grub
+ env:
+ TOKEN: ${{ secrets.TRENCHBOOT_REBASE_TOKEN }}
+ run: |
+ git push "https://${TOKEN}@github.com/TrenchBoot/grub.git" \
+ --delete qubes-grub2-with-patches-rebase-prep
+ get-version:
+ runs-on: ubuntu-latest
+ needs: try-rebase
+ if: ${{ needs.try-rebase.outputs.rebase-exit-code == '0' && ! inputs.dry_run }}
+ outputs:
+ version: ${{ steps.read-version.outputs.version }}
+ steps:
+ - uses: actions/checkout@v6
+ with:
+ ref: 'tb-dev-rebased'
+ - name: Read version of the QubesOS Component from version file
+ id: read-version
+ # The tb-dev-rebased should already have the version file either created
+ # in the prep-rebase or try-rebase jobs (it will be probably created by
+ # the prep-rebase as this file is a part of QubesOS repository) on which
+ # it depennds:
+ run: echo "version=$(cat version)" >> "$GITHUB_OUTPUT"
+ qubes-dom0-package:
+ needs: get-version
+ uses: TrenchBoot/.github/.github/workflows/qubes-dom0-packagev2.yml@v2
+ with:
+ qubes-component: 'grub2'
+ qubes-component-branch: 'tb-dev-rebased'
+ qubes-pkg-src-dir: '.'
+ qubes-pkg-version: ${{ needs.get-version.outputs.version }}
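Review bot: In the "Apply qubes-grub2 patches on top of upstream tag" step, `patch_file` is read from `grub2.spec.in` of a different repository and then placed into a `sed -i` expression and into the `git apply` and `rm -f` paths with only dots escaped, so a name containing `/` or regex metacharacters changes what those commands operate on. Because the same job checks out TrenchBoot/grub with `TRENCHBOOT_REBASE_TOKEN`, I would reject unexpected names as the first statement of the loop: `[[ "$patch_file" =~ ^[A-Za-z0-9._+-]+$ ]] || { echo "unexpected patch name: $patch_file" >&2; exit 1; }`. In `cleanup-after-rebase-attempt` the push puts the token into the remote URL even though the checkout step of that job already receives `token:`; `git push origin --delete qubes-grub2-with-patches-rebase-prep`, in the form `prep-rebase` uses for its own push, keeps the secret off the command line. `get-version` is the only `runs-on` job without a `permissions:` block, and giving it `contents: read` would match the others.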