Add workflow for automatic rebase.

.github/workflows/qubes-dom0-package.yml

@@ -42,11 +42,11 @@ jobs:
       contents: write
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 100 # need history for `git format-patch`
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           repository: TrenchBoot/.github
           path: shared

.github/workflows/qubes-dom0-packagev2.yml

@@ -23,6 +23,11 @@ on:
           Forced version of a package.
         required: false
         type: string
+      qubes-component-branch:
+        description: >
+          Forced repository branch to build component from
+        required: false
+        type: string
 
 jobs:
   build-and-package:
@@ -40,7 +45,7 @@ jobs:
           createrepo-c devscripts python3-docker reprepro \
           python3-pathspec mktorrent python3-lxml python3-dateutil
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           repository: QubesOS/qubes-builderv2
           ref: 80dd898cc0472dd99f161f1d1c7c44da64de93f2
@@ -79,6 +84,7 @@ jobs:
           PKG_DIR: ${{ inputs.qubes-pkg-src-dir }}
           PKG_REV: ${{ inputs.qubes-pkg-revision }}
           PKG_VER: ${{ inputs.qubes-pkg-version }}
+          BUILD_BRANCH: ${{ inputs.qubes-component-branch }}
           # Following 2 variables are used in double expansion '${${{ github.ref_type }}}',
           # do not change these names even though they don't follow the convention.
           branch: ${{ github.head_ref }}
@@ -88,11 +94,14 @@ jobs:
           # Switch from Qubes to Docker executor
           sed -i "/^executor:$/,+4d; /^#executor:$/,+3s/#//" builder.yml
 
-          branch_name=${${{ github.ref_type }}}
+          branch_name="${BUILD_BRANCH}"
           if [ -z "$branch_name" ]; then
-              # github.head_ref is set only for pull requests, this should
-              # handle pushes
-              branch_name=$(basename "$GITHUB_REF")
+              branch_name=${${{ github.ref_type }}}
+              if [ -z "$branch_name" ]; then
+                  # github.head_ref is set only for pull requests, this should
+                  # handle pushes
+                  branch_name=$(basename "$GITHUB_REF")
+              fi
           fi
 
           if [ -n "$PKG_DIR" ]; then

.github/workflows/rebase.yml

@@ -0,0 +1,112 @@
+---
+name: Try rebasing on updated upstream, report in case of conflicts
+
+on:
+  workflow_call:
+    secrets:
+      first-remote-token:
+        description: >
+          Personal access token for performing the following operations on the
+          downstream-repo: fetch the repository, create a branch, delete a
+          branch, create commits on a branch, push to a branch, open a PR, close
+          a PR, get list of PRs.
+        required: true
+    inputs:
+      downstream-repo:
+        description: >
+          <first_repo> parameter for the rebase.sh script.
+        required: true
+        type: string
+      downstream-branch:
+        description: >
+          <first_repo_branch> parameter for the rebase.sh script.
+        required: true
+        type: string
+      upstream-repo:
+        description: >
+          <second_repo> parameter for the rebase.sh script.
+        required: true
+        type: string
+      upstream-branch:
+        description: >
+          <second_repo_branch> parameter for the rebase.sh script.
+        required: true
+        type: string
+      commit-user-name:
+        description: >
+          NAME parameter for the --commit-user-name option of the rebase.sh
+          script.
+        required: true
+        type: string
+      commit-user-email:
+        description: >
+          EMAIL parameter for the --commit-user-email option of the rebase.sh
+          script.
+        required: true
+        type: string
+      cicd-trigger-resume:
+        description: >
+          MESSAGE parameter for the --cicd-trigger-resume option of the
+          rebase.sh script.
+        required: true
+        type: string
+      skip-commits:
+        description: >
+          N parameter for --skip option of the rebase.sh script.
+        required: false
+        type: string
+        default: '0'
+    outputs:
+      rebase-exit-code:
+        description: >
+          Exit code returned by the rebase.sh script. See the script's --help
+          output for the meaning of each code.
+        value: ${{ jobs.rebase-attempt.outputs.rebase-exit-code }}
+
+jobs:
+  rebase-attempt:
+    runs-on: ubuntu-latest
+    name: Try rebasing on updated upstream, report in case of conflicts
+    permissions:
+      # For creation/deletion/pushing to branches and creating PRs
+      contents: write
+    outputs:
+      rebase-exit-code: ${{ steps.rebase.outputs.exit-code }}
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          repository: TrenchBoot/.github
+          path: shared
+          ref: ${{ job.workflow_sha }}
+      - name: Run script for rebasing
+        id: rebase
+        env:
+          FIRST_REMOTE_TOKEN: ${{ secrets.first-remote-token }}
+          DOWNSTREAM_REPO: ${{ inputs.downstream-repo }}
+          DOWNSTREAM_BRANCH: ${{ inputs.downstream-branch }}
+          UPSTREAM_REPO: ${{ inputs.upstream-repo }}
+          UPSTREAM_BRANCH: ${{ inputs.upstream-branch }}
+          NAME: ${{ inputs.commit-user-name }}
+          EMAIL: ${{ inputs.commit-user-email }}
+          MESSAGE: ${{ inputs.cicd-trigger-resume }}
+          SKIP_COMMITS: ${{ inputs.skip-commits }}
+        run: |
+          set +e
+          shared/scripts/rebase.sh --first-remote-token "$FIRST_REMOTE_TOKEN" \
+          --commit-user-name "$NAME" \
+          --commit-user-email "$EMAIL" \
+          --cicd-trigger-resume "$MESSAGE" \
+          --skip "$SKIP_COMMITS" \
+          "$DOWNSTREAM_REPO" \
+          "$DOWNSTREAM_BRANCH" \
+          "$UPSTREAM_REPO" \
+          "$UPSTREAM_BRANCH"
+          rc=$?
+          echo "exit-code=${rc}" >> "$GITHUB_OUTPUT"
+          # The "No rebase needed" return code should be considered a success
+          # here, as we do not want to show that a job has failed in that case
+          # to avoid drawing attention of maintainers.
+          if [ "$rc" -eq "5" ]; then
+              exit "0"
+          fi
+          exit "${rc}"

README.md

@@ -68,21 +68,36 @@ package, hence significantly reduced set of parameters.
 There is also no need to use `qubes-builder-docker/` in this case because
 builder's repository contains its own Docker image.
 
-| Parameter            | Type   | Req. | Def. | Description
-| ---------            | ----   | ---- | ---- | -----------
-| `qubes-component`    | string | Yes  | -    | Name of QubesOS component as recognized by its build system.
-| `qubes-pkg-src-dir`  | string | No   | -    | Relative path to directory containing Qubes OS package.
-| `qubes-pkg-version`  | string | No   | auto | Version for RPM packages
-| `qubes-pkg-revision` | string | No   | `1`  | Revision for RPM packages
-
-Used by [TrenchBoot/qubes-antievilmaid][aem] and
-[TrenchBoot/secure-kernel-loader][skl].  The latter makes use of
-`qubes-pkg-src-dir` as Qubes OS package is stored within the repository itself.
+| Parameter                | Type   | Req. | Def. | Description
+| ---------                | ----   | ---- | ---- | -----------
+| `qubes-component`        | string | Yes  | -    | Name of QubesOS component as recognized by its build system.
+| `qubes-pkg-src-dir`      | string | No   | -    | Relative path to directory containing Qubes OS package.
+| `qubes-pkg-version`      | string | No   | auto | Version for RPM packages
+| `qubes-pkg-revision`     | string | No   | `1`  | Revision for RPM packages
+| `qubes-component-branch` | string | No   | -    | Forced repository branch to build component from
 
 [qubes-builder-v2]: https://github.com/QubesOS/qubes-builderv2
 [aem]: https://github.com/TrenchBoot/qubes-antievilmaid/blob/2b6b796e31789fca599986c9cfb0a3ceced5967d/.github/workflows/build.yml
 [skl]: https://github.com/TrenchBoot/secure-kernel-loader
 
+### rebase
+
+This workflow automates rebasing a downstream repository branch on top of an
+upstream branch. On success, it pushes the rebased branch. If conflicts arise,
+it opens a pull request against the downstream repository to ask for
+resolution.
+
+| Parameter              | Type   | Req. | Def. | Description
+| ---------              | ----   | ---- | ---- | -----------
+| `downstream-repo`      | string | Yes  | -    | URL of the repository to rebase (`<first_repo>` argument of `rebase.sh`).
+| `downstream-branch`    | string | Yes  | -    | Branch in the downstream repository to rebase (`<first_repo_branch>` argument of `rebase.sh`).
+| `upstream-repo`        | string | Yes  | -    | URL of the repository that provides the new base (`<second_repo>` argument of `rebase.sh`).
+| `upstream-branch`      | string | Yes  | -    | Branch in the upstream repository to rebase onto (`<second_repo_branch>` argument of `rebase.sh`).
+| `commit-user-name`     | string | Yes  | -    | Git author name used for rebase commits (`--commit-user-name` option of `rebase.sh`).
+| `commit-user-email`    | string | Yes  | -    | Git author e-mail used for rebase commits (`--commit-user-email` option of `rebase.sh`).
+| `cicd-trigger-resume`  | string | Yes  | -    | Human-readable message appended to the conflict PR describing how to resume the pipeline (`--cicd-trigger-resume` option of `rebase.sh`).
+| `first-remote-token`   | string | Yes  | -    | Personal access token with permissions to fetch, branch, commit, push, and open/close PRs on `downstream-repo`. Passed as a GitHub Actions secret.
+
 ## Usage
 
 Full details can be found in [GitHub's documentation][workflow-docs] on
@@ -91,20 +106,22 @@ modifications to workflows are necessary.
 
 [workflow-docs]: https://docs.github.com/en/actions/using-workflows/reusing-workflows
 
+### qubes-dom0-package or qubes-dom0-packagev2
+
 Create a workflow file like `.github/workflows/build.yml` inside of your
 repository.  It will have 3 parts: name, triggering conditions and invocation
 of one of the workflows defined here.  Let's use [TrenchBoot/grub][grub] as an
 example.
 
-### Name
+#### Name
 
 ```yaml
 name: Test build and package QubesOS RPMs
 ```
 
 Specify workflow title used for identification in UI.
 
-### Triggering conditions
+#### Triggering conditions
 
 ```yaml
 on:
@@ -118,7 +135,7 @@ on:
 Activate this workflow on push of any tag or a branch which starts with
 `intel-txt-aem` (including this branch, i.e. `*` can expand to an empty string).
 
-### Workflow invocation
+#### Workflow invocation
 
 ```yaml
 jobs:
@@ -134,6 +151,49 @@ jobs:
 Invoke v1 workflow from `master` branch of this repository with the set of
 parameters as described in a section above.
 
+### rebase
+
+`rebase` is typically one job in a larger workflow that first prepares the
+upstream branch to rebase onto, then calls this workflow, and finally cleans up
+any temporary branches.
+
+#### Triggering conditions
+
+There is no specific trigger condition that can be used to trigger pipelines
+that contain this reusable workflow. So the developer is free to decide. But
+there is one case: if the workflow that uses this reusable workflow has a
+condition on push event, then the token provided via `first-remote-token` should
+not have permissions to trigger CI/CDs. This is because the script used inside
+this reusable workflow pushes to the remote repository several times.
+
+#### Workflow invocation
+
+```yaml
+name: Rebase on top of QubesOS main
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * 6'
+
+jobs:
+  try-rebase:
+    uses: TrenchBoot/.github/.github/workflows/rebase.yml@master
+    secrets:
+      first-remote-token: ${{secrets.TRENCHBOOT_REBASE_TOKEN}}
+    permissions:
+      # For creation/deletion/pushing to branches and creating PRs
+      contents: write
+    with:
+      downstream-repo: 'https://github.com/DaniilKl/qubes-antievilmaid.git'
+      downstream-branch: 'main'
+      upstream-repo: 'https://github.com/QubesOS/qubes-antievilmaid.git'
+      upstream-branch: 'main'
+      commit-user-name: 'github-actions[bot]'
+      commit-user-email: 'github-actions[bot]@users.noreply.github.com'
+      cicd-trigger-resume: '7. Rerun the workflow https://github.com/DaniilKl/qubes-antievilmaid/actions/runs/${{ github.run_id }} to resume automated rebase.'
+```
+
 ## Funding
 
 This project was partially funded through the