From d2b54778d134613f015d186166b426b0c0d3ccad Mon Sep 17 00:00:00 2001 From: Keerthi Gowda Date: Thu, 28 May 2026 15:00:45 -0700 Subject: [PATCH 1/3] refactor: extract create-provenance to a script Move the 'Create provenance file' inline shell block (73 lines) into scripts/create-provenance.sh. The workflow step is now a single line: run: ./qcom-build-utils/scripts/create-provenance.sh All env vars (DISTRO_CODENAME, DEBIAN_BRANCH, UPSTREAM_REPO, PKG_VERSION, PKG_REPO) are unchanged. No behaviour change. Signed-off-by: Keerthi Gowda --- .../qcom-release-reusable-workflow.yml | 66 +------------- scripts/create-provenance.sh | 87 +++++++++++++++++++ 2 files changed, 88 insertions(+), 65 deletions(-) create mode 100755 scripts/create-provenance.sh diff --git a/.github/workflows/qcom-release-reusable-workflow.yml b/.github/workflows/qcom-release-reusable-workflow.yml index 706f6095..0f7c9944 100644 --- a/.github/workflows/qcom-release-reusable-workflow.yml +++ b/.github/workflows/qcom-release-reusable-workflow.yml 
@@ -309,71 +309,7 @@ jobs: UPSTREAM_REPO: ${{ vars.UPSTREAM_REPO_GITHUB_NAME }} PKG_VERSION: ${{ steps.changelog.outputs.version }} PKG_REPO: ${{ github.repository }} - run: | - mkdir build - - cd package-repo - - SOURCE=$(grep-dctrl -n -s Source -r '' debian/control | head -n1) - ALL_PKGS=$(grep-dctrl -n -s Package -r '' debian/control | sort -u) - ALL_PKGS_JSON=$(printf '%s\n' "$ALL_PKGS" | jq -c -R -s 'split("\n") | map(select(length>0))') - - PACKAGE_REPO_TAG=$(git describe --tags --match "${DISTRO_CODENAME}/*" --abbrev=0 "${DEBIAN_BRANCH}") - - if [[ -f "upstream.conf" ]]; then - echo "ℹ️ upstream.conf found — generating provenance for prebuilt binary package" - source upstream.conf - - cat > ../build/provenance.json << EOF - { - "$SOURCE" : { - "source_pkg_version": "${PKG_VERSION}", - - "upstream_type": "prebuilt_binary", - "upstream_repo": "$ARTIFACTORY", - "upstream_repo_tag": "$TAG", - "src_distro": "$DISTRO", - "src_package_name": "$PACKAGE_NAME", - - "pkg_repo": "${PKG_REPO}", - "pkg_repo_tag": "$PACKAGE_REPO_TAG", - "pkg_repo_commit": "$(git rev-parse HEAD)", - - "binary_pkgs": $ALL_PKGS_JSON - } - } - EOF - else - echo "ℹ️ No upstream.conf — generating provenance for source package" - - NEAREST_UPSTREAM_BRANCH_TAG=$(git describe --tags --match 'upstream/*' --abbrev=0) - NEAREST_UPSTREAM_COMMIT=$(git rev-list -n 1 "$NEAREST_UPSTREAM_BRANCH_TAG") - NEAREST_UPSTREAM_TAG=$(git ls-remote --tags "https://github.com/${UPSTREAM_REPO}.git" | \ - awk -v commit="$NEAREST_UPSTREAM_COMMIT" '$1 == commit && $2 ~ /refs\/tags\// { sub("refs/tags/", "", $2); print $2 }' | head -n1) - - cat > ../build/provenance.json << EOF - { - "$SOURCE" : { - "source_pkg_version": "${PKG_VERSION}", - - "upstream_type": "source", - "upstream_repo": "${UPSTREAM_REPO}", - "upstream_repo_tag": "$NEAREST_UPSTREAM_TAG", - "upstream_repo_commit": "$NEAREST_UPSTREAM_COMMIT", - - "pkg_repo": "${PKG_REPO}", - "pkg_repo_tag": "$PACKAGE_REPO_TAG", - "pkg_repo_commit": "$(git rev-parse HEAD)", - 
"pkg_repo_upstream_tag": "$NEAREST_UPSTREAM_BRANCH_TAG", - - "binary_pkgs": $ALL_PKGS_JSON - } - } - EOF - fi - - echo "Content of the provenance file:" - cat ../build/provenance.json | sed 's/^/\x1b[34m/' | sed 's/$/\x1b[0m/' + run: ./qcom-build-utils/scripts/create-provenance.sh - name: Build Debian Packages uses: ./qcom-build-utils/.github/actions/build_package diff --git a/scripts/create-provenance.sh b/scripts/create-provenance.sh new file mode 100755 index 00000000..79065ecc --- /dev/null +++ b/scripts/create-provenance.sh 
@@ -0,0 +1,87 @@
+#!/usr/bin/env bash
+# create-provenance.sh — Generate provenance.json for a Debian package release.
+#
+# Writes build/provenance.json (relative to the caller's working directory).
+# Supports both source packages and prebuilt binary packages (upstream.conf).
+#
+# Required environment variables:
+# DISTRO_CODENAME — suite name, e.g. resolute, noble, trixie
+# DEBIAN_BRANCH — packaging branch, e.g. qcom/ubuntu/resolute
+# PKG_VERSION — debian version string from changelog
+# PKG_REPO — GitHub repository slug, e.g. qualcomm-linux/pkg-kgsl
+# UPSTREAM_REPO — upstream GitHub repo slug (source packages only)
+
+set -euo pipefail
+
+: "${DISTRO_CODENAME:?DISTRO_CODENAME is required}"
+: "${DEBIAN_BRANCH:?DEBIAN_BRANCH is required}"
+: "${PKG_VERSION:?PKG_VERSION is required}"
+: "${PKG_REPO:?PKG_REPO is required}"
+
+mkdir -p build
+
+cd package-repo
+
+SOURCE=$(grep-dctrl -n -s Source -r '' debian/control | head -n1)
+ALL_PKGS=$(grep-dctrl -n -s Package -r '' debian/control | sort -u)
+ALL_PKGS_JSON=$(printf '%s\n' "$ALL_PKGS" | jq -c -R -s 'split("\n") | map(select(length>0))')
+
+PACKAGE_REPO_TAG=$(git describe --tags --match "${DISTRO_CODENAME}/*" --abbrev=0 "${DEBIAN_BRANCH}")
+
+if [[ -f "upstream.conf" ]]; then
+ echo "ℹ️ upstream.conf found — generating provenance for prebuilt binary package"
+ # shellcheck source=/dev/null
+ source upstream.conf
+
+ cat > ../build/provenance.json << EOF
+{
+ "$SOURCE" : {
+ "source_pkg_version": "${PKG_VERSION}",
+
+ "upstream_type": "prebuilt_binary",
+ "upstream_repo": "$ARTIFACTORY",
+ "upstream_repo_tag": "$TAG",
+ "src_distro": "$DISTRO",
+ "src_package_name": "$PACKAGE_NAME",
+
+ "pkg_repo": "${PKG_REPO}",
+ "pkg_repo_tag": "$PACKAGE_REPO_TAG",
+ "pkg_repo_commit": "$(git rev-parse HEAD)",
+
+ "binary_pkgs": $ALL_PKGS_JSON
+ }
+}
+EOF
+else
+ echo "ℹ️ No upstream.conf — generating provenance for source package"
+
+ : "${UPSTREAM_REPO:?UPSTREAM_REPO is required for source packages}"
+
+ NEAREST_UPSTREAM_BRANCH_TAG=$(git describe --tags --match 'upstream/*' --abbrev=0)
+ NEAREST_UPSTREAM_COMMIT=$(git rev-list -n 1 "$NEAREST_UPSTREAM_BRANCH_TAG")
+ NEAREST_UPSTREAM_TAG=$(git ls-remote --tags "https://github.com/${UPSTREAM_REPO}.git" | \
+ awk -v commit="$NEAREST_UPSTREAM_COMMIT" '$1 == commit && $2 ~ /refs\/tags\// { sub("refs/tags/", "", $2); print $2 }' | head -n1)
+
+ cat > ../build/provenance.json << EOF
+{
+ "$SOURCE" : {
+ "source_pkg_version": "${PKG_VERSION}",
+
+ "upstream_type": "source",
+ "upstream_repo": "${UPSTREAM_REPO}",
+ "upstream_repo_tag": "$NEAREST_UPSTREAM_TAG",
+ "upstream_repo_commit": "$NEAREST_UPSTREAM_COMMIT",
+
+ "pkg_repo": "${PKG_REPO}",
+ "pkg_repo_tag": "$PACKAGE_REPO_TAG",
+ "pkg_repo_commit": "$(git rev-parse HEAD)",
+ "pkg_repo_upstream_tag": "$NEAREST_UPSTREAM_BRANCH_TAG",
+
+ "binary_pkgs": $ALL_PKGS_JSON
+ }
+}
+EOF
+fi
+
+echo "Content of the provenance file:"
+cat ../build/provenance.json | sed 's/^/\x1b[34m/' | sed 's/$/\x1b[0m/'
From 776c4877c244ae81f537b20617775882531a1eac Mon Sep 17 00:00:00 2001
From: Keerthi Gowda
Date: Thu, 28 May 2026 15:01:56 -0700
Subject: [PATCH 2/3] refactor: extract push-provenance to a script
Move the 'Push provenance to qcom-distro-artifacts' inline shell block (43 lines) into scripts/push-provenance.sh. The workflow step is now a single line: run: ./qcom-build-utils/scripts/push-provenance.sh All env vars (GH_PAT, SUITE, BOT_NAME, BOT_EMAIL) are unchanged. No behaviour change.
Signed-off-by: Keerthi Gowda
---
 .../qcom-release-reusable-workflow.yml | 36 +-----------
 scripts/push-provenance.sh | 56 +++++++++++++++++++
 2 files changed, 57 insertions(+), 35 deletions(-)
 create mode 100755 scripts/push-provenance.sh
diff --git a/.github/workflows/qcom-release-reusable-workflow.yml b/.github/workflows/qcom-release-reusable-workflow.yml
index 0f7c9944..7c3dca9e 100644
--- a/.github/workflows/qcom-release-reusable-workflow.yml
+++ b/.github/workflows/qcom-release-reusable-workflow.yml
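Review bot: Both `cat > ../build/provenance.json << EOF` blocks build JSON by raw shell interpolation, so a `"` or `\` in `$SOURCE`, `$PKG_VERSION`, `$PACKAGE_REPO_TAG`, either tag name, or any of the four values sourced from `upstream.conf` produces invalid JSON or lets a packaging-branch commit inject extra keys into the provenance record — `jq -n --arg …` (jq is already a dependency of this script) escapes every value, as sketched below for the prebuilt branch. The awk filter on `git ls-remote --tags` also matches the peeled `refs/tags/<name>^{}` line that ls-remote emits for annotated tags, so `upstream_repo_tag` would be recorded as `v1.2^{}` whenever the matching upstream tag is annotated; adding `sub(/\^\{\}$/, "", $2)` after the existing `sub()` fixes that. Separately, `set -euo pipefail` is stricter than what the inline step presumably ran under (the Actions default for an un-annotated `run:` is `bash -e`, not visible here): an `upstream.conf` missing `ARTIFACTORY`/`TAG`/`DISTRO`/`PACKAGE_NAME` now aborts instead of emitting empty strings (arguably better, hence the explicit `:?` guards below), and `… | awk … | head -n1` can fail with SIGPIPE under pipefail when `head` closes the pipe before awk is done, so the commit message's "No behaviour change" is not quite accurate. `source upstream.conf` executes arbitrary shell from the package repo; since that repo already drives the build this is presumably not a new trust boundary, but the directive should say so rather than just silence the linter: `# shellcheck disable=SC1091 — upstream.conf ships in the package repo being built`.

```shell
# … unchanged: header, env checks, mkdir, cd, SOURCE / ALL_PKGS_JSON / PACKAGE_REPO_TAG …
if [[ -f "upstream.conf" ]]; then
  echo "ℹ️ upstream.conf found — generating provenance for prebuilt binary package"
  # shellcheck disable=SC1091 — upstream.conf ships in the package repo being built
  source upstream.conf
  # jq --arg JSON-escapes every value; :? fails loudly when upstream.conf omits a field
  jq -n \
    --arg source "$SOURCE" \
    --arg version "$PKG_VERSION" \
    --arg artifactory "${ARTIFACTORY:?upstream.conf must set ARTIFACTORY}" \
    --arg tag "${TAG:?upstream.conf must set TAG}" \
    --arg distro "${DISTRO:?upstream.conf must set DISTRO}" \
    --arg pkg_name "${PACKAGE_NAME:?upstream.conf must set PACKAGE_NAME}" \
    --arg pkg_repo "$PKG_REPO" \
    --arg pkg_tag "$PACKAGE_REPO_TAG" \
    --arg pkg_commit "$(git rev-parse HEAD)" \
    --argjson binary_pkgs "$ALL_PKGS_JSON" \
    '{($source): {
        source_pkg_version: $version,
        upstream_type: "prebuilt_binary",
        upstream_repo: $artifactory, upstream_repo_tag: $tag,
        src_distro: $distro, src_package_name: $pkg_name,
        pkg_repo: $pkg_repo, pkg_repo_tag: $pkg_tag, pkg_repo_commit: $pkg_commit,
        binary_pkgs: $binary_pkgs }}' \
    > ../build/provenance.json
else
  # … unchanged: source-package branch, rebuilt with the same jq -n pattern …
fi
```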
@@ -358,41 +358,7 @@ jobs: SUITE: ${{ inputs.suite }} BOT_NAME: ${{ vars.DEB_PKG_BOT_CI_NAME }} BOT_EMAIL: ${{ vars.DEB_PKG_BOT_CI_EMAIL }} - run: | - git clone "https://x-access-token:${GH_PAT}@github.com/qualcomm-linux/qcom-distro-artifacts.git" ./qcom-distro-artifacts - - cd qcom-distro-artifacts - - git config user.name "${BOT_NAME}" - git config user.email "${BOT_EMAIL}" - - mkdir -p "${SUITE}" - - SUITE_PROVENANCE="${SUITE}/provenance.json" - NEW_PROVENANCE="../build/provenance.json" - - if [[ -f "${SUITE_PROVENANCE}" ]]; then - jq -s --indent 2 '.[0] * .[1]' "${SUITE_PROVENANCE}" "${NEW_PROVENANCE}" > /tmp/merged_provenance.json - mv /tmp/merged_provenance.json "${SUITE_PROVENANCE}" - else - cp "${NEW_PROVENANCE}" "${SUITE_PROVENANCE}" - fi - - git add "${SUITE_PROVENANCE}" - - if git diff --cached --quiet; then - echo "Provenance unchanged, nothing to commit" - else - SOURCE_PKG=$(jq -r 'keys[0]' "${NEW_PROVENANCE}") - VERSION=$(jq -r '.[keys[0]].source_pkg_version' "${NEW_PROVENANCE}") - git commit -m "provenance: update ${SOURCE_PKG} ${VERSION} for ${SUITE}" - - for attempt in 1 2 3; do - git push origin main && break - echo "Push attempt ${attempt} failed, rebasing and retrying..." - git pull --rebase origin main - done - fi + run: ./qcom-build-utils/scripts/push-provenance.sh - name: Prepare build logs for upload working-directory: ./build/ diff --git a/scripts/push-provenance.sh b/scripts/push-provenance.sh new file mode 100755 index 00000000..21243e72 --- /dev/null +++ b/scripts/push-provenance.sh 
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+# push-provenance.sh — Push provenance.json to qcom-distro-artifacts.
+#
+# Clones qcom-distro-artifacts, merges the new provenance entry into the
+# suite-level provenance.json, and pushes with up to 3 rebase retries.
+#
+# Required environment variables:
+# GH_PAT — GitHub PAT with write access to qcom-distro-artifacts
+# SUITE — suite name, e.g. resolute, noble
+# BOT_NAME — git commit author name
+# BOT_EMAIL — git commit author email
+#
+# Expected input file:
+# build/provenance.json — written by create-provenance.sh
+
+set -euo pipefail
+
+: "${GH_PAT:?GH_PAT is required}"
+: "${SUITE:?SUITE is required}"
+: "${BOT_NAME:?BOT_NAME is required}"
+: "${BOT_EMAIL:?BOT_EMAIL is required}"
+
+git clone "https://x-access-token:${GH_PAT}@github.com/qualcomm-linux/qcom-distro-artifacts.git" ./qcom-distro-artifacts
+
+cd qcom-distro-artifacts
+
+git config user.name "${BOT_NAME}"
+git config user.email "${BOT_EMAIL}"
+
+mkdir -p "${SUITE}"
+
+SUITE_PROVENANCE="${SUITE}/provenance.json"
+NEW_PROVENANCE="../build/provenance.json"
+
+if [[ -f "${SUITE_PROVENANCE}" ]]; then
+ jq -s --indent 2 '.[0] * .[1]' "${SUITE_PROVENANCE}" "${NEW_PROVENANCE}" > /tmp/merged_provenance.json
+ mv /tmp/merged_provenance.json "${SUITE_PROVENANCE}"
+else
+ cp "${NEW_PROVENANCE}" "${SUITE_PROVENANCE}"
+fi
+
+git add "${SUITE_PROVENANCE}"
+
+if git diff --cached --quiet; then
+ echo "Provenance unchanged, nothing to commit"
+else
+ SOURCE_PKG=$(jq -r 'keys[0]' "${NEW_PROVENANCE}")
+ VERSION=$(jq -r '.[keys[0]].source_pkg_version' "${NEW_PROVENANCE}")
+ git commit -m "provenance: update ${SOURCE_PKG} ${VERSION} for ${SUITE}"
+
+ for attempt in 1 2 3; do
+ git push origin main && break
+ echo "Push attempt ${attempt} failed, rebasing and retrying..."
+ git pull --rebase origin main
+ done
+fi
From dacfe7f6c426f664fe99a63299a0caeda28f451e Mon Sep 17 00:00:00 2001
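Review bot: The retry loop at the end (`for attempt in 1 2 3; do git push origin main && break; …`) exits 0 after three failed pushes — `set -e` does not fire on the `&&` list and nothing is checked after `done` — so a release can finish green with the provenance entry never published; track a `pushed` flag and `exit 1` when it stays unset, as below. The PAT is also embedded in the clone URL, which persists it in `qcom-distro-artifacts/.git/config` on the runner for the rest of the job and puts it in any git error that echoes the remote URL; passing it per command via `-c http.https://github.com/.extraheader=…` keeps it out of the working tree (Actions' secret masking is still what protects the log). The `jq -s '.[0] * .[1]'` deep merge keeps keys from the old entry that the new one lacks — `upstream_repo_commit` and `pkg_repo_upstream_tag` would survive if a package switches from source to `prebuilt_binary` — so if the intent is to replace a package's record wholesale, `.[0] + .[1]` (top-level key override) is the safer operator; I cannot tell from here which is intended. `/tmp/merged_provenance.json` is a fixed path shared by every job on the runner; `mktemp` or a sibling `"${SUITE_PROVENANCE}.tmp"` avoids collisions.

```shell
# … unchanged: header, env checks …
# Supply the token per command instead of baking it into the remote URL, so it
# never lands in .git/config or in git's "unable to access <url>" messages.
auth_header="AUTHORIZATION: basic $(printf 'x-access-token:%s' "${GH_PAT}" | base64 -w0)"
git_auth=(-c "http.https://github.com/.extraheader=${auth_header}")
git "${git_auth[@]}" clone https://github.com/qualcomm-linux/qcom-distro-artifacts.git ./qcom-distro-artifacts
# … unchanged: cd, git config, merge, git add, diff/commit …
  pushed=0
  for attempt in 1 2 3; do
    if git "${git_auth[@]}" push origin main; then
      pushed=1
      break
    fi
    echo "Push attempt ${attempt} failed, rebasing and retrying..." >&2
    git "${git_auth[@]}" pull --rebase origin main
  done
  if (( pushed == 0 )); then
    echo "ERROR: could not push provenance for ${SUITE} after 3 attempts" >&2
    exit 1
  fi
```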
From: Keerthi Gowda Date: Thu, 28 May 2026 15:38:01 -0700 Subject: [PATCH 3/3] fix: add license headers to provenance scripts Add SPDX-License-Identifier: BSD-3-Clause-Clear header to scripts/create-provenance.sh and scripts/push-provenance.sh as required by the copyright check. Signed-off-by: Keerthi Gowda --- scripts/create-provenance.sh | 3 +++ scripts/push-provenance.sh | 3 +++ 2 files changed, 6 insertions(+) diff --git a/scripts/create-provenance.sh b/scripts/create-provenance.sh index 79065ecc..039ed3b3 100755 --- a/scripts/create-provenance.sh +++ b/scripts/create-provenance.sh @@ -1,4 +1,7 @@ #!/usr/bin/env bash +# Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries. +# +# SPDX-License-Identifier: BSD-3-Clause-Clear # create-provenance.sh — Generate provenance.json for a Debian package release. # # Writes build/provenance.json (relative to the caller's working directory). diff --git a/scripts/push-provenance.sh b/scripts/push-provenance.sh index 21243e72..9aee62ee 100755 --- a/scripts/push-provenance.sh +++ b/scripts/push-provenance.sh @@ -1,4 +1,7 @@ #!/usr/bin/env bash +# Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries. +# +# SPDX-License-Identifier: BSD-3-Clause-Clear # push-provenance.sh — Push provenance.json to qcom-distro-artifacts. # # Clones qcom-distro-artifacts, merges the new provenance entry into the