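--- a/.github/workflows/qcom-release-reusable-workflow.yml
+++ b/.github/workflows/qcom-release-reusable-workflow.yml
@@ -309,71 +309,7 @@ jobs:
 UPSTREAM_REPO: ${{ vars.UPSTREAM_REPO_GITHUB_NAME }}
 PKG_VERSION: ${{ steps.changelog.outputs.version }}
 PKG_REPO: ${{ github.repository }}
-run: |
-mkdir build
-
-cd package-repo
-
-SOURCE=$(grep-dctrl -n -s Source -r '' debian/control | head -n1)
-ALL_PKGS=$(grep-dctrl -n -s Package -r '' debian/control | sort -u)
-ALL_PKGS_JSON=$(printf '%s\n' "$ALL_PKGS" | jq -c -R -s 'split("\n") | map(select(length>0))')
-
-PACKAGE_REPO_TAG=$(git describe --tags --match "${DISTRO_CODENAME}/*" --abbrev=0 "${DEBIAN_BRANCH}")
-
-if [[ -f "upstream.conf" ]]; then
-echo "ℹ️ upstream.conf found — generating provenance for prebuilt binary package"
-source upstream.conf
-
-cat > ../build/provenance.json << EOF
-{
-"$SOURCE" : {
-"source_pkg_version": "${PKG_VERSION}",
-
-"upstream_type": "prebuilt_binary",
-"upstream_repo": "$ARTIFACTORY",
-"upstream_repo_tag": "$TAG",
-"src_distro": "$DISTRO",
-"src_package_name": "$PACKAGE_NAME",
-
-"pkg_repo": "${PKG_REPO}",
-"pkg_repo_tag": "$PACKAGE_REPO_TAG",
-"pkg_repo_commit": "$(git rev-parse HEAD)",
-
-"binary_pkgs": $ALL_PKGS_JSON
-}
-}
-EOF
-else
-echo "ℹ️ No upstream.conf — generating provenance for source package"
-
-NEAREST_UPSTREAM_BRANCH_TAG=$(git describe --tags --match 'upstream/*' --abbrev=0)
-NEAREST_UPSTREAM_COMMIT=$(git rev-list -n 1 "$NEAREST_UPSTREAM_BRANCH_TAG")
-NEAREST_UPSTREAM_TAG=$(git ls-remote --tags "https://github.com/${UPSTREAM_REPO}.git" | \
-awk -v commit="$NEAREST_UPSTREAM_COMMIT" '$1 == commit && $2 ~ /refs\/tags\// { sub("refs/tags/", "", $2); print $2 }' | head -n1)
-
-cat > ../build/provenance.json << EOF
-{
-"$SOURCE" : {
-"source_pkg_version": "${PKG_VERSION}",
-
-"upstream_type": "source",
-"upstream_repo": "${UPSTREAM_REPO}",
-"upstream_repo_tag": "$NEAREST_UPSTREAM_TAG",
-"upstream_repo_commit": "$NEAREST_UPSTREAM_COMMIT",
-
-"pkg_repo": "${PKG_REPO}",
-"pkg_repo_tag": "$PACKAGE_REPO_TAG",
-"pkg_repo_commit": "$(git rev-parse HEAD)",
-"pkg_repo_upstream_tag": "$NEAREST_UPSTREAM_BRANCH_TAG",
-
-"binary_pkgs": $ALL_PKGS_JSON
-}
-}
-EOF
-fi
-
-echo "Content of the provenance file:"
-cat ../build/provenance.json | sed 's/^/\x1b[34m/' | sed 's/$/\x1b[0m/'
+run: ./qcom-build-utils/scripts/create-provenance.sh
 
 - name: Build Debian Packages
 uses: ./qcom-build-utils/.github/actions/build_package
@@ -422,41 +358,7 @@ jobs:
 SUITE: ${{ inputs.suite }}
 BOT_NAME: ${{ vars.DEB_PKG_BOT_CI_NAME }}
 BOT_EMAIL: ${{ vars.DEB_PKG_BOT_CI_EMAIL }}
-run: |
-git clone "https://x-access-token:${GH_PAT}@github.com/qualcomm-linux/qcom-distro-artifacts.git" ./qcom-distro-artifacts
-
-cd qcom-distro-artifacts
-
-git config user.name "${BOT_NAME}"
-git config user.email "${BOT_EMAIL}"
-
-mkdir -p "${SUITE}"
-
-SUITE_PROVENANCE="${SUITE}/provenance.json"
-NEW_PROVENANCE="../build/provenance.json"
-
-if [[ -f "${SUITE_PROVENANCE}" ]]; then
-jq -s --indent 2 '.[0] * .[1]' "${SUITE_PROVENANCE}" "${NEW_PROVENANCE}" > /tmp/merged_provenance.json
-mv /tmp/merged_provenance.json "${SUITE_PROVENANCE}"
-else
-cp "${NEW_PROVENANCE}" "${SUITE_PROVENANCE}"
-fi
-
-git add "${SUITE_PROVENANCE}"
-
-if git diff --cached --quiet; then
-echo "Provenance unchanged, nothing to commit"
-else
-SOURCE_PKG=$(jq -r 'keys[0]' "${NEW_PROVENANCE}")
-VERSION=$(jq -r '.[keys[0]].source_pkg_version' "${NEW_PROVENANCE}")
-git commit -m "provenance: update ${SOURCE_PKG} ${VERSION} for ${SUITE}"
-
-for attempt in 1 2 3; do
-git push origin main && break
-echo "Push attempt ${attempt} failed, rebasing and retrying..."
-git pull --rebase origin main
-done
-fi
+run: ./qcom-build-utils/scripts/push-provenance.sh
 
 - name: Prepare build logs for upload
 working-directory: ./build/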
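Review bot: Both new `run:` lines execute whatever sits under `./qcom-build-utils/scripts/` in the job's checkout, and the second script requires `GH_PAT`, yet the step that checks out qcom-build-utils and the ref it uses are outside both hunks. If that ref can differ from the ref of this reusable workflow, the code that handles the token is no longer reviewed together with the workflow that calls it; a comment such as `# runs from the qcom-build-utils checkout; keep its ref in step with this workflow` above each `run:` would record the dependency. Direct execution also depends on the scripts being committed with the executable bit, which this page does not show; `run: bash ./qcom-build-utils/scripts/push-provenance.sh` (and likewise for create-provenance.sh) removes that dependency.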
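--- a/scripts/create-provenance.sh
+++ b/scripts/create-provenance.sh
@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+# Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
+#
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+# create-provenance.sh — Generate provenance.json for a Debian package release.
+#
+# Writes build/provenance.json (relative to the caller's working directory).
+# Supports both source packages and prebuilt binary packages (upstream.conf).
+#
+# Required environment variables:
+# DISTRO_CODENAME — suite name, e.g. resolute, noble, trixie
+# DEBIAN_BRANCH — packaging branch, e.g. qcom/ubuntu/resolute
+# PKG_VERSION — debian version string from changelog
+# PKG_REPO — GitHub repository slug, e.g. qualcomm-linux/pkg-kgsl
+# UPSTREAM_REPO — upstream GitHub repo slug (source packages only)
+
+set -euo pipefail
+
+: "${DISTRO_CODENAME:?DISTRO_CODENAME is required}"
+: "${DEBIAN_BRANCH:?DEBIAN_BRANCH is required}"
+: "${PKG_VERSION:?PKG_VERSION is required}"
+: "${PKG_REPO:?PKG_REPO is required}"
+
+mkdir -p build
+
+cd package-repo
+
+SOURCE=$(grep-dctrl -n -s Source -r '' debian/control | head -n1)
+ALL_PKGS=$(grep-dctrl -n -s Package -r '' debian/control | sort -u)
+ALL_PKGS_JSON=$(printf '%s\n' "$ALL_PKGS" | jq -c -R -s 'split("\n") | map(select(length>0))')
+
+PACKAGE_REPO_TAG=$(git describe --tags --match "${DISTRO_CODENAME}/*" --abbrev=0 "${DEBIAN_BRANCH}")
+
+if [[ -f "upstream.conf" ]]; then
+echo "ℹ️ upstream.conf found — generating provenance for prebuilt binary package"
+# shellcheck source=/dev/null
+source upstream.conf
+
+cat > ../build/provenance.json << EOF
+{
+"$SOURCE" : {
+"source_pkg_version": "${PKG_VERSION}",
+
+"upstream_type": "prebuilt_binary",
+"upstream_repo": "$ARTIFACTORY",
+"upstream_repo_tag": "$TAG",
+"src_distro": "$DISTRO",
+"src_package_name": "$PACKAGE_NAME",
+
+"pkg_repo": "${PKG_REPO}",
+"pkg_repo_tag": "$PACKAGE_REPO_TAG",
+"pkg_repo_commit": "$(git rev-parse HEAD)",
+
+"binary_pkgs": $ALL_PKGS_JSON
+}
+}
+EOF
+else
+echo "ℹ️ No upstream.conf — generating provenance for source package"
+
+: "${UPSTREAM_REPO:?UPSTREAM_REPO is required for source packages}"
+
+NEAREST_UPSTREAM_BRANCH_TAG=$(git describe --tags --match 'upstream/*' --abbrev=0)
+NEAREST_UPSTREAM_COMMIT=$(git rev-list -n 1 "$NEAREST_UPSTREAM_BRANCH_TAG")
+NEAREST_UPSTREAM_TAG=$(git ls-remote --tags "https://github.com/${UPSTREAM_REPO}.git" | \
+awk -v commit="$NEAREST_UPSTREAM_COMMIT" '$1 == commit && $2 ~ /refs\/tags\// { sub("refs/tags/", "", $2); print $2 }' | head -n1)
+
+cat > ../build/provenance.json << EOF
+{
+"$SOURCE" : {
+"source_pkg_version": "${PKG_VERSION}",
+
+"upstream_type": "source",
+"upstream_repo": "${UPSTREAM_REPO}",
+"upstream_repo_tag": "$NEAREST_UPSTREAM_TAG",
+"upstream_repo_commit": "$NEAREST_UPSTREAM_COMMIT",
+
+"pkg_repo": "${PKG_REPO}",
+"pkg_repo_tag": "$PACKAGE_REPO_TAG",
+"pkg_repo_commit": "$(git rev-parse HEAD)",
+"pkg_repo_upstream_tag": "$NEAREST_UPSTREAM_BRANCH_TAG",
+
+"binary_pkgs": $ALL_PKGS_JSON
+}
+}
+EOF
+fi
+
+echo "Content of the provenance file:"
+cat ../build/provenance.json | sed 's/^/\x1b[34m/' | sed 's/$/\x1b[0m/'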
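Review bot: Both heredocs assemble provenance.json by pasting shell values between literal quotes, so a `"` or backslash in `$SOURCE`, in a value set by `upstream.conf`, or in a git tag name produces invalid JSON or additional keys in the provenance record. Only `binary_pkgs` is encoded with jq; building the whole object with `jq -n --arg` encodes every field, as sketched below for the source-package branch. Note also that `source upstream.conf` executes that file as shell inside the release job, and that an empty `NEAREST_UPSTREAM_TAG` is written without any warning when no remote tag points at the commit.

```shell
# … unchanged: SOURCE, ALL_PKGS_JSON, PACKAGE_REPO_TAG and the upstream tag lookups …
jq -n \
  --arg source "$SOURCE" \
  --arg version "$PKG_VERSION" \
  --arg upstream_repo "$UPSTREAM_REPO" \
  --arg upstream_repo_tag "$NEAREST_UPSTREAM_TAG" \
  --arg upstream_repo_commit "$NEAREST_UPSTREAM_COMMIT" \
  --arg pkg_repo "$PKG_REPO" \
  --arg pkg_repo_tag "$PACKAGE_REPO_TAG" \
  --arg pkg_repo_commit "$(git rev-parse HEAD)" \
  --arg pkg_repo_upstream_tag "$NEAREST_UPSTREAM_BRANCH_TAG" \
  --argjson binary_pkgs "$ALL_PKGS_JSON" \
  '{($source): {
      source_pkg_version: $version,
      upstream_type: "source",
      upstream_repo: $upstream_repo,
      upstream_repo_tag: $upstream_repo_tag,
      upstream_repo_commit: $upstream_repo_commit,
      pkg_repo: $pkg_repo,
      pkg_repo_tag: $pkg_repo_tag,
      pkg_repo_commit: $pkg_repo_commit,
      pkg_repo_upstream_tag: $pkg_repo_upstream_tag,
      binary_pkgs: $binary_pkgs
    }}' > ../build/provenance.json
# … the prebuilt_binary branch takes the same shape with its own fields …
```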
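--- a/scripts/push-provenance.sh
+++ b/scripts/push-provenance.sh
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+# Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
+#
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+# push-provenance.sh — Push provenance.json to qcom-distro-artifacts.
+#
+# Clones qcom-distro-artifacts, merges the new provenance entry into the
+# suite-level provenance.json, and pushes with up to 3 rebase retries.
+#
+# Required environment variables:
+# GH_PAT — GitHub PAT with write access to qcom-distro-artifacts
+# SUITE — suite name, e.g. resolute, noble
+# BOT_NAME — git commit author name
+# BOT_EMAIL — git commit author email
+#
+# Expected input file:
+# build/provenance.json — written by create-provenance.sh
+
+set -euo pipefail
+
+: "${GH_PAT:?GH_PAT is required}"
+: "${SUITE:?SUITE is required}"
+: "${BOT_NAME:?BOT_NAME is required}"
+: "${BOT_EMAIL:?BOT_EMAIL is required}"
+
+git clone "https://x-access-token:${GH_PAT}@github.com/qualcomm-linux/qcom-distro-artifacts.git" ./qcom-distro-artifacts
+
+cd qcom-distro-artifacts
+
+git config user.name "${BOT_NAME}"
+git config user.email "${BOT_EMAIL}"
+
+mkdir -p "${SUITE}"
+
+SUITE_PROVENANCE="${SUITE}/provenance.json"
+NEW_PROVENANCE="../build/provenance.json"
+
+if [[ -f "${SUITE_PROVENANCE}" ]]; then
+jq -s --indent 2 '.[0] * .[1]' "${SUITE_PROVENANCE}" "${NEW_PROVENANCE}" > /tmp/merged_provenance.json
+mv /tmp/merged_provenance.json "${SUITE_PROVENANCE}"
+else
+cp "${NEW_PROVENANCE}" "${SUITE_PROVENANCE}"
+fi
+
+git add "${SUITE_PROVENANCE}"
+
+if git diff --cached --quiet; then
+echo "Provenance unchanged, nothing to commit"
+else
+SOURCE_PKG=$(jq -r 'keys[0]' "${NEW_PROVENANCE}")
+VERSION=$(jq -r '.[keys[0]].source_pkg_version' "${NEW_PROVENANCE}")
+git commit -m "provenance: update ${SOURCE_PKG} ${VERSION} for ${SUITE}"
+
+for attempt in 1 2 3; do
+git push origin main && break
+echo "Push attempt ${attempt} failed, rebasing and retrying..."
+git pull --rebase origin main
+done
+fi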
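Review bot: The retry loop at the end exits successfully even when all three pushes fail: the failing `git push` sits on the left of `&&`, so `set -e` does not fire, and the last command the loop runs is a `git pull --rebase` that returns 0. The job then continues with no provenance recorded; set `pushed=0` before the loop, use `git push origin main && { pushed=1; break; }`, and add `(( pushed )) || { echo "push failed after 3 attempts" >&2; exit 1; }` after `done`. Separately, the clone URL embeds `GH_PAT`, so the token is stored as the origin URL in the clone's `.git/config` for the rest of the job; a credential helper that reads `GH_PAT` from the environment would keep it out of that file. The merge also writes to the fixed path `/tmp/merged_provenance.json`, where a `mktemp` file would be safer.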