Add scripts to update the upstream kernel

These scripts are separated in 2 parts:
 * Get the latest kernel and try to rebase the apertis kernel on it
 * Push the changes and create merge requests for the pristine-lfs and
   apertis/v.*-security branches

Signed-off-by: Detlev Casanova <detlev.casanova@collabora.com>

tools/Makefile

@@ -10,7 +10,9 @@ TOOLS = \
 	apertis-pkg-pull-updates \
 	apertis-switch-coreutils-rust \
 	import-debian-package \
-	apertis-abi-compare
+	apertis-abi-compare \
+	apertis-push-upstream-kernel \
+	apertis-rebase-upstream-kernel
 
 all:
 

tools/apertis-push-upstream-kernel

+#!/bin/bash
+
+# This script pushes the branch that has been rebased on the latest kernel that
+# was generated by the apertis-rebase-upstream-kernel script.
+# It also updates the pristine-lfs branch and pushes it to the remote.
+# Finally, it creates merge requests for both branches.
+
+# A rebased-update/upstream/${APERTIS_RELEASE}-security/${UPSTREAM_VERSION}-kernel-update
+# branch must be checked out on the local linux git repository before running this script.
+
+# Arguments
+# $1: Path to apertis linux sources
+
+set -xe
+
+BUILD_DIR=$(mktemp -d)
+PACKAGING_TOOLS_DIR=$(mktemp -d)
+
+# Print script usage
+print_usage() {
+    echo "Usage:"
+    echo "  $0 <PATH_TO_LINUX_SOURCES>"
+}
+
+# After a rebase on the latest upstream kernel, some patches may have been
+# dropped.
+# This function removes them from the debian/patches/series file without
+# removing the file's comments.
+remove_dropped_patches() {
+    git restore debian/patches/series
+
+    git ls-files --deleted | while read deleted; do
+        git rm ${deleted}
+        patch=$(echo $deleted | sed 's%^debian/patches/%%')
+        sed -i "s%${patch}%%" debian/patches/series
+    done
+}
+
+# Update the patch list and release the new apertis version based on
+# the lastest upstream kernel with updated metadata.
+# args:
+#   $1: Apertis version to be released (e.g.: 5.15.42-0+apertis1)
+#   $2: Upstream kernel release (e.g.: 5.15)
+make_release() {
+    local APERTIS_VERSION="$1"
+    local UPSTREAM_RELEASE="$2"
+
+    git add -f debian/patches
+    git commit -s -m "Update the debian patches for ${APERTIS_VERSION} update"
+
+    dch -D apertis "Sync to linux v${UPSTREAM_RELEASE} LTS release."
+
+    # Update the metadata. This script is supposed to fail
+    debian/apertis/update-metadata || true
+
+    # Add all modified files
+    git ls-files --modified | xargs git add -f
+
+    git commit -s -m "Release linux version ${APERTIS_VERSION}"
+}
+
+# Build the dsc file and update the pristine-lfs branch with it.
+# args:
+#   $1: Apertis version to be released (e.g.: 5.15.42-0+apertis1)
+#   $2: Apertis release suite (e.g.: v2022)
+update_pristine_lfs() {
+    local APERTIS_VERSION="$1"
+    local APERTIS_RELEASE="$2"
+
+    # Install build dependencies
+    apt update
+    DEBIAN_FRONTEND=noninteractive apt -y --no-install-recommends build-dep ./
+
+    # Build DSC file
+    gbp buildpackage \
+        --git-ignore-new \
+        --git-debian-branch=apertis/${APERTIS_RELEASE}-security \
+        --git-prebuild='debian/rules debian/control || true' \
+        --git-export-dir="${BUILD_DIR}" \
+        --no-sign -us -S
+
+    git clone \
+        https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.apertis.org/infrastructure/packaging-tools.git \
+        ${PACKAGING_TOOLS_DIR}
+
+    # Update pristine-lfs branch
+    git fetch --depth=1 origin pristine-lfs
+    git branch pristine-lfs origin/pristine-lfs
+
+    ${PACKAGING_TOOLS_DIR}/import-tarballs "${BUILD_DIR}/linux_${APERTIS_VERSION}.dsc"
+}
+
+# Push new local branch and create the merge request for the -security branches
+# as well as the updated pristine branch.
+#   $1: Apertis release suite (e.g.: v2022)
+#   $2: Apertis version to be released (e.g.: 5.15.42-0+apertis1)
+#   $3: Upstream kernel version (e.g.: v5.15.42)
+create_merge_requests() {
+    local APERTIS_RELEASE="$1"
+    local APERTIS_VERSION="$2"
+    local UPSTREAM_VERSION="$3"
+
+    local TARGET_BRANCH="apertis/${APERTIS_RELEASE}-security"
+
+    # Push the updated pristine branch and create merge request
+    git push \
+        -o "merge_request.create" \
+        -o "merge_request.remove_source_branch" \
+        -o "merge_request.assignee_id=${GITLAB_USER_ID}" \
+        -o "merge_request.target=pristine-lfs" \
+        -o "merge_request.title=\"Draft: [pristine] Update upstream kernel to ${UPSTREAM_VERSION}\"" \
+        ${CI_AUTH_PROJECT_URL} \
+        pristine-lfs:updated/pristine-lfs/${UPSTREAM_VERSION}-kernel-update
+
+    # Push rebased branch and create merge request
+    git push \
+        -o "merge_request.create" \
+        -o "merge_request.remove_source_branch" \
+        -o "merge_request.assignee_id=${GITLAB_USER_ID}" \
+        -o "merge_request.target=${TARGET_BRANCH}" \
+        -o "merge_request.title=\"Draft: [apertis/v2022-security] Update upstream kernel to ${UPSTREAM_VERSION}\"" \
+        ${CI_AUTH_PROJECT_URL} \
+        rebased-update/upstream/${APERTIS_RELEASE}-security/${UPSTREAM_VERSION}-kernel-update:proposed-updates/upstream/${APERTIS_RELEASE}-security/${UPSTREAM_VERSION}-kernel-update
+
+    # Push the new tag
+    git tag ${APERTIS_VERSION}
+    git push ${CI_AUTH_PROJECT_URL} ${APERTIS_VERSION}
+}
+
+cleanup() {
+    # Remove temporary folders
+    rm -fr "${PACKAGING_TOOLS_DIR}" "${BUILD_DIR}"
+
+    # Go back to the previous folder
+    popd
+}
+
+trap cleanup EXIT
+
+if [ -z "$1" ]; then
+    echo "Path to apertis linux sources must be provided"
+    print_usage
+    exit 1
+fi
+LINUX_SOURCES="$1"
+
+pushd ${LINUX_SOURCES}
+
+APERTIS_RELEASE=$(git branch --show-current | sed 's#.*/upstream/\(v.*\)-security/.*#\1#')
+if [ -z "${APERTIS_RELEASE}" ]; then
+    echo "Cannot get apertis release suite. Check that you are running this script on a rebased-update/upstream/v*-security/v*-kernel-update branch."
+    exit 1
+fi
+
+# Get upstream release (e.g. 5.15)
+UPSTREAM_RELEASE=$(git branch --show-current | sed 's#.*/upstream/v.*-security/v\([0-9]\+\.[0-9]\+\)\.[0-9]\+-kernel-update$#\1#')
+if ! echo ${UPSTREAM_RELEASE} | grep -q '^[0-9]\+\.[0-9]\+$'; then
+    echo "Cannot get upstream release. Check that you are running this script on a rebased-update/upstream/v*-security/v*-kernel-update branch."
+    exit 1
+fi
+
+UPSTREAM_VERSION=$(git branch --show-current | sed 's#.*/upstream/v.*-security/v\([0-9]\+\.[0-9]\+\.[0-9]\+\)-kernel-update$#\1#')
+APERTIS_VERSION="${UPSTREAM_VERSION#v}-0+apertis1"
+
+remove_dropped_patches
+
+make_release \
+    ${APERTIS_VERSION} \
+    ${UPSTREAM_RELEASE}
+
+update_pristine_lfs \
+    ${APERTIS_VERSION} \
+    ${APERTIS_RELEASE}
+
+create_merge_requests \
+    ${APERTIS_RELEASE} \
+    ${APERTIS_VERSION} \
+    ${UPSTREAM_VERSION}

tools/apertis-rebase-upstream-kernel

+#!/bin/bash
+
+# This script is used to rebase the apertis kernel on the latest upstream kernel.
+# See more information there:
+# https://www.apertis.org/guides/buildingpatchingandmaintainingtheapertiskernel/#updating-the-kernel-from-an-upstream-stable-git-branch
+#
+# The apertis linux sources git local repository must have a apertis/v.*-security branch checked
+# out (e.g.: apertis/v2022-security).
+#
+# Arguments
+# $1: Path to apertis linux sources
+
+set -xe
+
+LINUX_STABLE_DIR=$(mktemp -d)
+
+# Print script usage
+print_usage() {
+    echo "Usage:"
+    echo "  $0 <PATH_TO_LINUX_SOURCES>"
+}
+
+# Fetch the latest version of the upstream release branch
+# args:
+#   $1: Upstream kernel release
+fetch_upstream_remote() {
+    local UPSTREAM_RELEASE="$1"
+
+    git clone \
+        -b "linux-${UPSTREAM_RELEASE}.y" \
+        --depth=1 \
+        git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git \
+        ${LINUX_STABLE_DIR}
+}
+
+# Push the branch so that it can be pulled from the remote to be manually rebased
+#   $1: Apertis release suite (e.g.: v2022)
+#   $2: Upstream kernel version (e.g.: v5.15.42)
+push_rebase_failed() {
+    local APERTIS_RELEASE="$1"
+    local UPSTREAM_VERSION="$2"
+
+    git push \
+        ${CI_AUTH_PROJECT_URL} \
+        apertis/${APERTIS_RELEASE}-security:failed-update/upstream/${APERTIS_RELEASE}-security/${UPSTREAM_VERSION}-kernel-update
+
+    echo "Could not rebase the patch queue on upstream/linux-${UPSTREAM_RELEASE}.y, a manual rebase is necessary:"
+    echo "  git pull
+  git checkout apertis/v2022-security
+  gbp pq import
+  git branch -m patch-queue/failed-update/upstream/${APERTIS_RELEASE}-security/${UPSTREAM_VERSION}-kernel-update
+  git checkout failed-update/upstream/${APERTIS_RELEASE}-security/${UPSTREAM_VERSION}-kernel-update
+  gbp pq rebase
+  [fix issues]
+  gbp pq export
+  [check and remove unused patches in debian/patches/series]
+  git checkout -b rebased-update/upstream/${APERTIS_RELEASE}-security/${UPSTREAM_VERSION}-kernel-update
+  git push -u origin rebased-update/upstream/${APERTIS_RELEASE}-security/${UPSTREAM_VERSION}-kernel-update"
+}
+
+# Create a branch with the correct name for the apertis-push-upstream-kernel script to continue work
+#   $1: Apertis release suite (e.g.: v2022)
+#   $2: Upstream kernel version (e.g.: v5.15.42)
+prepare_for_push() {
+    local APERTIS_RELEASE="$1"
+    local UPSTREAM_VERSION="$2"
+
+    git checkout -b rebased-update/upstream/${APERTIS_RELEASE}-security/${UPSTREAM_VERSION}-kernel-update
+}
+
+# Import the orig tarball and rebase patches on it
+# args:
+#   $1: Apertis release version (e.g.: 5.15.42-0+apertis1)
+#   $2: Apertis release suite (e.g.: v2022)
+#   $3: Upstream kernel release (e.g.: 5.15)
+#   $4: Upstream kernel version (e.g.: v5.15.42)
+import_orig_tarball() {
+    local APERTIS_VERSION="$1"
+    local APERTIS_RELEASE="$2"
+    local UPSTREAM_RELEASE="$3"
+    local UPSTREAM_VERSION="$4"
+
+    gbp pq import
+    gbp pq switch
+
+    dch -v "${APERTIS_VERSION}" ""
+    git add -f debian/changelog
+    git commit -s -m "Add changelog entry for update to ${APERTIS_VERSION}"
+
+    debian/bin/genorig.py ${LINUX_STABLE_DIR}
+
+    git fetch --depth=1 origin upstream/linux-${UPSTREAM_RELEASE}.y
+    git branch \
+        upstream/linux-${UPSTREAM_RELEASE}.y \
+        origin/upstream/linux-${UPSTREAM_RELEASE}.y
+
+    gbp import-orig \
+        -u ${UPSTREAM_VERSION#v} \
+        --upstream-branch=upstream/linux-${UPSTREAM_RELEASE}.y \
+        --debian-branch=apertis/${APERTIS_RELEASE}-security \
+        ../orig/linux_${UPSTREAM_VERSION#v}.orig.tar.xz
+
+    if ! gbp pq rebase; then
+        # push the branch as is and warn the user about the rebase error and what to do from here.
+        push_rebase_failed ${APERTIS_RELEASE} ${UPSTREAM_VERSION}
+        exit 1
+    fi
+
+    gbp pq export
+
+    prepare_for_push ${APERTIS_RELEASE} ${UPSTREAM_VERSION}
+}
+
+cleanup() {
+    # Remove temporary folders
+    rm -fr "${LINUX_STABLE_DIR}"
+
+    # Go back to the previous folder
+    popd
+}
+
+trap cleanup EXIT
+
+if [ -z "$1" ]; then
+    echo "Path to apertis linux sources must be provided"
+    print_usage
+    exit 1
+fi
+LINUX_SOURCES="$1"
+
+pushd ${LINUX_SOURCES}
+
+APERTIS_RELEASE=$(git branch --show-current | sed 's/apertis\/\(v.*\)-security$/\1/')
+
+if [ -z "${APERTIS_RELEASE}" ]; then
+    echo "Cannot get apertis release suite. Check that you are running this pipeline on an apertis/v*-security branch."
+    exit 1
+fi
+
+# Get upstream release (e.g. 5.15)
+UPSTREAM_RELEASE=$(git describe | sed 's#apertis/\([0-9]\+\.[0-9]\+\)\..*#\1#')
+if ! echo ${UPSTREAM_RELEASE} | grep -q '^[0-9]\+\.[0-9]\+$'; then
+    echo "Cannot get upstream release. Check that you are running this pipeline on an apertis/v*-security branch."
+    exit 1
+fi
+
+fetch_upstream_remote "${UPSTREAM_RELEASE}"
+
+UPSTREAM_VERSION=$(git -C ${LINUX_STABLE_DIR} describe linux-${UPSTREAM_RELEASE}.y)
+APERTIS_VERSION="${UPSTREAM_VERSION#v}-0+apertis1"
+
+import_orig_tarball \
+    ${APERTIS_VERSION} \
+    ${APERTIS_RELEASE} \
+    ${UPSTREAM_RELEASE} \
+    ${UPSTREAM_VERSION}