
Merge pull request #1198 from linux-surface/more-space-please

Increase the available space on the GitHub runners, Update Fedora to 6.4
Dorian Stoll 1 年之前
父節點
當前提交
ba8e475d3b

+ 33 - 0
.github/scripts/container/create.sh

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+if [ -z "${GITHUB_REPOSITORY_ID:-}" ]; then
+    echo "GITHUB_REPOSITORY_ID is unset!"
+    exit 1
+fi
+
+if [ -z "${GITHUB_WORKSPACE:-}" ]; then
+    echo "GITHUB_WORKSPACE is unset!"
+    exit 1
+fi
+
+IMAGE="${1:-}"
+
+if [ -z "${IMAGE}" ]; then
+    echo "Container image is unset!"
+    exit 1
+fi
+
+if command -v docker &> /dev/null; then
+    DOCKER="docker"
+elif command -v podman &> /dev/null; then
+    DOCKER="podman"
+else
+    echo "Could not find docker / podman!"
+    exit 1
+fi
+
+exec "${DOCKER}" run -d --name "${GITHUB_REPOSITORY_ID}" \
+    -v "${GITHUB_WORKSPACE}:/working" --workdir "/working" \
+    --entrypoint "tail" "${IMAGE}" -f /dev/null
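Review bot: create.sh has no header comment stating its contract, and the purpose of `--entrypoint "tail" ... -f /dev/null` is not obvious to a reader of the final `exec` line. I would add below the shebang `# Usage: create.sh IMAGE - start a detached container named $GITHUB_REPOSITORY_ID with $GITHUB_WORKSPACE mounted at /working.` and above the `exec` line `# tail -f /dev/null keeps the container alive so exec.sh can run commands in it.` The comment should also say that no `--user` is passed and the workspace is mounted read-write, because the workflows later hand signing keys to this container through exec.sh.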

+ 46 - 0
.github/scripts/container/exec.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+if [ -z "${GITHUB_REPOSITORY_ID:-}" ]; then
+    echo "GITHUB_REPOSITORY_ID is unset!"
+    exit 1
+fi
+
+if [ -z "${1:-}" ]; then
+    echo "Arguments are unset!"
+    exit 1
+fi
+
+ENVVARS=()
+COMMAND=()
+
+while (( "${#}" )); do
+    case "$1" in
+    -e)
+        ENVVARS+=("-e")
+        shift
+
+        ENVVARS+=("$1")
+        shift
+        ;;
+    --)
+        shift
+        while (( "${#}" )); do
+            COMMAND+=("$1")
+            shift
+        done
+        ;;
+    esac
+done
+
+if command -v docker &> /dev/null; then
+    DOCKER="docker"
+elif command -v podman &> /dev/null; then
+    DOCKER="podman"
+else
+    echo "Could not find docker / podman!"
+    exit 1
+fi
+
+exec "${DOCKER}" exec "${ENVVARS[@]}" "${GITHUB_REPOSITORY_ID}" "${COMMAND[@]}"
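Review bot: The `case "$1"` block inside `while (( "${#}" ))` has no default arm, so any word other than `-e` or `--` is never shifted and the loop never terminates; with xtrace on it would also flood the job log until the step is cancelled. Add a catch-all before the outer `esac`: `*) echo "Unknown argument: $1" >&2; exit 1 ;;`. A trailing `-e` without a name does abort through `set -u`, but only with bash's unbound-variable message, so an explicit check after the first `shift` in the `-e)` arm would give a clearer error.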

+ 77 - 0
.github/scripts/package/arch.sh

@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+if [ -z "${1:-}" ]; then
+    $0 setup-builddeps
+    $0 setup-secureboot
+    $0 build-packages
+    $0 sign-packages
+    exit
+fi
+
+pacman()
+{
+    command pacman --noconfirm "$@"
+}
+
+case "${1:-}" in
+setup-builddeps)
+    # Update the container
+    pacman -Syu
+
+    # Install makepkg deps
+    pacman -S sudo binutils fakeroot base-devel git
+
+    # Install tools for singing the kernel for secureboot
+    pacman -S sbsigntools
+    ;;
+setup-secureboot)
+    if [ -z "${SB_KEY:-}" ]; then
+        echo "WARNING: No secureboot key configured, skipping signing."
+        exit
+    fi
+
+    # Install the surface secureboot certificate
+    echo "${SB_KEY}" | base64 -d > pkg/arch/kernel/MOK.key
+    cp pkg/keys/surface.crt pkg/arch/kernel/MOK.crt
+    ;;
+build-packages)
+    pushd pkg/arch/kernel || exit 1
+
+    # Fix permissions (can't makepkg as root)
+    echo "nobody ALL=(ALL) NOPASSWD: /usr/bin/pacman" >> /etc/sudoers
+    chown -R nobody .
+
+    # Package compression settings (Matches latest Arch)
+    export PKGEXT='.pkg.tar.zst'
+    export COMPRESSZST=(zstd -c -T0 --ultra -20 -)
+    export MAKEFLAGS="-j2"
+
+    # Build
+    su nobody --pty -p -s /bin/bash -c 'makepkg -sf --skippgpcheck --noconfirm'
+
+    # Prepare release
+    mkdir release
+    find . -name '*.pkg.tar.zst' -type f -exec mv {} release \;
+
+    popd || exit 1
+    ;;
+sign-packages)
+    if [ -z "${GPG_KEY:-}" ] || [ -z "${GPG_KEY_ID:-}" ]; then
+        echo "WARNING: No GPG key configured, skipping signing."
+        exit
+    fi
+
+    pushd pkg/arch/kernel/release || exit 1
+
+    # import GPG key
+    echo "${GPG_KEY}" | base64 -d | gpg --import --no-tty --batch --yes
+
+    # sign packages
+    find . -name '*.pkg.tar.zst' -type f -exec \
+        gpg --detach-sign --batch --no-tty -u "${GPG_KEY_ID}" {} \;
+
+    popd || exit 1
+    ;;
+esac
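Review bot: `set -euxo pipefail` leaves xtrace enabled while key material is handled, so `echo "${SB_KEY}" | base64 -d > pkg/arch/kernel/MOK.key` and `echo "${GPG_KEY}" | base64 -d | gpg --import ...` are traced with the variable expanded, and keeping the keys out of the job log then rests entirely on the CI platform's log masking. Bracket those commands with `{ set +x; } 2>/dev/null` before and `set -x` after, and set `umask 077` before writing `MOK.key` so the private key is not created with default permissions. The same pattern appears in package/debian.sh and package/fedora.sh. It also appears in the three repository/*.sh scripts, where `REPO="https://surfacebot:${SURFACEBOT_TOKEN}@..."` and the following `git clone` are traced.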

+ 146 - 0
.github/scripts/package/debian.sh

@@ -0,0 +1,146 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+if [ -z "${1:-}" ]; then
+    $0 setup-builddeps
+    $0 setup-secureboot
+    $0 build-packages
+    $0 sign-packages
+    exit
+fi
+
+apt-get()
+{
+    command apt-get -y "$@"
+}
+
+MAINLINE_REPO="git://git.launchpad.net/~ubuntu-kernel-test/ubuntu/+source/linux/+git/mainline-crack"
+MAINLINE_BRANCH="cod/mainline"
+
+case "${1:-}" in
+setup-builddeps)
+    SOURCES="$(sed 's/^deb /deb-src /' /etc/apt/sources.list)"
+    echo "${SOURCES}" >> /etc/apt/sources.list
+
+    ln -snf /usr/share/zoneinfo/UTC /etc/localtime
+    echo UTC > /etc/timezone
+    
+    apt-get update
+    apt-get upgrade
+    apt-get install build-essential fakeroot rsync git wget software-properties-common \
+            zstd lz4 sbsigntool debhelper dpkg-dev dpkg-sig
+    apt-get build-dep linux
+
+    # install python 3.11, required for configuring the kernel via Ubuntu's annotation format
+    add-apt-repository -y ppa:deadsnakes
+
+    apt-get update
+    apt-get upgrade
+    apt-get install python3.11
+
+    rm -f /usr/bin/python
+    rm -f /usr/bin/python3
+    ln -s /usr/bin/python3.11 /usr/bin/python
+    ln -s /usr/bin/python3.11 /usr/bin/python3
+    ;;
+setup-secureboot)
+    if [ -z "${SB_KEY:-}" ]; then
+        echo "WARNING: No secureboot key configured, skipping signing."
+        exit
+    fi
+
+    mkdir -p pkg/debian/kernel/keys
+
+    # Install the surface secureboot certificate
+    echo "${SB_KEY}" | base64 -d > pkg/debian/kernel/keys/MOK.key
+    cp pkg/keys/surface.crt pkg/debian/kernel/keys/MOK.crt
+    ;;
+build-packages)
+    pushd pkg/debian/kernel || exit 1
+
+    . version.conf
+
+    # setup git
+    git config --global user.name "surfacebot"
+    git config --global user.email "surfacebot@users.noreply.github.com"
+
+    # get ubuntu mainline source
+    # see https://kernel.ubuntu.com/~kernel-ppa/mainline
+    git clone "${MAINLINE_REPO}" --branch "${MAINLINE_BRANCH}/v${KERNEL_VERSION}" --depth 1 linux
+
+    if [ -d "keys" ]; then
+        mv keys linux
+    fi
+
+    pushd linux || exit 1
+
+    # apply surface build/packaging patches
+    find .. -name '*.patch' -type f -exec git apply --index --reject {} \;
+
+    git add .
+    git commit --allow-empty -m "Apply linux-surface packaging patches"
+
+    KERNEL_MAJORVER="${KERNEL_VERSION%.*}"
+
+    # apply surface patches
+    find "../../../../patches/${KERNEL_MAJORVER}" -name '*.patch' -type f -exec \
+        git apply --index --reject {} \;
+
+    git add .
+    git commit --allow-empty -m "Apply linux-surface patches"
+
+    # generate base config
+    ./debian/scripts/misc/annotations --arch amd64 --flavour generic --export > ../base.config
+
+    # merge configs
+    ./scripts/kconfig/merge_config.sh \
+        ../base.config \
+        ../ubuntu.config \
+        "../../../../configs/surface-${KERNEL_MAJORVER}.config"
+    
+    # Explicitly set package version, including revision. This is picked up by 'make bindeb-pkg'.
+    export KDEB_PKGVERSION="${KERNEL_VERSION}${KERNEL_LOCALVERSION}-${KERNEL_REVISION}"
+    
+    # The DPKG in Ubuntu 22.04 defaults to using ZSTD, which is not yet supported by the DPKG in Debian 11
+    export KDEB_COMPRESS="xz"
+
+    make bindeb-pkg -j "$(nproc)"
+
+    popd || exit 1
+    popd || exit 1
+
+    pushd pkg/debian/meta || exit 1
+
+    ./mkdebian.sh "$(make -C ../kernel/linux -s kernelrelease)" "${KERNEL_REVISION}"
+    dpkg-buildpackage -b -Zxz
+
+    popd || exit 1
+
+    pushd pkg/debian || exit 1
+
+    mkdir release
+
+    find . -name 'linux-libc-dev*.deb' -type f -exec rm {} \;
+    find . -name '*.deb' -type f -exec cp {} release \;
+
+    popd || exit 1
+    ;;
+sign-packages)
+    if [ -z "${GPG_KEY:-}" ] || [ -z "${GPG_KEY_ID:-}" ]; then
+        echo "WARNING: No GPG key configured, skipping signing."
+        exit
+    fi
+
+    pushd pkg/debian/release || exit 1
+
+    # import GPG key
+    echo "${GPG_KEY}" | base64 -d | gpg --import --no-tty --batch --yes
+
+    # sign packages
+    find . -name '*.deb' -type f -exec \
+        dpkg-sig -g "--batch --no-tty" --sign builder -k "${GPG_KEY_ID}" {} \;
+
+    popd || exit 1
+    ;;
+esac
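Review bot: Replacing the old `for PATCH in ../*.patch` loops with `find ... -exec git apply --index --reject {} \;` changes behaviour in three ways: find visits files in directory order instead of sorted glob order, `find ..` also descends into the freshly cloned `linux/` tree, and a failing `-exec ... \;` command does not change find's exit status, so `set -e` no longer stops the build when a patch is rejected. The result could be a kernel that is built and signed without some of the patches while the job stays green. Keep the sorted, non-recursive loop, `for PATCH in ../*.patch; do git apply --index --reject "${PATCH}"; done`, and likewise for the `patches/${KERNEL_MAJORVER}` directory. The same exit-status gap applies to `dpkg-sig` in `sign-packages` here, to `gpg --detach-sign` in package/arch.sh, and to `rpmbuild -rb` and `rpm --resign` in package/fedora.sh. Separately, `MAINLINE_REPO` uses the unauthenticated `git://` transport for source that ends up signed; an `https://` URL for the same repository would be preferable if the host offers one.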

+ 76 - 0
.github/scripts/package/fedora.sh

@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+if [ -z "$1" ]; then
+    $0 setup-builddeps
+    $0 setup-secureboot
+    $0 build-packages
+    $0 sign-packages
+    exit
+fi
+
+dnf()
+{
+    command dnf -y "$@"
+}
+
+case "$1" in
+setup-builddeps)
+    # Setup build environment
+    dnf distro-sync
+    dnf install @rpm-development-tools git rpm-sign
+
+    # Install build dependencies
+    dnf builddep kernel
+
+    # Install additional build dependencies
+    dnf install sbsigntools
+    ;;
+setup-secureboot)
+    if [ -z "${SB_KEY:-}" ]; then
+        echo "WARNING: No secureboot key configured, skipping signing."
+        exit
+    fi
+
+    # Install the surface secureboot certificate
+    echo "${SB_KEY}" | base64 -d > pkg/fedora/kernel-surface/secureboot/MOK.key
+    cp pkg/keys/surface.crt pkg/fedora/kernel-surface/secureboot/MOK.crt
+    ;;
+build-packages)
+    pushd pkg/fedora/kernel-surface || exit 1
+
+    # setup git
+    git config --global user.name "surfacebot"
+    git config --global user.email "surfacebot@users.noreply.github.com"
+
+    # Build source RPM packages
+    python3 build-linux-surface.py --mode srpm --ark-dir kernel-ark --outdir srpm
+
+    # Remove the kernel-ark tree to get as much free disk space as possible
+    rm -rf kernel-ark
+
+    # Build binary RPM packages
+    find srpm -name '*.src.rpm' -type f -exec rpmbuild -rb \
+        --define "_topdir ${PWD}/rpmbuild" --define "_rpmdir ${PWD}/out" {} \;
+
+    popd || exit 1
+    ;;
+sign-packages)
+    if [ -z "${GPG_KEY:-}" ] || [ -z "${GPG_KEY_ID:-}" ]; then
+        echo "WARNING: No GPG key configured, skipping signing."
+        exit
+    fi
+
+    pushd pkg/fedora/kernel-surface/out/x86_64 || exit 1
+
+    # import GPG key
+    echo "${GPG_KEY}" | base64 -d | gpg --import --no-tty --batch --yes
+
+    # sign packages
+    find . -name '*.rpm' -type f -exec \
+        rpm --resign {} --define "_gpg_name ${GPG_KEY_ID}" \;
+
+    popd || exit 1
+    ;;
+esac
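Review bot: `if [ -z "$1" ]` and `case "$1" in` expand `$1` directly under `set -u`, so calling fedora.sh with no argument aborts with an unbound-variable error instead of running the four stages in sequence. package/arch.sh and package/debian.sh use the guarded form, and this script should match them: `if [ -z "${1:-}" ]; then` and `case "${1:-}" in`.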

+ 66 - 0
.github/scripts/repository/arch.sh

@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+pacman()
+{
+    command pacman --noconfirm "$@"
+}
+
+if [ -z "${GIT_REF:-}" ]; then
+	echo "GIT_REF is unset!"
+	exit 1
+fi
+
+if [ -z "${GITHUB_REPOSITORY:-}" ]; then
+	echo "GITHUB_REPOSITORY is unset!"
+	exit 1
+fi
+
+if [ -z "${SURFACEBOT_TOKEN:-}" ]; then
+	echo "SURFACEBOT_TOKEN is unset!"
+	exit 1
+fi
+
+if [ -z "${BRANCH_STAGING:-}" ]; then
+	echo "BRANCH_STAGING is unset!"
+	exit 1
+fi
+
+REPONAME="$(echo "${GITHUB_REPOSITORY}" | cut -d'/' -f2)"
+REPO="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"
+
+# parse git tag from ref
+GIT_TAG="${GIT_REF#refs/tags/}"
+
+# Install dependencies
+pacman -Syu
+pacman -S base-devel git
+
+# clone package repository
+git clone -b "${BRANCH_STAGING}" "${REPO}" repo
+
+# copy packages
+find arch-latest -type f -exec cp {} repo/arch \;
+pushd repo/arch || exit 1
+
+# convert packages into references
+while read -rd $'\n' FILE; do
+    echo "${REPONAME}:${GIT_TAG}/$(basename "${FILE}")" > "${FILE}.blob"
+    rm "${FILE}"
+done <<< "$(find . -name '*.pkg.tar.zst')"
+
+RAND="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)"
+BRANCH="${BRANCH_STAGING}-${RAND}"
+
+# set git identity
+git config --global user.name "surfacebot"
+git config --global user.email "surfacebot@users.noreply.github.com"
+
+# commit and push
+git checkout -b "${BRANCH}"
+git add .
+git commit -m "Update Arch Linux ${REPONAME} package"
+git push --set-upstream origin "${BRANCH}"
+
+popd || exit 1
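Review bot: Embedding the token in `REPO="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"` puts it on the `git clone` command line and stores it as the `origin` URL in `repo/.git/config`, which lives under the bind-mounted workspace. Prefer a plain `https://github.com/linux-surface/repo.git` remote with the token supplied by a `credential.helper` or `GIT_ASKPASS` script that reads `SURFACEBOT_TOKEN` from the environment. At minimum, run `git remote set-url origin https://github.com/linux-surface/repo.git` after the push. repository/debian.sh and repository/fedora.sh build `REPO` the same way.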

+ 66 - 0
.github/scripts/repository/debian.sh

@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+apt-get()
+{
+    command apt-get -y "$@"
+}
+
+if [ -z "${GIT_REF:-}" ]; then
+	echo "GIT_REF is unset!"
+	exit 1
+fi
+
+if [ -z "${GITHUB_REPOSITORY:-}" ]; then
+	echo "GITHUB_REPOSITORY is unset!"
+	exit 1
+fi
+
+if [ -z "${SURFACEBOT_TOKEN:-}" ]; then
+	echo "SURFACEBOT_TOKEN is unset!"
+	exit 1
+fi
+
+if [ -z "${BRANCH_STAGING:-}" ]; then
+	echo "BRANCH_STAGING is unset!"
+	exit 1
+fi
+
+REPONAME="$(echo "${GITHUB_REPOSITORY}" | cut -d'/' -f2)"
+REPO="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"
+
+# parse git tag from ref
+GIT_TAG="${GIT_REF#refs/tags/}"
+
+# Install dependencies
+apt-get update
+apt-get install git
+
+# clone package repository
+git clone -b "${BRANCH_STAGING}" "${REPO}" repo
+
+# copy packages
+find debian-latest -type f -exec cp {} repo/debian \;
+pushd repo/debian || exit 1
+
+# convert packages into references
+while read -rd $'\n' FILE; do
+    echo "${REPONAME}:${GIT_TAG}/$(basename "${FILE}")" > "${FILE}.blob"
+    rm "${FILE}"
+done <<< "$(find . -name '*.deb')"
+
+RAND="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)"
+BRANCH="${BRANCH_STAGING}-${RAND}"
+
+# set git identity
+git config --global user.name "surfacebot"
+git config --global user.email "surfacebot@users.noreply.github.com"
+
+# commit and push
+git checkout -b "${BRANCH}"
+git add .
+git commit -m "Update Debian ${REPONAME} package"
+git push --set-upstream origin "${BRANCH}"
+
+popd || exit 1

+ 72 - 0
.github/scripts/repository/fedora.sh

@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+dnf()
+{
+    command dnf -y "$@"
+}
+
+if [ -z "${GIT_REF:-}" ]; then
+	echo "GIT_REF is unset!"
+	exit 1
+fi
+
+if [ -z "${GITHUB_REPOSITORY:-}" ]; then
+	echo "GITHUB_REPOSITORY is unset!"
+	exit 1
+fi
+
+if [ -z "${SURFACEBOT_TOKEN:-}" ]; then
+	echo "SURFACEBOT_TOKEN is unset!"
+	exit 1
+fi
+
+if [ -z "${BRANCH_STAGING:-}" ]; then
+	echo "BRANCH_STAGING is unset!"
+	exit 1
+fi
+
+FEDORA="${1:-}"
+
+if [ -z "${FEDORA}" ]; then
+	echo "Fedora version is unset!"
+	exit 1
+fi
+
+REPONAME="$(echo "${GITHUB_REPOSITORY}" | cut -d'/' -f2)"
+REPO="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"
+
+# parse git tag from ref
+GIT_TAG="${GIT_REF#refs/tags/}"
+
+# Install dependencies
+dnf install git findutils
+
+# clone package repository
+git clone -b "${BRANCH_STAGING}" "${REPO}" repo
+
+# copy packages
+find "fedora-${FEDORA}-latest" -type f -exec cp {} "repo/fedora/f${FEDORA}" \;
+pushd "repo/fedora/f${FEDORA}" || exit 1
+
+# convert packages into references
+while read -rd $'\n' FILE; do
+    echo "${REPONAME}:${GIT_TAG}/$(basename "${FILE}")" > "${FILE}.blob"
+    rm "${FILE}"
+done <<< "$(find . -name '*.rpm' -type f)"
+
+RAND="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)"
+BRANCH="${BRANCH_STAGING}-${RAND}"
+
+# set git identity
+git config --global user.name "surfacebot"
+git config --global user.email "surfacebot@users.noreply.github.com"
+
+# commit and push
+git checkout -b "${BRANCH}"
+git add .
+git commit -m "Update Fedora ${FEDORA} ${REPONAME} package"
+git push --set-upstream origin "${BRANCH}"
+
+popd || exit 1

+ 102 - 124
.github/workflows/arch.yml

@@ -1,146 +1,124 @@
-on:
-  push:
-    tags:
-      - 'arch-*'
-
 name: Arch
 
 env:
   GPG_KEY_ID: 56C464BAAC421453
 
+on:
+  push:
+    tags:
+      - 'arch-*'
+
+  repository_dispatch:
+  workflow_dispatch:
+  
 jobs:
   build:
     name: Build Kernel
     runs-on: ubuntu-latest
-    container: archlinux
     steps:
-    - name: Checkout code
-      uses: actions/checkout@v3
-
-    - name: Install build dependencies
-      run: |
-        # Install makepkg deps
-        pacman -Syu --noconfirm
-        pacman -S --noconfirm sudo binutils fakeroot grep base-devel git sbsigntools libffi python
-
-    - name: Setup secureboot certificate
-      env:
-        SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
-      run: |
-        cd pkg
-
-        # Install the surface secureboot certificate
-        echo "$SB_KEY" | base64 -d > arch/kernel/MOK.key
-        cp keys/surface.crt arch/kernel/MOK.crt
-
-    - name: Build
-      run: |
-        cd pkg/arch/kernel
-
-        # Fix permissions (can't makepkg as root)
-        echo "nobody ALL=(ALL) NOPASSWD: /usr/bin/pacman" >> /etc/sudoers
-        chown -R nobody .
-
-        # Package compression settings (Matches latest Arch)
-        export PKGEXT='.pkg.tar.zst'
-        export COMPRESSZST=(zstd -c -T0 --ultra -20 -)
-        export MAKEFLAGS="-j2"
-
-        # Build
-        su nobody --pty -p -s /bin/bash -c 'makepkg -f --syncdeps --skippgpcheck --noconfirm'
-
-    - name: Prepare release
-      run: |
-        mkdir release
-        mv pkg/arch/kernel/*.pkg.tar.zst release
-
-    - name: Sign packages
-      env:
-        GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }}
-      run: |
-        cd release
-
-        # import GPG key
-        echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes
-        export GPG_TTY=$(tty)
-
-        # sign packages
-        ls *.pkg.tar.zst | xargs -L1 gpg --detach-sign --batch --no-tty -u $GPG_KEY_ID
-
-    - name: Upload artifacts
-      uses: actions/upload-artifact@v3
-      with:
-        name: arch-latest
-        path: release
+      - name: Maximize disk space
+        uses: easimon/maximize-build-space@master
+        with:
+          root-reserve-mb: 5120
+          remove-dotnet: true
+          remove-android: true
+          remove-docker-images: true
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Initialize containers
+        run: |
+          bash ./.github/scripts/container/create.sh \
+            archlinux
+
+      - name: Install build dependencies
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -- \
+            bash ./.github/scripts/package/arch.sh setup-builddeps
+
+      - name: Setup secureboot certificate
+        env:
+          SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -e SB_KEY \
+            -- \
+            bash ./.github/scripts/package/arch.sh setup-secureboot
+
+      - name: Build packages
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -- \
+            bash ./.github/scripts/package/arch.sh build-packages
+
+      - name: Sign packages
+        env:
+          GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }}
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -e GPG_KEY \
+            -e GPG_KEY_ID \
+            -- \
+            bash ./.github/scripts/package/arch.sh sign-packages
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: arch-latest
+          path: pkg/arch/kernel/release
 
   release:
     name: Publish release
+    if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/')
     needs: [build]
     runs-on: ubuntu-latest
     steps:
-    - name: Download artifacts
-      uses: actions/download-artifact@v3
-      with:
-        name: arch-latest
-        path: arch-latest
-
-    - name: Upload assets
-      uses: svenstaro/upload-release-action@v2
-      with:
-        repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
-        file: ./*-latest/*
-        tag: ${{ github.ref }}
-        overwrite: true
-        file_glob: true
+      - name: Download artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: arch-latest
+          path: arch-latest
+
+      - name: Upload assets
+        uses: svenstaro/upload-release-action@v2
+        with:
+          repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
+          file: ./*-latest/*
+          tag: ${{ github.ref }}
+          overwrite: true
+          file_glob: true
 
   repo:
     name: Update package repository
     needs: [release]
     runs-on: ubuntu-latest
-    container: archlinux
     steps:
-    - name: Install dependencies
-      run: |
-        pacman -Syu --noconfirm
-        pacman -S --noconfirm base-devel git
-
-    - name: Download artifacts
-      uses: actions/download-artifact@v3
-      with:
-        name: arch-latest
-        path: arch-latest
-
-    - name: Update repository
-      env:
-        SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
-        BRANCH_STAGING: u/staging
-        GIT_REF: ${{ github.ref }}
-      run: |
-        repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"
-
-        # clone package repository
-        git clone -b "${BRANCH_STAGING}" "${repo}" repo
-
-        # copy packages
-        cp arch-latest/* repo/arch/
-        cd repo/arch
-
-        # parse git tag from ref
-        GIT_TAG=$(echo $GIT_REF | sed 's|^refs/tags/||g')
-
-        # convert packages into references
-        for pkg in $(find . -name '*.pkg.tar.zst'); do
-          echo "linux-surface:$GIT_TAG/$(basename $pkg)" > $pkg.blob
-          rm $pkg
-        done
-
-        # set git identity
-        git config --global user.email "surfacebot@users.noreply.github.com"
-        git config --global user.name "surfacebot"
-
-        # commit and push
-        update_branch="${BRANCH_STAGING}-$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
-        git switch -c "${update_branch}"
-        git add .
-        git commit -m "Update Arch Linux kernel"
-        git push --set-upstream origin "${update_branch}"
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: arch-latest
+          path: arch-latest
+
+      - name: Initialize containers
+        run: |
+          bash ./.github/scripts/container/create.sh \
+            archlinux
+
+      - name: Update repository
+        env:
+          SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
+          GIT_REF: ${{ github.ref }}
+          BRANCH_STAGING: u/staging
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -e SURFACEBOT_TOKEN \
+            -e GIT_REF \
+            -e BRANCH_STAGING \
+            -e GITHUB_REPOSITORY \
+            -- \
+            bash ./.github/scripts/repository/arch.sh
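Review bot: `uses: easimon/maximize-build-space@master` in the build job references a third-party action by a mutable branch, and that job later receives `SURFACE_SB_KEY` and `LINUX_SURFACE_GPG_KEY`. Whatever `master` points to at run time executes on the runner before the signing steps, so pin it to a reviewed commit, e.g. `uses: easimon/maximize-build-space@<full-commit-sha>`. The same line is added in debian.yml.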

+ 101 - 198
.github/workflows/debian.yml

@@ -1,221 +1,124 @@
+name: Debian
+
+env:
+  GPG_KEY_ID: 56C464BAAC421453
+
 on:
   push:
     tags:
       - 'debian-*'
 
-name: Debian
-
-env:
-  GPG_KEY_ID: 56C464BAAC421453
-  KERNEL_VERSION: 6.4.4
-  KERNEL_REVISION: 3
-  LOCALVERSION: -surface
-  MAINLINE_REPO: git://git.launchpad.net/~ubuntu-kernel-test/ubuntu/+source/linux/+git/mainline-crack
-  MAINLINE_BRANCH: cod/mainline
-  TZ: UTC
+  repository_dispatch:
+  workflow_dispatch:
 
 jobs:
   build:
     name: Build Kernel
     runs-on: ubuntu-latest
-    container: ubuntu:20.04
     steps:
-    - name: Checkout code
-      uses: actions/checkout@v3
-
-    - name: Install build dependencies
-      run: |
-        sed 's/^deb /deb-src /' /etc/apt/sources.list >> /etc/apt/sources.list
-        ln -snf /usr/share/zoneinfo/$TZ /etc/localtime
-        echo $TZ > /etc/timezone
-        apt-get -y update
-        apt-get -y upgrade
-        apt-get -y install build-essential fakeroot rsync git wget software-properties-common \
-            zstd lz4 sbsigntool debhelper dpkg-dev dpkg-sig
-        apt-get -y build-dep linux
-
-    - name: Install Python 3.11
-      run: |
-        # install python 3.11, required for configuring the kernel via Ubuntu's annotation format
-        add-apt-repository -y ppa:deadsnakes
-
-        apt-get -y update
-        apt-get -y upgrade
-
-        apt-get -y install python3.11
-
-        rm -f /usr/bin/python
-        rm -f /usr/bin/python3
-        ln -s /usr/bin/python3.11 /usr/bin/python
-        ln -s /usr/bin/python3.11 /usr/bin/python3
-
-    - name: Prepare kernel source
-      run: |
-        cd pkg/debian/kernel
-
-        # setup git
-        git config --global user.email "surfacebot@users.noreply.github.com"
-        git config --global user.name "surfacebot"
-
-        # get ubuntu mainline source
-        # see https://kernel.ubuntu.com/~kernel-ppa/mainline
-        git clone "$MAINLINE_REPO" --branch "$MAINLINE_BRANCH/v$KERNEL_VERSION" --depth 1 linux
-
-        cd linux
-
-        # apply surface build/packaging patches
-        for PATCH in ../*.patch; do
-          git apply --index --reject ${PATCH}
-        done
-
-        git add .
-        git commit --allow-empty -m "Apply linux-surface packaging patches"
-
-        # apply surface patches
-        for PATCH in ../../../../patches/${KERNEL_VERSION%.*}/*.patch; do
-          git apply --index --reject ${PATCH}
-        done
-
-        git add .
-        git commit --allow-empty -m "Apply linux-surface patches"
-
-    - name: Configure
-      run: |
-        cd pkg/debian/kernel/linux
-
-        # generate base config
-        ./debian/scripts/misc/annotations --arch amd64 --flavour generic --export > ../base.config
-
-        # merge configs
-        ./scripts/kconfig/merge_config.sh                         \
-          ../base.config                                          \
-          ../ubuntu.config                                        \
-          ../../../../configs/surface-${KERNEL_VERSION%.*}.config
-
-    - name: Setup secureboot certificate
-      env:
-        SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
-      run: |
-        cd pkg
-
-        mkdir -p debian/kernel/linux/keys
-
-        # unlock/copy key and certificate
-        echo "$SB_KEY" | base64 -d > debian/kernel/linux/keys/MOK.key
-        cp keys/surface.crt debian/kernel/linux/keys/MOK.crt
-
-    - name: Build kernel
-      env:
-        # The DPKG in Ubuntu 22.04 defaults to using ZSTD,
-        # which is not yet supported by the DPKG in Debian 11
-        KDEB_COMPRESS: xz
-      run: |
-        cd pkg/debian/kernel/linux
-
-        # Explicitly set package version, including revision. This is picked up
-        # by 'make bindeb-pkg'.
-        export KDEB_PKGVERSION="${KERNEL_VERSION}${LOCALVERSION}-${KERNEL_REVISION}"
-
-        make bindeb-pkg -j2
-
-    - name: Build meta-package
-      run: |
-        cd pkg/debian/meta
-        ./mkdebian.sh $(make -C ../kernel/linux -s kernelrelease) ${KERNEL_REVISION}
-        dpkg-buildpackage -b -Zxz
-
-    - name: Prepare release
-      run: |
-        mkdir release
-        rm pkg/debian/kernel/linux-libc-dev*.deb
-        mv pkg/debian/kernel/*.deb release
-        mv pkg/debian/*.deb release
-
-    - name: Sign packages
-      env:
-        GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }}
-      run: |
-        # import GPG key
-        echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes
-        export GPG_TTY=$(tty)
-
-        # sign package
-        dpkg-sig -g "--batch --no-tty" --sign builder -k $GPG_KEY_ID release/*.deb
-
-    - name: Upload artifacts
-      uses: actions/upload-artifact@v3
-      with:
-        name: debian-latest
-        path: release
+      - name: Maximize disk space
+        uses: easimon/maximize-build-space@master
+        with:
+          root-reserve-mb: 5120
+          remove-dotnet: true
+          remove-android: true
+          remove-docker-images: true
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Initialize containers
+        run: |
+          bash ./.github/scripts/container/create.sh \
+            ubuntu:20.04
+
+      - name: Install build dependencies
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -- \
+            bash ./.github/scripts/package/debian.sh setup-builddeps
+
+      - name: Setup secureboot certificate
+        env:
+          SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -e SB_KEY \
+            -- \
+            bash ./.github/scripts/package/debian.sh setup-secureboot
+
+      - name: Build packages
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -- \
+            bash ./.github/scripts/package/debian.sh build-packages
+
+      - name: Sign packages
+        env:
+          GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }}
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -e GPG_KEY \
+            -e GPG_KEY_ID \
+            -- \
+            bash ./.github/scripts/package/debian.sh sign-packages
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: debian-latest
+          path: pkg/debian/release
 
   release:
     name: Publish release
+    if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/')
     needs: [build]
     runs-on: ubuntu-latest
     steps:
-    - name: Download artifacts
-      uses: actions/download-artifact@v3
-      with:
-        name: debian-latest
-        path: debian-latest
-
-    - name: Upload assets
-      uses: svenstaro/upload-release-action@v2
-      with:
-        repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
-        file: ./*-latest/*
-        tag: ${{ github.ref }}
-        overwrite: true
-        file_glob: true
+      - name: Download artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: debian-latest
+          path: debian-latest
+
+      - name: Upload assets
+        uses: svenstaro/upload-release-action@v2
+        with:
+          repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
+          file: ./*-latest/*
+          tag: ${{ github.ref }}
+          overwrite: true
+          file_glob: true
 
   repo:
     name: Update package repository
     needs: [release]
     runs-on: ubuntu-latest
-    container: debian:sid
     steps:
-    - name: Install dependencies
-      run: |
-        apt-get update
-        apt-get install -y git
-
-    - name: Download artifacts
-      uses: actions/download-artifact@v3
-      with:
-        name: debian-latest
-        path: debian-latest
-
-    - name: Update repository
-      env:
-        SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
-        BRANCH_STAGING: u/staging
-        GIT_REF: ${{ github.ref }}
-      run: |
-        repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"
-
-        # clone package repository
-        git clone -b "${BRANCH_STAGING}" "${repo}" repo
-
-        # copy packages
-        cp debian-latest/* repo/debian/
-        cd repo/debian
-
-        # parse git tag from ref
-        GIT_TAG=$(echo $GIT_REF | sed 's|^refs/tags/||g')
-
-        # convert packages into references
-        for pkg in $(find . -name '*.deb'); do
-          echo "linux-surface:$GIT_TAG/$(basename $pkg)" > $pkg.blob
-          rm $pkg
-        done
-
-        # set git identity
-        git config --global user.email "surfacebot@users.noreply.github.com"
-        git config --global user.name "surfacebot"
-
-        # commit and push
-        update_branch="${BRANCH_STAGING}-$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
-        git switch -c "${update_branch}"
-        git add .
-        git commit -m "Update Debian kernel"
-        git push --set-upstream origin "${update_branch}"
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: debian-latest
+          path: debian-latest
+
+      - name: Initialize containers
+        run: |
+          bash ./.github/scripts/container/create.sh \
+            debian:sid
+
+      - name: Update repository
+        env:
+          SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
+          GIT_REF: ${{ github.ref }}
+          BRANCH_STAGING: u/staging
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -e SURFACEBOT_TOKEN \
+            -e GIT_REF \
+            -e BRANCH_STAGING \
+            -e GITHUB_REPOSITORY \
+            -- \
+            bash ./.github/scripts/repository/debian.sh
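Review bot: The images passed to create.sh (`ubuntu:20.04` for the build job, `debian:sid` for the repo job, and `archlinux` in arch.yml) are floating tags, so the container that receives the secure-boot key, the GPG key and the bot token is whatever the registry serves at run time. Consider referencing the build images by digest, e.g. `ubuntu:20.04@sha256:<digest>`, and updating the digest deliberately. For a rolling tag such as `debian:sid`, a comment recording that the float is intentional would help.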

+ 102 - 121
.github/workflows/fedora-37.yml

@@ -1,144 +1,125 @@
+name: Fedora 37
+
+env:
+  FEDORA: 37
+  GPG_KEY_ID: 56C464BAAC421453
+
 on:
   push:
     tags:
       - 'fedora-37-*'
 
-name: Fedora 37
-
-env:
-  GPG_KEY_ID: 56C464BAAC421453
+  repository_dispatch:
+  workflow_dispatch:
 
 jobs:
   build:
     name: Build Kernel
     runs-on: ubuntu-latest
-    container: registry.fedoraproject.org/fedora:37
     steps:
-    - name: Checkout code
-      uses: actions/checkout@v3
-
-    - name: Install build dependencies
-      run: |
-        dnf distro-sync -y
-        dnf install -y git make gcc flex bison bzip2 rpm-build
-        dnf install -y rpmdevtools rpm-sign 'dnf-command(builddep)'
-
-        # Install build dependencies
-        dnf builddep -y kernel
-
-        # Install additional build dependencies
-        dnf install -y sbsigntools
-
-    - name: Setup secureboot certificate
-      env:
-        SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
-      run: |
-        # Install the surface secureboot certificate
-        echo "$SB_KEY" | base64 -d > pkg/fedora/kernel-surface/secureboot/MOK.key
-        cp pkg/keys/surface.crt pkg/fedora/kernel-surface/secureboot/MOK.crt
-
-    - name: Build packages
-      run: |
-        cd pkg/fedora/kernel-surface
-
-        # setup git
-        git config --global user.email "surfacebot@users.noreply.github.com"
-        git config --global user.name "surfacebot"
-
-        # Build source RPM packages
-        python3 build-linux-surface.py --mode srpm --ark-dir kernel-ark --outdir srpm
-
-        # Remove the kernel-ark tree to get as much free disk space as possible
-        rm -rf kernel-ark
-
-        # Build binary RPM packages
-        rpmbuild -rb --define "_rpmdir $PWD/out" srpm/*.src.rpm
-
-    - name: Sign packages
-      env:
-        GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }}
-      run: |
-        cd pkg/fedora/kernel-surface/out/x86_64
-
-        # import GPG key
-        echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes
-
-        # sign packages
-        rpm --resign *.rpm --define "_gpg_name $GPG_KEY_ID"
-
-    - name: Upload artifacts
-      uses: actions/upload-artifact@v3
-      with:
-        name: fedora-37-latest
-        path: pkg/fedora/kernel-surface/out/x86_64
+      - name: Maximize disk space
+        uses: easimon/maximize-build-space@master
+        with:
+          root-reserve-mb: 5120
+          remove-dotnet: true
+          remove-android: true
+          remove-docker-images: true
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Initialize containers
+        run: |
+          bash ./.github/scripts/container/create.sh \
+            registry.fedoraproject.org/fedora:${{ env.FEDORA }}
+
+      - name: Install build dependencies
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -- \
+            bash ./.github/scripts/package/fedora.sh setup-builddeps
+
+      - name: Setup secureboot certificate
+        env:
+          SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -e SB_KEY \
+            -- \
+            bash ./.github/scripts/package/fedora.sh setup-secureboot
+
+      - name: Build packages
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -- \
+            bash ./.github/scripts/package/fedora.sh build-packages
+
+      - name: Sign packages
+        env:
+          GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }}
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -e GPG_KEY \
+            -e GPG_KEY_ID \
+            -- \
+            bash ./.github/scripts/package/fedora.sh sign-packages
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: fedora-${{ env.FEDORA }}-latest
+          path: pkg/fedora/kernel-surface/out/x86_64
 
   release:
     name: Publish release
+    if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/')
     needs: [build]
     runs-on: ubuntu-latest
     steps:
-    - name: Download artifacts
-      uses: actions/download-artifact@v3
-      with:
-        name: fedora-37-latest
-        path: fedora-37-latest
-
-    - name: Upload assets
-      uses: svenstaro/upload-release-action@v2
-      with:
-        repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
-        file: ./*-latest/*
-        tag: ${{ github.ref }}
-        overwrite: true
-        file_glob: true
+      - name: Download artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: fedora-${{ env.FEDORA }}-latest
+          path: fedora-${{ env.FEDORA }}-latest
+
+      - name: Upload assets
+        uses: svenstaro/upload-release-action@v2
+        with:
+          repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
+          file: ./*-latest/*
+          tag: ${{ github.ref }}
+          overwrite: true
+          file_glob: true
 
   repo:
     name: Update package repository
     needs: [release]
     runs-on: ubuntu-latest
-    container: registry.fedoraproject.org/fedora:37
     steps:
-    - name: Install dependencies
-      run: |
-        dnf install -y git findutils
-
-    - name: Download artifacts
-      uses: actions/download-artifact@v3
-      with:
-        name: fedora-37-latest
-        path: fedora-37-latest
-
-    - name: Update repository
-      env:
-        SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
-        BRANCH_STAGING: u/staging
-        GIT_REF: ${{ github.ref }}
-      run: |
-        repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"
-
-        # clone package repository
-        git clone -b "${BRANCH_STAGING}" "${repo}" repo
-
-        # copy packages
-        cp fedora-37-latest/* repo/fedora/f37
-        cd repo/fedora/f37
-
-        # parse git tag from ref
-        GIT_TAG=$(echo $GIT_REF | sed 's|^refs/tags/||g')
-
-        # convert packages into references
-        for pkg in $(find . -name '*.rpm'); do
-          echo "linux-surface:$GIT_TAG/$(basename $pkg)" > $pkg.blob
-          rm $pkg
-        done
-
-        # set git identity
-        git config --global user.email "surfacebot@users.noreply.github.com"
-        git config --global user.name "surfacebot"
-
-        # commit and push
-        update_branch="${BRANCH_STAGING}-$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
-        git checkout -b "${update_branch}"
-        git add .
-        git commit -m "Update Fedora 37 kernel"
-        git push --set-upstream origin "${update_branch}"
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: fedora-${{ env.FEDORA }}-latest
+          path: fedora-${{ env.FEDORA }}-latest
+
+      - name: Initialize containers
+        run: |
+          bash ./.github/scripts/container/create.sh \
+            registry.fedoraproject.org/fedora:${{ env.FEDORA }}
+
+      - name: Update repository
+        env:
+          SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
+          GIT_REF: ${{ github.ref }}
+          BRANCH_STAGING: u/staging
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -e SURFACEBOT_TOKEN \
+            -e GIT_REF \
+            -e BRANCH_STAGING \
+            -e GITHUB_REPOSITORY \
+            -- \
+            bash ./.github/scripts/repository/fedora.sh ${{ env.FEDORA }}
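Review bot: The `Maximize disk space` step uses `easimon/maximize-build-space@master`, a third-party action on a mutable branch ref, as the first step of the `build` job. Later steps in that job pass `SURFACE_SB_KEY` and `LINUX_SURFACE_GPG_KEY` into the container on the same runner, so whatever `master` resolves to at run time executes before the signing steps. Pin it to a reviewed full commit SHA, e.g. `uses: easimon/maximize-build-space@<full-commit-sha>`, and bump it deliberately. The same line is added in fedora-38.yml. `svenstaro/upload-release-action@v2`, which receives `LINUX_SURFACE_BOT_TOKEN`, is likewise a movable tag and would benefit from the same pinning.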

+ 102 - 121
.github/workflows/fedora-38.yml

@@ -1,144 +1,125 @@
+name: Fedora 38
+
+env:
+  FEDORA: 38
+  GPG_KEY_ID: 56C464BAAC421453
+
 on:
   push:
     tags:
       - 'fedora-38-*'
 
-name: Fedora 38
-
-env:
-  GPG_KEY_ID: 56C464BAAC421453
+  repository_dispatch:
+  workflow_dispatch:
 
 jobs:
   build:
     name: Build Kernel
     runs-on: ubuntu-latest
-    container: registry.fedoraproject.org/fedora:38
     steps:
-    - name: Checkout code
-      uses: actions/checkout@v3
-
-    - name: Install build dependencies
-      run: |
-        dnf distro-sync -y
-        dnf install -y git make gcc flex bison bzip2 rpm-build
-        dnf install -y rpmdevtools rpm-sign 'dnf-command(builddep)'
-
-        # Install build dependencies
-        dnf builddep -y kernel
-
-        # Install additional build dependencies
-        dnf install -y sbsigntools
-
-    - name: Setup secureboot certificate
-      env:
-        SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
-      run: |
-        # Install the surface secureboot certificate
-        echo "$SB_KEY" | base64 -d > pkg/fedora/kernel-surface/secureboot/MOK.key
-        cp pkg/keys/surface.crt pkg/fedora/kernel-surface/secureboot/MOK.crt
-
-    - name: Build packages
-      run: |
-        cd pkg/fedora/kernel-surface
-
-        # setup git
-        git config --global user.email "surfacebot@users.noreply.github.com"
-        git config --global user.name "surfacebot"
-
-        # Build source RPM packages
-        python3 build-linux-surface.py --mode srpm --ark-dir kernel-ark --outdir srpm
-
-        # Remove the kernel-ark tree to get as much free disk space as possible
-        rm -rf kernel-ark
-
-        # Build binary RPM packages
-        rpmbuild -rb --define "_rpmdir $PWD/out" srpm/*.src.rpm
-
-    - name: Sign packages
-      env:
-        GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }}
-      run: |
-        cd pkg/fedora/kernel-surface/out/x86_64
-
-        # import GPG key
-        echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes
-
-        # sign packages
-        rpm --resign *.rpm --define "_gpg_name $GPG_KEY_ID"
-
-    - name: Upload artifacts
-      uses: actions/upload-artifact@v3
-      with:
-        name: fedora-38-latest
-        path: pkg/fedora/kernel-surface/out/x86_64
+      - name: Maximize disk space
+        uses: easimon/maximize-build-space@master
+        with:
+          root-reserve-mb: 5120
+          remove-dotnet: true
+          remove-android: true
+          remove-docker-images: true
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Initialize containers
+        run: |
+          bash ./.github/scripts/container/create.sh \
+            registry.fedoraproject.org/fedora:${{ env.FEDORA }}
+
+      - name: Install build dependencies
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -- \
+            bash ./.github/scripts/package/fedora.sh setup-builddeps
+
+      - name: Setup secureboot certificate
+        env:
+          SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -e SB_KEY \
+            -- \
+            bash ./.github/scripts/package/fedora.sh setup-secureboot
+
+      - name: Build packages
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -- \
+            bash ./.github/scripts/package/fedora.sh build-packages
+
+      - name: Sign packages
+        env:
+          GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }}
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -e GPG_KEY \
+            -e GPG_KEY_ID \
+            -- \
+            bash ./.github/scripts/package/fedora.sh sign-packages
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: fedora-${{ env.FEDORA }}-latest
+          path: pkg/fedora/kernel-surface/out/x86_64
 
   release:
     name: Publish release
+    if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/')
     needs: [build]
     runs-on: ubuntu-latest
     steps:
-    - name: Download artifacts
-      uses: actions/download-artifact@v3
-      with:
-        name: fedora-38-latest
-        path: fedora-38-latest
-
-    - name: Upload assets
-      uses: svenstaro/upload-release-action@v2
-      with:
-        repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
-        file: ./*-latest/*
-        tag: ${{ github.ref }}
-        overwrite: true
-        file_glob: true
+      - name: Download artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: fedora-${{ env.FEDORA }}-latest
+          path: fedora-${{ env.FEDORA }}-latest
+
+      - name: Upload assets
+        uses: svenstaro/upload-release-action@v2
+        with:
+          repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
+          file: ./*-latest/*
+          tag: ${{ github.ref }}
+          overwrite: true
+          file_glob: true
 
   repo:
     name: Update package repository
     needs: [release]
     runs-on: ubuntu-latest
-    container: registry.fedoraproject.org/fedora:38
     steps:
-    - name: Install dependencies
-      run: |
-        dnf install -y git findutils
-
-    - name: Download artifacts
-      uses: actions/download-artifact@v3
-      with:
-        name: fedora-38-latest
-        path: fedora-38-latest
-
-    - name: Update repository
-      env:
-        SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
-        BRANCH_STAGING: u/staging
-        GIT_REF: ${{ github.ref }}
-      run: |
-        repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"
-
-        # clone package repository
-        git clone -b "${BRANCH_STAGING}" "${repo}" repo
-
-        # copy packages
-        cp fedora-38-latest/* repo/fedora/f38
-        cd repo/fedora/f38
-
-        # parse git tag from ref
-        GIT_TAG=$(echo $GIT_REF | sed 's|^refs/tags/||g')
-
-        # convert packages into references
-        for pkg in $(find . -name '*.rpm'); do
-          echo "linux-surface:$GIT_TAG/$(basename $pkg)" > $pkg.blob
-          rm $pkg
-        done
-
-        # set git identity
-        git config --global user.email "surfacebot@users.noreply.github.com"
-        git config --global user.name "surfacebot"
-
-        # commit and push
-        update_branch="${BRANCH_STAGING}-$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
-        git checkout -b "${update_branch}"
-        git add .
-        git commit -m "Update Fedora 38 kernel"
-        git push --set-upstream origin "${update_branch}"
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: fedora-${{ env.FEDORA }}-latest
+          path: fedora-${{ env.FEDORA }}-latest
+
+      - name: Initialize containers
+        run: |
+          bash ./.github/scripts/container/create.sh \
+            registry.fedoraproject.org/fedora:${{ env.FEDORA }}
+
+      - name: Update repository
+        env:
+          SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
+          GIT_REF: ${{ github.ref }}
+          BRANCH_STAGING: u/staging
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -e SURFACEBOT_TOKEN \
+            -e GIT_REF \
+            -e BRANCH_STAGING \
+            -e GITHUB_REPOSITORY \
+            -- \
+            bash ./.github/scripts/repository/fedora.sh ${{ env.FEDORA }}
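Review bot: This file is the same as fedora-37.yml apart from `FEDORA: 38`, the workflow name and the tag pattern, so every step that handles `SB_KEY`, `GPG_KEY` and `SURFACEBOT_TOKEN` now exists in two copies that have to be kept in sync by hand. Since the version is already an `env` value, the jobs could move into one reusable workflow (`on: workflow_call` with a `fedora` input and the secrets passed explicitly). Each per-release file would then keep only its trigger and a single `uses:` call, so a later hardening change to the secret-handling steps cannot be applied to one release and missed on the other.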

+ 3 - 0
pkg/debian/kernel/version.conf

@@ -0,0 +1,3 @@
+KERNEL_VERSION="6.4.4"
+KERNEL_REVISION="2"
+KERNEL_LOCALVERSION="-surface"

+ 2 - 2
pkg/fedora/kernel-surface/build-linux-surface.py

@@ -18,13 +18,13 @@ PACKAGE_NAME = "surface"
 ## Fedora tags: kernel-X.Y.Z
 ## Upstream tags: vX.Y.Z
 ##
-PACKAGE_TAG = "kernel-6.3.13-0"
+PACKAGE_TAG = "kernel-6.4.4-0"
 
 ##
 ## The release number of the modified kernel package.
 ## e.g. 300 for kernel-6.3.1-300.fc38.foo
 ##
-PACKAGE_RELEASE = "2"
+PACKAGE_RELEASE = "1"
 
 ##
 ## Build options for configuring which parts of the kernel package are enabled.

+ 1 - 7
pkg/fedora/kernel-surface/configs/fedora.config

@@ -6,10 +6,4 @@
 ## The build fails because this is not enabled in the config set for RHEL,
 ## but enabled automatically by one of our patches.
 ##
-CONFIG_VIDEO_V4L2_SUBDEV_API=y
-
-##
-## Compress debug info to prevent GitHub Actions from running out of space.
-##
-CONFIG_DEBUG_INFO_COMPRESSED_ZLIB=y
-# CONFIG_DEBUG_INFO_COMPRESSED_NONE is not set
+CONFIG_VIDEO_V4L2_SUBDEV_API=y

+ 5 - 5
pkg/fedora/kernel-surface/patches/0001-iptsd.patch

@@ -1,6 +1,6 @@
-From 5fc0582727cb64230d1c2ac02001263f92a9b82c Mon Sep 17 00:00:00 2001
+From 1cad947df5f2ec874863e42cce595a76dad64cc2 Mon Sep 17 00:00:00 2001
 From: Dorian Stoll <dorian.stoll@tmsp.io>
-Date: Sun, 14 May 2023 09:21:43 +0200
+Date: Sat, 22 Jul 2023 10:33:03 +0200
 Subject: [PATCH] Pull in iptsd as a weak dependency
 
 Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
@@ -9,10 +9,10 @@ Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
  1 file changed, 1 insertion(+)
 
 diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
-index 51f43b21b018..d61276b49d95 100644
+index d3dafe56aa64..24823cd8b784 100644
 --- a/redhat/kernel.spec.template
 +++ b/redhat/kernel.spec.template
-@@ -938,6 +938,7 @@ Requires(pre): %{kernel_prereq}\
+@@ -1052,6 +1052,7 @@ Requires(pre): %{kernel_prereq}\
  Requires(pre): %{initrd_prereq}\
  Requires(pre): ((linux-firmware >= 20150904-56.git6ebf5d57) if linux-firmware)\
  Recommends: linux-firmware\
@@ -21,5 +21,5 @@ index 51f43b21b018..d61276b49d95 100644
  Conflicts: xfsprogs < 4.3.0-1\
  Conflicts: xorg-x11-drv-vmmouse < 13.0.99\
 -- 
-2.40.1
+2.41.0
 

+ 16 - 16
pkg/fedora/kernel-surface/patches/0002-provides.patch

@@ -1,6 +1,6 @@
-From 4f7a333fc3dbacc4b3fa25ea117cb59f865878af Mon Sep 17 00:00:00 2001
+From 17907fed744ae17414a1ad8bebc335e12dac7691 Mon Sep 17 00:00:00 2001
 From: Dorian Stoll <dorian.stoll@tmsp.io>
-Date: Sun, 14 May 2023 15:04:22 +0200
+Date: Sat, 22 Jul 2023 10:34:38 +0200
 Subject: [PATCH] Let kernel-surface provide the standard package names
 
 Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
@@ -9,10 +9,10 @@ Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
  1 file changed, 5 insertions(+)
 
 diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
-index 51f43b21b018..2d91719b7d93 100644
+index 24823cd8b784..ea7de5884a89 100644
 --- a/redhat/kernel.spec.template
 +++ b/redhat/kernel.spec.template
-@@ -598,6 +598,7 @@ Requires: kernel-core-uname-r = %{KVERREL}
+@@ -697,6 +697,7 @@ Requires: kernel-core-uname-r = %{KVERREL}
  Requires: kernel-modules-uname-r = %{KVERREL}
  Requires: kernel-modules-core-uname-r = %{KVERREL}
  Provides: installonlypkg(kernel)
@@ -20,15 +20,15 @@ index 51f43b21b018..2d91719b7d93 100644
  %endif
  
  
-@@ -1226,6 +1227,7 @@ Summary: Development package for building kernel modules to match the %{?2:%{2}
+@@ -1352,6 +1353,7 @@ Summary: Development package for building kernel modules to match the %{?2:%{2}
  Provides: kernel%{?1:-%{1}}-devel-%{_target_cpu} = %{specrpmversion}-%{release}\
- Provides: kernel-devel-%{_target_cpu} = %{specrpmversion}-%{release}%{?1:+%{1}}\
- Provides: kernel-devel-uname-r = %{KVERREL}%{?1:+%{1}}\
+ Provides: kernel-devel-%{_target_cpu} = %{specrpmversion}-%{release}%{uname_suffix %{?1:+%{1}}}\
+ Provides: kernel-devel-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\
 +Provides: kernel-devel = %{KVERREL}%{?1:+%{1}}\
  Provides: installonlypkg(kernel)\
  AutoReqProv: no\
  Requires(pre): findutils\
-@@ -1255,6 +1257,7 @@ against the %{?2:%{2} }kernel package.\
+@@ -1381,6 +1383,7 @@ against the %{?2:%{2} }kernel package.\
  Summary: Meta package to install matching core and devel packages for a given %{?2:%{2} }kernel\
  Requires: %{package_name}%{?1:-%{1}}-devel = %{specrpmversion}-%{release}\
  Requires: %{package_name}%{?1:-%{1}}-core = %{specrpmversion}-%{release}\
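Review bot: The line this patch adds, `Provides: kernel-devel = %{KVERREL}%{?1:+%{1}}\`, still uses the bare variant suffix, while the refreshed upstream context beside it now wraps the suffix in `%{uname_suffix %{?1:+%{1}}}` for `kernel-devel-uname-r`. The definition of `uname_suffix` is not visible here; if it rewrites the suffix for any variant, the added Provides will no longer match the uname-r value for that variant. Consider `Provides: kernel-devel = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\`. The same applies to the `kernel-%{?1:%{1}-}core` Provides in the next hunk. The spec section these lines belong to continues outside the hunk.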
@@ -36,22 +36,22 @@ index 51f43b21b018..2d91719b7d93 100644
  %description %{?1:%{1}-}devel-matched\
  This meta package is used to install matching core and devel packages for a given %{?2:%{2} }kernel.\
  %{nil}
-@@ -1373,6 +1376,7 @@ Requires: kernel-%{1}-core-uname-r = %{KVERREL}+%{1}\
- Requires: kernel-%{1}-modules-uname-r = %{KVERREL}+%{1}\
- Requires: kernel-%{1}-modules-core-uname-r = %{KVERREL}+%{1}\
+@@ -1502,6 +1505,7 @@ Requires: kernel-%{1}-modules-core-uname-r = %{KVERREL}+%{uname_suffix %{1}}\
+ Requires: realtime-setup\
+ %endif\
  Provides: installonlypkg(kernel)\
 +Provides: kernel = %{KVERREL}+%{1}\
  %description %{1}\
  The meta-package for the %{1} kernel\
  %{nil}
-@@ -1387,6 +1391,7 @@ The meta-package for the %{1} kernel\
+@@ -1534,6 +1538,7 @@ This package provides KVM modules for package kernel%{?1:-%{1}}.\
  Summary: %{variant_summary}\
- Provides: kernel-%{?1:%{1}-}core-uname-r = %{KVERREL}%{?1:+%{1}}\
+ Provides: kernel-%{?1:%{1}-}core-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\
  Provides: installonlypkg(kernel)\
 +Provides: kernel-%{?1:%{1}-}core = %{KVERREL}%{?1:+%{1}}\
  %if %{-m:1}%{!-m:0}\
- Requires: kernel-core-uname-r = %{KVERREL}\
- Requires: kernel-%{?1:%{1}-}-modules-core-uname-r = %{KVERREL}%{?1:+%{1}}\
+ Requires: kernel-core-uname-r = %{KVERREL}%{uname_variant %{?1:+%{1}}}\
+ Requires: kernel-%{?1:%{1}-}-modules-core-uname-r = %{KVERREL}%{uname_variant %{?1:+%{1}}}\
 -- 
-2.40.1
+2.41.0
 

+ 34 - 34
pkg/fedora/kernel-surface/patches/0003-obsoletes.patch

@@ -1,6 +1,6 @@
-From 360961a67b03503c59b7434ccc5bd1d2fa40b55e Mon Sep 17 00:00:00 2001
+From 819c1b06089925d6944bf2dad9dc29649b7510d5 Mon Sep 17 00:00:00 2001
 From: Dorian Stoll <dorian.stoll@tmsp.io>
-Date: Sun, 14 May 2023 18:16:38 +0200
+Date: Sat, 22 Jul 2023 10:40:32 +0200
 Subject: [PATCH] Let kernel-surface conflict with older versions of the
  package
 
@@ -10,10 +10,10 @@ Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
  1 file changed, 20 insertions(+)
 
 diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
-index d952180f91ef..dc95736a227e 100644
+index ea7de5884a89..43dce82a9d36 100644
 --- a/redhat/kernel.spec.template
 +++ b/redhat/kernel.spec.template
-@@ -599,6 +599,10 @@ Requires: kernel-modules-uname-r = %{KVERREL}
+@@ -698,6 +698,10 @@ Requires: kernel-modules-uname-r = %{KVERREL}
  Requires: kernel-modules-core-uname-r = %{KVERREL}
  Provides: installonlypkg(kernel)
  Provides: kernel = %{KVERREL}
@@ -24,8 +24,8 @@ index d952180f91ef..dc95736a227e 100644
  %endif
  
  
-@@ -1230,6 +1234,8 @@ Provides: kernel-devel-%{_target_cpu} = %{specrpmversion}-%{release}%{?1:+%{1}}\
- Provides: kernel-devel-uname-r = %{KVERREL}%{?1:+%{1}}\
+@@ -1355,6 +1359,8 @@ Provides: kernel-devel-%{_target_cpu} = %{specrpmversion}-%{release}%{uname_suff
+ Provides: kernel-devel-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\
  Provides: kernel-devel = %{KVERREL}%{?1:+%{1}}\
  Provides: installonlypkg(kernel)\
 +Conflicts: %{package_name}-devel < 6.3.7-2\
@@ -33,7 +33,7 @@ index d952180f91ef..dc95736a227e 100644
  AutoReqProv: no\
  Requires(pre): findutils\
  Requires: findutils\
-@@ -1259,6 +1265,8 @@ Summary: Meta package to install matching core and devel packages for a given %{
+@@ -1384,6 +1390,8 @@ Summary: Meta package to install matching core and devel packages for a given %{
  Requires: %{package_name}%{?1:-%{1}}-devel = %{specrpmversion}-%{release}\
  Requires: %{package_name}%{?1:-%{1}}-core = %{specrpmversion}-%{release}\
  Provides: kernel-devel-matched = %{specrpmversion}-%{release}\
@@ -42,60 +42,60 @@ index d952180f91ef..dc95736a227e 100644
  %description %{?1:%{1}-}devel-matched\
  This meta package is used to install matching core and devel packages for a given %{?2:%{2} }kernel.\
  %{nil}
-@@ -1291,6 +1299,8 @@ Provides: kernel%{?1:-%{1}}-modules-internal-uname-r = %{KVERREL}%{?1:+%{1}}\
- Requires: kernel-uname-r = %{KVERREL}%{?1:+%{1}}\
- Requires: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?1:+%{1}}\
- Requires: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{?1:+%{1}}\
+@@ -1416,6 +1424,8 @@ Provides: kernel%{?1:-%{1}}-modules-internal-uname-r = %{KVERREL}%{uname_suffix
+ Requires: kernel-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\
+ Requires: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\
+ Requires: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\
 +Conflicts: %{package_name}-modules-internal < 6.3.7-2\
 +Obsoletes: %{package_name}-modules-internal < 6.3.7-2\
  AutoReq: no\
  AutoProv: yes\
  %description %{?1:%{1}-}modules-internal\
-@@ -1312,6 +1322,8 @@ Provides: kernel%{?1:-%{1}}-modules-extra-uname-r = %{KVERREL}%{?1:+%{1}}\
- Requires: kernel-uname-r = %{KVERREL}%{?1:+%{1}}\
- Requires: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?1:+%{1}}\
- Requires: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{?1:+%{1}}\
+@@ -1437,6 +1447,8 @@ Provides: kernel%{?1:-%{1}}-modules-extra-uname-r = %{KVERREL}%{uname_suffix %{?
+ Requires: kernel-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\
+ Requires: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\
+ Requires: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\
 +Conflicts: %{package_name}-modules-extra < 6.3.7-2\
 +Obsoletes: %{package_name}-modules-extra < 6.3.7-2\
  %if %{-m:1}%{!-m:0}\
- Requires: kernel-modules-extra-uname-r = %{KVERREL}\
+ Requires: kernel-modules-extra-uname-r = %{KVERREL}%{uname_variant %{?1:+%{1}}}\
  %endif\
-@@ -1335,6 +1347,8 @@ Provides: installonlypkg(kernel-module)\
- Provides: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?1:+%{1}}\
- Requires: kernel-uname-r = %{KVERREL}%{?1:+%{1}}\
- Requires: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{?1:+%{1}}\
+@@ -1460,6 +1472,8 @@ Provides: installonlypkg(kernel-module)\
+ Provides: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\
+ Requires: kernel-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\
+ Requires: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\
 +Conflicts: %{package_name}-modules < 6.3.7-2\
 +Obsoletes: %{package_name}-modules < 6.3.7-2\
  %if %{-m:1}%{!-m:0}\
- Requires: kernel-modules-uname-r = %{KVERREL}\
+ Requires: kernel-modules-uname-r = %{KVERREL}%{uname_variant %{?1:+%{1}}}\
  %endif\
-@@ -1357,6 +1371,8 @@ Provides: kernel-modules-core = %{specrpmversion}-%{release}%{?1:+%{1}}\
+@@ -1482,6 +1496,8 @@ Provides: kernel-modules-core = %{specrpmversion}-%{release}%{uname_suffix %{?1:
  Provides: installonlypkg(kernel-module)\
- Provides: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{?1:+%{1}}\
- Requires: kernel-uname-r = %{KVERREL}%{?1:+%{1}}\
+ Provides: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\
+ Requires: kernel-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\
 +Conflicts: %{package_name}-modules-core < 6.3.7-2\
 +Obsoletes: %{package_name}-modules-core < 6.3.7-2\
  %if %{-m:1}%{!-m:0}\
- Requires: kernel-modules-core-uname-r = %{KVERREL}\
+ Requires: kernel-modules-core-uname-r = %{KVERREL}%{uname_variant %{?1:+%{1}}}\
+ %endif\
+@@ -1504,6 +1520,8 @@ Requires: kernel-%{1}-modules-core-uname-r = %{KVERREL}+%{uname_suffix %{1}}\
+ %if "%{1}" == "rt" || "%{1}" == "rt-debug"\
+ Requires: realtime-setup\
  %endif\
-@@ -1376,6 +1392,8 @@ summary: kernel meta-package for the %{1} kernel\
- Requires: kernel-%{1}-core-uname-r = %{KVERREL}+%{1}\
- Requires: kernel-%{1}-modules-uname-r = %{KVERREL}+%{1}\
- Requires: kernel-%{1}-modules-core-uname-r = %{KVERREL}+%{1}\
 +Conflicts: %{package_name} < 6.3.7-2\
 +Obsoletes: %{package_name} < 6.3.7-2\
  Provides: installonlypkg(kernel)\
  Provides: kernel = %{KVERREL}+%{1}\
  %description %{1}\
-@@ -1393,6 +1411,8 @@ Summary: %{variant_summary}\
- Provides: kernel-%{?1:%{1}-}core-uname-r = %{KVERREL}%{?1:+%{1}}\
+@@ -1539,6 +1557,8 @@ Summary: %{variant_summary}\
+ Provides: kernel-%{?1:%{1}-}core-uname-r = %{KVERREL}%{uname_suffix %{?1:+%{1}}}\
  Provides: installonlypkg(kernel)\
  Provides: kernel-%{?1:%{1}-}core = %{KVERREL}%{?1:+%{1}}\
 +Conflicts: %{package_name}-core < 6.3.7-2\
 +Obsoletes: %{package_name}-core < 6.3.7-2\
  %if %{-m:1}%{!-m:0}\
- Requires: kernel-core-uname-r = %{KVERREL}\
- Requires: kernel-%{?1:%{1}-}-modules-core-uname-r = %{KVERREL}%{?1:+%{1}}\
+ Requires: kernel-core-uname-r = %{KVERREL}%{uname_variant %{?1:+%{1}}}\
+ Requires: kernel-%{?1:%{1}-}-modules-core-uname-r = %{KVERREL}%{uname_variant %{?1:+%{1}}}\
 -- 
-2.40.1
+2.41.0
 

+ 11 - 11
pkg/fedora/kernel-surface/patches/0004-default-kernel.patch

@@ -1,6 +1,6 @@
-From a45b4c3fcb7d364f236a25e03378a6b03a9cc627 Mon Sep 17 00:00:00 2001
+From 81141a454f41cbc5fd41b778f85b10552c8676e8 Mon Sep 17 00:00:00 2001
 From: Dorian Stoll <dorian.stoll@tmsp.io>
-Date: Sat, 3 Jun 2023 11:47:02 +0200
+Date: Sat, 22 Jul 2023 10:41:11 +0200
 Subject: [PATCH] Install scripts and service files for keeping the surface
  kernel the default
 
@@ -10,10 +10,10 @@ Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
  1 file changed, 34 insertions(+)
 
 diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
-index dc95736a227e..4d6504ca721b 100644
+index 43dce82a9d36..28df94e561d4 100644
 --- a/redhat/kernel.spec.template
 +++ b/redhat/kernel.spec.template
-@@ -911,6 +911,11 @@ Source4000: README.rst
+@@ -1025,6 +1025,11 @@ Source4000: README.rst
  Source4001: rpminspect.yaml
  Source4002: gating.yaml
  
@@ -25,7 +25,7 @@ index dc95736a227e..4d6504ca721b 100644
  ## Patches needed for building this package
  
  %if !%{nopatches}
-@@ -944,6 +949,7 @@ Requires(pre): %{initrd_prereq}\
+@@ -1058,6 +1063,7 @@ Requires(pre): %{initrd_prereq}\
  Requires(pre): ((linux-firmware >= 20150904-56.git6ebf5d57) if linux-firmware)\
  Recommends: linux-firmware\
  Recommends: iptsd\
@@ -33,7 +33,7 @@ index dc95736a227e..4d6504ca721b 100644
  Requires(preun): systemd >= 200\
  Conflicts: xfsprogs < 4.3.0-1\
  Conflicts: xorg-x11-drv-vmmouse < 13.0.99\
-@@ -958,6 +964,14 @@ AutoProv: yes\
+@@ -1072,6 +1078,14 @@ AutoProv: yes\
  %{nil}
  
  
@@ -48,7 +48,7 @@ index dc95736a227e..4d6504ca721b 100644
  %package doc
  Summary: Various documentation bits found in the kernel source
  Group: Documentation
-@@ -2691,6 +2705,11 @@ find Documentation -type d | xargs chmod u+w
+@@ -2945,6 +2959,11 @@ find Documentation -type d | xargs chmod u+w
  
  cd linux-%{KVERREL}
  
@@ -60,7 +60,7 @@ index dc95736a227e..4d6504ca721b 100644
  %if %{with_doc}
  docdir=$RPM_BUILD_ROOT%{_datadir}/doc/kernel-doc-%{specversion}-%{pkgrelease}
  
-@@ -2938,6 +2957,15 @@ popd
+@@ -3197,6 +3216,15 @@ popd
  ### scripts
  ###
  
@@ -76,7 +76,7 @@ index dc95736a227e..4d6504ca721b 100644
  %if %{with_tools}
  %post -n %{package_name}-tools-libs
  /sbin/ldconfig
-@@ -3313,6 +3341,12 @@ fi
+@@ -3609,6 +3637,12 @@ fi\
  %{_libexecdir}/kselftests
  %endif
  
@@ -87,8 +87,8 @@ index dc95736a227e..4d6504ca721b 100644
 +%{_presetdir}/90-linux-surface-default-watchdog.preset
 +
  # empty meta-package
+ %if %{with_up_base}
  %ifnarch %nobuildarches noarch
- %files
 -- 
-2.40.1
+2.41.0
 

+ 0 - 25
pkg/fedora/kernel-surface/patches/9999-TEMP-Add-hid-uclogic-test-to-mod-internal.list.patch

@@ -1,25 +0,0 @@
-From 1a1b787441b355ea9bbcaf335d3c3ae5ca44534f Mon Sep 17 00:00:00 2001
-From: "Justin M. Forbes" <jforbes@fedoraproject.org>
-Date: Wed, 12 Jul 2023 07:34:54 -0500
-Subject: [PATCH] Add hid-uclogic-test to mod-internal.list
-
-Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
----
- redhat/scripts/mod/mod-internal.list | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/redhat/scripts/mod/mod-internal.list b/redhat/scripts/mod/mod-internal.list
-index b0368901ff30..3bebd2dfc05c 100644
---- a/redhat/scripts/mod/mod-internal.list
-+++ b/redhat/scripts/mod/mod-internal.list
-@@ -26,6 +26,7 @@ fat_test
- fortify_kunit
- gss_krb5_test
- hashtable_test
-+hid-uclogic-test
- iio-test-format
- iio-test-rescale
- is_signed_type_kunit
--- 
-2.41.0
-

+ 9 - 9
pkg/fedora/kernel-surface/secureboot/0001-secureboot.patch

@@ -1,6 +1,6 @@
-From 67f8052f553191686b1224b5598d00ff33d38608 Mon Sep 17 00:00:00 2001
+From 71133b4337411ddd550d5e5ef68a12c510740b2c Mon Sep 17 00:00:00 2001
 From: Dorian Stoll <dorian.stoll@tmsp.io>
-Date: Sat, 13 May 2023 16:39:50 +0200
+Date: Sat, 22 Jul 2023 10:45:33 +0200
 Subject: [PATCH] Use a custom key and certificate for Secure Boot signing
 
 Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
@@ -9,10 +9,10 @@ Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
  1 file changed, 9 insertions(+), 6 deletions(-)
 
 diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
-index 51f43b21b018..76d1ad8e2818 100644
+index 28df94e561d4..fd44abc4118a 100644
 --- a/redhat/kernel.spec.template
 +++ b/redhat/kernel.spec.template
-@@ -703,6 +703,7 @@ BuildRequires: system-sb-certs
+@@ -805,6 +805,7 @@ BuildRequires: system-sb-certs
  %ifarch x86_64 aarch64
  BuildRequires: nss-tools
  BuildRequires: pesign >= 0.10-4
@@ -20,7 +20,7 @@ index 51f43b21b018..76d1ad8e2818 100644
  %endif
  %endif
  %endif
-@@ -762,6 +763,13 @@ Source1: Makefile.rhelver
+@@ -864,6 +865,13 @@ Source1: Makefile.rhelver
  %define signing_key_filename kernel-signing-s390.cer
  %endif
  
@@ -34,8 +34,8 @@ index 51f43b21b018..76d1ad8e2818 100644
  %if %{?released_kernel}
  
  Source10: redhatsecurebootca5.cer
-@@ -1860,9 +1868,7 @@ BuildKernel() {
-     fi
+@@ -2096,9 +2104,7 @@ BuildKernel() {
+     SignImage=$KernelImage
  
      %ifarch x86_64 aarch64
 -    %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
@@ -45,7 +45,7 @@ index 51f43b21b018..76d1ad8e2818 100644
      %endif
      %ifarch s390x ppc64le
      if [ -x /usr/bin/rpm-sign ]; then
-@@ -2393,9 +2399,6 @@ BuildKernel() {
+@@ -2650,9 +2656,6 @@ BuildKernel() {
      # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
      mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
      %ifarch x86_64 aarch64
@@ -56,5 +56,5 @@ index 51f43b21b018..76d1ad8e2818 100644
         install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
      %endif
 -- 
-2.40.1
+2.41.0