From 37adff75c459d542ba7b7588f2319bd3e7a2658f Mon Sep 17 00:00:00 2001
From: Kevin Sandi
Date: Wed, 11 Feb 2026 15:32:21 -0600
Subject: [PATCH] CI: Deploy python based Github2Gerrit

Issue-ID: CIMAN-33
Change-Id: I7a005add85a4157122c8d92346a2a6dc6e4d8f4e
Signed-off-by: Kevin Sandi
---
.github/workflows/call-github2gerrit.yaml | 221 +++++++++++++++++++++++++++---
1 file changed, 204 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/call-github2gerrit.yaml b/.github/workflows/call-github2gerrit.yaml
index fa6ae05e67..36db35d62f 100644
--- a/.github/workflows/call-github2gerrit.yaml
+++ b/.github/workflows/call-github2gerrit.yaml
@@ -1,33 +1,220 @@ --- # SPDX-License-Identifier: Apache-2.0 -# Copyright 2025 The Linux Foundation +# SPDX-FileCopyrightText: 2026 The Linux Foundation -name: call-github2gerrit-reusable-workflow +name: 'GitHub2Gerrit' # yamllint disable-line rule:truthy on: - workflow_dispatch: + # Submit new Github pull requests to Gerrit + # When pull request is modified, update Gerrit change pull_request_target: - types: [opened, reopened, edited, synchronize] + types: [opened, reopened, edited, synchronize, closed] branches: - - master - main + - master + + # Pushes from Gerrit use gerrit_to_platform triggers + # These use the workflow_dispatch method/invocation + workflow_dispatch: + inputs: + GERRIT_BRANCH: + description: 'Branch that change is against' + required: false + type: string + GERRIT_CHANGE_ID: + description: 'The ID for the change' + required: false + type: string + GERRIT_CHANGE_NUMBER: + description: 'The Gerrit number' + required: false + type: string + GERRIT_CHANGE_URL: + description: 'URL to the change' + required: false + type: string + GERRIT_EVENT_TYPE: + description: 'Gerrit event type' + required: false + type: string + GERRIT_PATCHSET_NUMBER: + description: 'The patch number for the change' + required: false + type: string + GERRIT_PATCHSET_REVISION: + description: 'The revision sha' + required: false + type: string + GERRIT_PROJECT: + description: 'Project in Gerrit' + required: false + type: string + GERRIT_REFSPEC: + description: 'Gerrit refspec of change' + required: false + type: string + GERRIT_DISABLED: + description: "Run without Gerrit components" + required: false + default: false + type: boolean + allow_duplicates: + description: "Allow submitting duplicate changes without error" + required: false + default: true + type: boolean + preserve_github_prs: + description: "Do not close GitHub PRs after pushing to Gerrit" + required: false + default: true + type: boolean concurrency: - # yamllint disable-line rule:line-length - group: ${{ 
github.workflow }}-${{ github.run_id }} - cancel-in-progress: true + # Separate concurrency groups for different event types to prevent interference: + # - PR events: Group by PR number, allow cancellation of older commits + # - Push events: Group by run_id (unique), never cancel + # - Workflow dispatch: Group by run_id (unique), never cancel + group: >- + ${{ + github.event_name == 'pull_request_target' && format('{0}-pr-{1}', github.workflow, github.event.pull_request.number) || + format('{0}-{1}-{2}', github.workflow, github.event_name, github.run_id) + }} + # Only cancel in-progress runs for PR events (newer commit supersedes older) + # Never cancel push events (each Gerrit merge should process independently) + cancel-in-progress: ${{ github.event_name == 'pull_request_target' }} jobs: - call-in-g2g-workflow: + repository-metadata: + name: "Repository Metadata" + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read + timeout-minutes: 5 + steps: + # yamllint disable-line rule:line-length + - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + + # yamllint disable-line rule:line-length + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + + - name: "Gather repository metadata" + id: repo-metadata + # yamllint disable-line rule:line-length + uses: lfreleng-actions/repository-metadata-action@ceabcd987d13d7bfefd2372e01eebb0ddac45956 # v0.2.0 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + github_summary: 'true' + files_summary: 'true' + artifact_upload: 'true' + artifact_formats: 'json' + + notify: + if: github.event_name == 'workflow_dispatch' && inputs.GERRIT_DISABLED != true + runs-on: ubuntu-latest + steps: + # Harden the runner used by this workflow + # yamllint disable-line rule:line-length + - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + + - 
name: Notify job start + # yamllint disable-line rule:line-length + uses: lfreleng-actions/gerrit-review-action@6d2e00dfd3173cd9a36d11350c8fba44731c7b4e # v0.10.0 + with: + host: ${{ vars.GERRIT_SERVER }} + username: ${{ vars.GERRIT_SSH_USER }} + key: ${{ secrets.GERRIT_SSH_PRIVKEY }} + known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }} + gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }} + gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }} + vote-type: clear + - name: Allow replication + run: sleep 10s + + github2gerrit: + name: 'GitHub2Gerrit' + runs-on: ubuntu-latest + if: always() + needs: [notify] permissions: contents: read pull-requests: write - uses: lfit/github2gerrit/.github/workflows/github2gerrit.yaml@main - with: - GERRIT_KNOWN_HOSTS: ${{ vars.GERRIT_KNOWN_HOSTS }} - GERRIT_SSH_USER_G2G: ${{ vars.GERRIT_SSH_USER_G2G }} - GERRIT_SSH_USER_G2G_EMAIL: ${{ vars.GERRIT_SSH_USER_G2G_EMAIL }} - ORGANIZATION: ${{ vars.ORGANIZATION }} - secrets: - GERRIT_SSH_PRIVKEY_G2G: ${{ secrets.GERRIT_SSH_PRIVKEY_G2G }} + issues: write + timeout-minutes: 12 + steps: + # Harden the runner used by this workflow + # yamllint disable-line rule:line-length + - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + name: 'Harden runner' + with: + egress-policy: audit + + - name: 'Checkout repository' + # yamllint disable-line rule:line-length + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 10 + ref: ${{ github.event.pull_request.head.sha || github.sha }} + + - name: 'Run GitHub2Gerrit' + # yamllint disable-line rule:line-length + uses: lfreleng-actions/github2gerrit-action@7c1ba15a75dd86619139a81933f4432648d97af5 # v1.0.5 + env: + # Pass GERRIT_* inputs as environment variables when dispatched from Gerrit + GERRIT_BRANCH: ${{ github.event.inputs.GERRIT_BRANCH || '' }} + GERRIT_CHANGE_ID: ${{ github.event.inputs.GERRIT_CHANGE_ID || '' }} + GERRIT_CHANGE_NUMBER: ${{ 
github.event.inputs.GERRIT_CHANGE_NUMBER || '' }} + GERRIT_CHANGE_URL: ${{ github.event.inputs.GERRIT_CHANGE_URL || '' }} + GERRIT_EVENT_TYPE: ${{ github.event.inputs.GERRIT_EVENT_TYPE || '' }} + GERRIT_PATCHSET_NUMBER: ${{ github.event.inputs.GERRIT_PATCHSET_NUMBER || '' }} + GERRIT_PATCHSET_REVISION: ${{ github.event.inputs.GERRIT_PATCHSET_REVISION || '' }} + GERRIT_PROJECT: ${{ github.event.inputs.GERRIT_PROJECT || '' }} + GERRIT_REFSPEC: ${{ github.event.inputs.GERRIT_REFSPEC || '' }} + with: + # Only for testing in LF Gerrit/sandbox; remove AUTOMATION_ONLY from production workflows + AUTOMATION_ONLY: "false" + USE_LOCAL_ACTION: true # Use branch code for testing, not PyPI + USE_PR_AS_COMMIT: true + VERBOSE: false + + # Workflow-specific inputs (only used for pull_request_target/workflow_dispatch) + ALLOW_DUPLICATES: ${{ github.event_name == 'workflow_dispatch' && inputs.allow_duplicates || true }} + PRESERVE_GITHUB_PRS: ${{ github.event_name == 'workflow_dispatch' && inputs.preserve_github_prs || true }} + ISSUE_ID_LOOKUP_JSON: ${{ vars.ISSUE_ID_LOOKUP_JSON }} + + # Authentication (required for all contexts) + GERRIT_SSH_PRIVKEY_G2G: ${{ secrets.GERRIT_SSH_PRIVKEY_G2G }} + GERRIT_KNOWN_HOSTS: ${{ vars.GERRIT_KNOWN_HOSTS }} + + report-status: + if: ${{ always() && github.event_name == 'workflow_dispatch' && inputs.GERRIT_DISABLED != true }} + needs: [notify, github2gerrit] + runs-on: ubuntu-latest + steps: + # Harden the runner used by this workflow + # yamllint disable-line rule:line-length + - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + + - name: Get workflow conclusion + uses: im-open/workflow-conclusion@e4f7c4980600fbe0818173e30931d3550801b992 # v2.2.3 + + - name: Report workflow conclusion + # yamllint disable-line rule:line-length + uses: lfreleng-actions/gerrit-review-action@6d2e00dfd3173cd9a36d11350c8fba44731c7b4e # v0.10.0 + with: + host: ${{ vars.GERRIT_SERVER }} + username: ${{ 
vars.GERRIT_SSH_USER }} + key: ${{ secrets.GERRIT_SSH_PRIVKEY }} + known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }} + gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }} + gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }} + vote-type: ${{ env.WORKFLOW_CONCLUSION }} -- 2.16.6
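Review bot: The `github2gerrit` job runs on `pull_request_target` and checks out `github.event.pull_request.head.sha`, which places the PR author's tree in the workspace of a job that is given `secrets.GERRIT_SSH_PRIVKEY_G2G` and a token with `pull-requests: write` and `issues: write`. actions/checkout persists the job token for later git commands by default, so add `persist-credentials: false` to the 'Checkout repository' step unless the action is known to need it. `USE_LOCAL_ACTION: true` is commented as "Use branch code for testing, not PyPI"; if that setting makes the action run code from the checked-out tree it should be `false` in this workflow, and the comment above `AUTOMATION_ONLY` suggests both are test settings, which is worth confirming before merge. Separately, `github.event_name == 'workflow_dispatch' && inputs.allow_duplicates || true` always evaluates to `true`, so `ALLOW_DUPLICATES` and `PRESERVE_GITHUB_PRS` ignore an explicit `false`; `${{ github.event_name != 'workflow_dispatch' || inputs.allow_duplicates }}` (and the same form for `preserve_github_prs`) keeps `true` for PR events and honours the dispatch input.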