From 77c98a6c84a237b999f52778605c12850c1da0ba Mon Sep 17 00:00:00 2001
From: Keerthi Gowda
Date: Wed, 24 Jun 2026 14:55:34 -0700
Subject: [PATCH] pkg-release: add S3 upload for proposed debs and provenance Add two changes to the Ubuntu release workflow: - ubuntu-s3-proposed: runs after build-and-test (before approval gate), uploads debs/ to S3 so external consumers can fetch and validate before approving the release. - persistance: runner changed to lecore-prd-u2404-arm64-xlrg-od-ephem (self-hosted, has AWS credentials). Two new steps appended at the end upload provenance_.json to the same S3 path after release completes. No separate provenance job needed. S3 layout: s3://qli-prd-lecore-gh-artifacts/qualcomm-linux/pkg/proposed// provenance_.json <- uploaded by persistance post-release debs/ <- uploaded by ubuntu-s3-proposed pre-approval *.deb Job graph: build-and-test -> debian-release (approval gate) -+-> persistance build-and-test -> ubuntu-release (approval gate) -+ build-and-test -> ubuntu-s3-proposed (no gate) -+
Signed-off-by: Keerthi Gowda
---
 .../pkg-release-reusable-workflow.yml | 56 ++++++++++++++++++-
 1 file changed, 55 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/pkg-release-reusable-workflow.yml b/.github/workflows/pkg-release-reusable-workflow.yml
index dcb6c76..4965dae 100644
--- a/.github/workflows/pkg-release-reusable-workflow.yml
+++ b/.github/workflows/pkg-release-reusable-workflow.yml
@@ -487,7 +487,7 @@ jobs:
 - build-and-test
 - debian-release
 - ubuntu-release
- runs-on: ubuntu-latest
+ runs-on: lecore-prd-u2404-arm64-xlrg-od-ephem
 if: ${{ always() && ((needs.build-and-test.outputs.family == 'ubuntu' && needs.ubuntu-release.result == 'success') || (needs.build-and-test.outputs.family == 'debian' && !inputs.test-run && needs.debian-release.result == 'success')) }}
 permissions:
 contents: read
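Review bot: Changing `runs-on` to `lecore-prd-u2404-arm64-xlrg-od-ephem` moves every step of this job onto a runner that, per the commit message, holds AWS credentials — not only the two new upload steps but also what appears to be a `git pull --rebase` retry loop in the context of the next hunk. Consider leaving this job on `ubuntu-latest` and doing the provenance upload in a small dedicated job on the self-hosted runner, with `provenance.json` handed over as an artifact, so the credentialed runner executes nothing but the upload. If the single-job layout stays, a comment above the line would record why, e.g. `# self-hosted: AWS credentials needed for the S3 provenance upload at the end of this job`. Most of the job body lies outside this hunk, so the other steps it runs could not be checked here.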
@@ -654,3 +654,57 @@ jobs:
 git pull --rebase origin main
 done
 fi
+
+ - name: Stage provenance for S3 upload
+ if: ${{ needs.build-and-test.outputs.family == 'ubuntu' }}
+ env:
+ SUITE: ${{ needs.build-and-test.outputs.suite }}
+ run: |
+ set -euxo pipefail
+ mkdir -p s3-provenance
+ cp build/provenance.json "s3-provenance/provenance_${SUITE}.json"
+
+ - name: Upload provenance to S3
+ if: ${{ needs.build-and-test.outputs.family == 'ubuntu' }}
+ uses: qualcomm-linux/upload-private-artifact-action@aws-v4
+ with:
+ s3_bucket: qli-prd-lecore-gh-artifacts
+ path: s3-provenance
+ destination: qualcomm-linux/pkg/proposed/${{ github.run_id }}/
+
+ upload-debs-to-s3:
+ name: Upload Debs to S3 (Ubuntu)
+ if: ${{ needs.build-and-test.outputs.family == 'ubuntu' }}
+ needs:
+ - build-and-test
+ runs-on: lecore-prd-u2404-arm64-xlrg-od-ephem
+ defaults:
+ run:
+ shell: bash
+ steps:
+ - name: Download Docker build artifacts
+ uses: actions/download-artifact@v8
+ with:
+ name: docker-build-area
+ path: .
+
+ - name: Extract Docker build artifacts
+ run: |
+ set -euxo pipefail
+ mkdir -p build-area
+ tar -C build-area -xzf docker-build-area.tgz
+
+ - name: Stage debs for S3 proposed upload
+ env:
+ SUITE: ${{ needs.build-and-test.outputs.suite }}
+ run: |
+ set -euxo pipefail
+ mkdir -p s3-proposed/debs
+ find build-area -maxdepth 1 -name "*.deb" -exec cp {} s3-proposed/debs/ \;
+
+ - name: Upload proposed debs and provenance to S3
+ uses: qualcomm-linux/upload-private-artifact-action@aws-v4
+ with:
+ s3_bucket: qli-prd-lecore-gh-artifacts
+ path: s3-proposed
+ destination: qualcomm-linux/pkg/proposed/${{ github.run_id }}/
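Review bot: Both upload steps reference `qualcomm-linux/upload-private-artifact-action@aws-v4`, a movable ref, and the action runs on the runner the commit message describes as holding AWS credentials, so a change to that ref silently changes what executes with write access to the production bucket; pinning to a full commit SHA, `uses: qualcomm-linux/upload-private-artifact-action@<full-commit-sha>  # aws-v4`, removes that dependency (the same applies to `actions/download-artifact@v8`). The new `upload-debs-to-s3` job also declares no `permissions:` block, unlike the job in the previous hunk which sets `contents: read`, so its token scope falls back to whatever the workflow or repository default grants; adding `permissions:` with `contents: read` keeps it minimal. In "Stage debs for S3 proposed upload", `find … -exec cp` exits 0 when nothing matches, so an empty `debs/` would be published for consumers to validate; adding `ls s3-proposed/debs/*.deb` after the `find` makes the step fail instead, and the unused `SUITE` env can be dropped. The destination is keyed on `github.run_id` alone, so a re-run of the same workflow run would presumably overwrite debs that consumers have already fetched; appending `${{ github.run_attempt }}` or publishing a checksum file alongside would make that detectable.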