Separate out CI workflows for patching and building

Author: bartvdbraak

.github/workflows/build.yml

@@ -0,0 +1,54 @@
+name: Build and Publish
+run-name: Build and publish Docker image for ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref_name }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: 'Ref to build'
+        required: true
+  push:
+    tags:
+      '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref_name }}
+          fetch-depth: 0
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          check-latest: true
+
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Fetch Go modules
+        run: make vendor
+
+      - name: Build and push rootless Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: linux/amd64
+          push: true
+          file: Dockerfile.rootless
+          tags: ghcr.io/${{ github.repository }}:${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref_name }}

.github/workflows/patch-release.yml

@@ -0,0 +1,69 @@
+name: Patch upstream release
+run-name: Apply patches to release ${{ inputs.tag }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Specify an upstream version tag'
+        required: true
+        default: 'v1.23.1'
+
+jobs:
+  patch-upstream:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      actions: write
+    steps:
+      - name: Checkout current branch
+        uses: actions/checkout@v3
+
+      - name: Move patches
+        run: mv patches /tmp/patches
+
+      - name: Add upstream and fetch tags
+        run: |
+          git remote add upstream https://github.com/go-gitea/gitea.git
+          git fetch upstream --tags
+
+      - name: Verify upstream tag exists
+        run: |
+          if ! git rev-parse "refs/tags/${{ inputs.tag }}" >/dev/null 2>&1; then
+            echo "Error: Tag ${{ inputs.tag }} does not exist upstream."
+            exit 1
+          fi
+
+      - name: Create branch from determined tag
+        run: git checkout tags/${{ inputs.tag }} -b apply-patches-${{ inputs.tag }}
+
+      - name: Configure Git user
+        run: |
+          git config --global user.name 'Bart van der Braak'
+          git config --global user.email '[email protected]'
+
+      - name: Apply patches
+        run: |
+          if ! git am --3way /tmp/patches/*.patch; then
+            echo "Patch application failed."
+            git am --abort
+            exit 1
+          fi
+
+      - name: Clean tags and push new
+        run: |
+          git tag -d "${{ inputs.tag }}" || echo "Local tag does not exist, skipping delete."
+          git push --delete origin "${{ inputs.tag }}" || echo "Remote tag does not exist, skipping delete."
+          git tag -a "${{ inputs.tag }}" -m "Tagging version ${{ inputs.tag }} after applying patches"
+          git push origin "${{ inputs.tag }}"
+          echo '{"ref":"${{ inputs.tag }}"}' | gh workflow run build.yml --ref "ci"	--repo "blender/gitea" --json
+        env:
+          GH_TOKEN: ${{ github.token }}
+
+      - name: Push branch
+        if: always()
+        run: git push origin apply-patches-${{ inputs.tag }} --force
+        env:
+          PAT_TOKEN: ${{ secrets.PAT_TOKEN }}
+