Add prepare-release workflow that leverages existing buildkit.yml

Instead of reimplementing release logic, this approach:
1. Uses prepare-patched-release.yml to cherry-pick patches
2. Creates the tag locally but doesn't push
3. Provides manual commands to push the tag
4. Leverages existing buildkit.yml for actual release

Benefits:
- No PAT needed for patches without workflow changes
- Uses upstream's proven build/release process
- Manual review step before release
- Simpler and more maintainable

Author: adityamaru

.github/workflows/prepare-patched-release.yml

@@ -0,0 +1,221 @@
+name: Prepare Patched Release
+
+# This workflow prepares a patched release but DOES NOT push it
+# After review, you manually push the tag which triggers buildkit.yml
+
+on:
+  workflow_dispatch:
+    inputs:
+      upstream_version:
+        description: 'Upstream version to patch (e.g., v0.17.0)'
+        required: true
+        type: string
+      release_suffix:
+        description: 'Suffix for release (default: blacksmith)'
+        required: false
+        type: string
+        default: 'blacksmith'
+
+permissions:
+  contents: write
+
+jobs:
+  prepare-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup git
+        run: |
+          git config user.name "GitHub Actions"
+          git config user.email "actions@github.com"
+
+      - name: Add and fetch upstream
+        run: |
+          git remote add upstream https://github.com/moby/buildkit.git || true
+          git fetch upstream master --tags
+          git fetch origin master
+
+      - name: Prepare patched release
+        id: prepare
+        run: |
+          VERSION="${{ github.event.inputs.upstream_version }}"
+          SUFFIX="${{ github.event.inputs.release_suffix }}"
+          RELEASE_TAG="${VERSION}-${SUFFIX}"
+          RELEASE_BRANCH="${VERSION}-${SUFFIX}"
+
+          # Check if already exists
+          if git rev-parse "refs/tags/$RELEASE_TAG" >/dev/null 2>&1; then
+            echo "❌ Release $RELEASE_TAG already exists"
+            echo ""
+            echo "To recreate it, first delete the existing tag:"
+            echo "  git push origin --delete $RELEASE_TAG"
+            echo "  git push origin --delete $RELEASE_BRANCH"
+            exit 1
+          fi
+
+          # Verify upstream version exists
+          if ! git rev-parse "refs/tags/$VERSION" >/dev/null 2>&1; then
+            echo "❌ Upstream version $VERSION not found"
+            echo ""
+            echo "Available recent versions:"
+            git tag -l 'v*.*.*' | grep -v '\-' | sort -rV | head -20
+            exit 1
+          fi
+
+          # Checkout upstream version
+          echo "Creating release branch from $VERSION..."
+          git checkout -b "$RELEASE_BRANCH" "$VERSION"
+
+          # Find all commits that are in origin/master but not in upstream/master
+          echo ""
+          echo "Finding patches to apply..."
+          PATCHES=$(git rev-list upstream/master..origin/master --reverse --no-merges)
+
+          if [ -z "$PATCHES" ]; then
+            echo "⚠️  No patches found. Your master branch has no commits ahead of upstream."
+            exit 1
+          fi
+
+          # Count patches
+          PATCH_COUNT=$(echo "$PATCHES" | wc -l | tr -d ' ')
+          echo "Found $PATCH_COUNT patches to apply"
+          echo ""
+
+          # Apply patches and collect results
+          APPLIED_PATCHES=""
+          FAILED_PATCHES=""
+          SUCCESS_COUNT=0
+          HAS_WORKFLOW_CHANGES=false
+
+          for COMMIT in $PATCHES; do
+            COMMIT_MSG=$(git log -1 --pretty=format:"%h: %s" "$COMMIT")
+            FULL_MSG=$(git log -1 --pretty=format:"%s" "$COMMIT")
+
+            # Check if commit modifies workflow files
+            WORKFLOW_CHANGES=$(git diff-tree --no-commit-id --name-only -r "$COMMIT" | grep "^.github/workflows/" || true)
+            if [ -n "$WORKFLOW_CHANGES" ]; then
+              HAS_WORKFLOW_CHANGES=true
+              echo "⚠️  Commit $COMMIT_MSG modifies workflow files:"
+              echo "$WORKFLOW_CHANGES" | sed 's/^/    /'
+            fi
+
+            echo "Applying $COMMIT_MSG..."
+            if git cherry-pick "$COMMIT" >/dev/null 2>&1; then
+              echo "  ✅ Success"
+              if [ -n "$APPLIED_PATCHES" ]; then
+                APPLIED_PATCHES=$(printf "%s\n- %s" "$APPLIED_PATCHES" "$FULL_MSG")
+              else
+                APPLIED_PATCHES="- $FULL_MSG"
+              fi
+              SUCCESS_COUNT=$((SUCCESS_COUNT + 1))
+            else
+              echo "  ❌ Failed (conflicts with this version)"
+              if [ -n "$FAILED_PATCHES" ]; then
+                FAILED_PATCHES=$(printf "%s\n- %s" "$FAILED_PATCHES" "$FULL_MSG")
+              else
+                FAILED_PATCHES="- $FULL_MSG"
+              fi
+              git cherry-pick --abort || true
+            fi
+          done
+
+          echo ""
+          echo "========================================="
+          echo "Applied $SUCCESS_COUNT out of $PATCH_COUNT patches"
+
+          if [ -n "$APPLIED_PATCHES" ]; then
+            echo ""
+            echo "✅ Successfully applied:"
+            echo "$APPLIED_PATCHES"
+          fi
+
+          if [ -n "$FAILED_PATCHES" ]; then
+            echo ""
+            echo "⚠️  Failed to apply (incompatible with $VERSION):"
+            echo "$FAILED_PATCHES"
+          fi
+
+          if [ "$SUCCESS_COUNT" -eq 0 ]; then
+            echo ""
+            echo "❌ No patches could be applied to $VERSION"
+            exit 1
+          fi
+
+          # Create annotated tag locally
+          TAG_MSG=$(printf "Release %s with %s patches\n\nPatches applied:\n%s" "$VERSION" "$SUCCESS_COUNT" "$APPLIED_PATCHES")
+          git tag -a "$RELEASE_TAG" -m "$TAG_MSG"
+
+          echo ""
+          echo "========================================="
+          echo "📦 RELEASE PREPARED SUCCESSFULLY"
+          echo "========================================="
+          echo ""
+          echo "Branch created: $RELEASE_BRANCH"
+          echo "Tag created: $RELEASE_TAG"
+          echo ""
+
+          if [ "$HAS_WORKFLOW_CHANGES" = true ]; then
+            echo "⚠️  WARNING: This release contains workflow file changes!"
+            echo "You'll need a Personal Access Token with 'workflow' scope to push."
+            echo ""
+          fi
+
+          echo "To complete the release, run these commands locally:"
+          echo ""
+          echo "  # Clone and setup"
+          echo "  git clone https://github.com/${{ github.repository }}.git"
+          echo "  cd buildkit"
+          echo "  git remote add upstream https://github.com/moby/buildkit.git"
+          echo "  git fetch --all --tags"
+          echo ""
+          echo "  # Push the release (this will trigger buildkit.yml)"
+          if [ "$HAS_WORKFLOW_CHANGES" = true ]; then
+            echo "  # Note: Use a PAT with 'workflow' scope for this push"
+            echo "  git push https://<YOUR_PAT>@github.com/${{ github.repository }}.git $RELEASE_TAG"
+          else
+            echo "  git push origin $RELEASE_TAG"
+          fi
+          echo ""
+          echo "  # Optionally push the branch too"
+          echo "  git push origin $RELEASE_BRANCH"
+          echo ""
+          echo "Once pushed, the tag will trigger the buildkit.yml workflow"
+          echo "which will build and release the binaries automatically."
+          echo ""
+
+          # Save info for artifact
+          cat > release-info.txt << EOF
+          RELEASE_TAG=$RELEASE_TAG
+          RELEASE_BRANCH=$RELEASE_BRANCH
+          VERSION=$VERSION
+          SUCCESS_COUNT=$SUCCESS_COUNT
+          HAS_WORKFLOW_CHANGES=$HAS_WORKFLOW_CHANGES
+
+          Commands to complete release:
+          git clone https://github.com/${{ github.repository }}.git
+          cd buildkit
+          git remote add upstream https://github.com/moby/buildkit.git
+          git fetch --all --tags
+          git push origin $RELEASE_TAG
+          git push origin $RELEASE_BRANCH
+          EOF
+
+      - name: Create patch summary
+        if: always()
+        run: |
+          if [ -f release-info.txt ]; then
+            echo "## Release Information"
+            cat release-info.txt
+          fi
+
+      - name: Upload release info
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: release-info
+          path: release-info.txt
+          retention-days: 7

DEPLOYMENT.md

@@ -4,42 +4,56 @@
 
 This fork maintains patches on top of upstream BuildKit using a rebase workflow. Our `master` branch contains upstream BuildKit plus our custom patches rebased on top.
 
-## Setup Requirements
-
-**Required**: You must create a Personal Access Token for the workflows to function properly:
-
-1. Go to GitHub Settings > Developer settings > Personal access tokens > Tokens (classic)
-2. Click "Generate new token (classic)"
-3. Give it a descriptive name (e.g., "BuildKit Fork Workflow")
-4. Select these scopes:
-   - `repo` (all checkboxes under repo)
-   - `workflow` (update GitHub Action workflows)
-5. Generate the token and copy it
-6. Go to your fork's Settings > Secrets and variables > Actions
-7. Click "New repository secret"
-8. Name: `WORKFLOW_TOKEN`
-9. Value: Paste your Personal Access Token
-
-This token is necessary because:
-- The default `GITHUB_TOKEN` cannot push changes to workflow files
-- Some patches may include modifications to `.github/workflows/*.yml` files
+## Release Strategy
+
+We use BuildKit's existing `buildkit.yml` workflow to build and release our patched versions. This ensures consistency with upstream's build process.
+
+### Process:
+1. **Prepare**: Use `prepare-patched-release.yml` to cherry-pick patches onto an upstream tag
+2. **Review**: Check which patches were applied successfully
+3. **Push**: Manually push the tag to trigger BuildKit's release workflow
+4. **Release**: The existing `buildkit.yml` automatically builds and publishes binaries
 
 ## Creating a Patched Release
 
-To deploy a patched version of BuildKit:
+### Step 1: Prepare the Release
+
+```bash
+# Run the prepare workflow to cherry-pick patches
+gh workflow run prepare-patched-release.yml -f upstream_version=v0.17.0
+```
+
+This workflow will:
+1. Cherry-pick all patches from master onto v0.17.0
+2. Create a local tag `v0.17.0-blacksmith`
+3. Show you which patches succeeded/failed
+4. Give you the exact commands to complete the release
+
+### Step 2: Review and Push
+
+Check the workflow output, then run locally:
 
 ```bash
-# Create release for v0.17.0 with all our patches
-gh workflow run release-patched-version.yml -f upstream_version=v0.17.0
+# Clone and setup
+git clone https://github.com/useblacksmith/buildkit.git
+cd buildkit
+git fetch --all --tags
+
+# Push the tag (this triggers buildkit.yml)
+git push origin v0.17.0-blacksmith
+
+# The existing buildkit.yml workflow will now:
+# - Build multi-platform binaries
+# - Create Docker images
+# - Publish a GitHub release
 ```
 
-This workflow:
-1. Finds all commits in `origin/master` that aren't in `upstream/master` (our patches)
-2. Cherry-picks each patch onto the upstream version tag
-3. Builds binaries for Linux and macOS (amd64/arm64)
-4. Creates a GitHub release with downloadable artifacts
+### Why This Approach?
 
-The release will be tagged as `v0.17.0-blacksmith`.
+- **No PAT complexity**: If your patches don't modify workflows, you can use regular git push
+- **Uses upstream's build**: The existing `buildkit.yml` handles all the complex build logic
+- **Manual control**: You review patches before pushing the release
+- **Cleaner**: We don't duplicate BuildKit's release logic
 
 ## Keeping Synced with Upstream