From 608cfe033b5ef504fc2e9d08d1cdbae110b23a29 Mon Sep 17 00:00:00 2001
From: nileshnegi
Date: Sat, 23 May 2026 00:00:43 -0500
Subject: [PATCH 1/3] [ci] Build but don't publish packages for candidate branch Add candidate to PR triggers so pushes and PRs against candidate run the full build pipeline. Gate all S3 upload steps on ref_name and base_ref not being 'candidate' so no packages are published until candidate is promoted to develop/mainline. Co-authored-by: Claude
---
.github/workflows/build-relocatable-packages.yml | 14 +++++++-------
.github/workflows/codeql.yml | 3 ++-
2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/build-relocatable-packages.yml b/.github/workflows/build-relocatable-packages.yml
index af90b466..4f79f6db 100644
--- a/.github/workflows/build-relocatable-packages.yml
+++ b/.github/workflows/build-relocatable-packages.yml
@@ -2,9 +2,9 @@ name: Build Relocatable Packages on: push: - branches: [develop, mainline, 'release/**', candidate] + branches: [candidate, develop, mainline, 'release/**'] pull_request: - branches: [develop, mainline] + branches: [candidate, develop, mainline] schedule: # Daily at 13:00 UTC (5:00 AM PST) - cron: '0 13 * * *'
@@ -84,14 +84,14 @@ jobs: if-no-files-found: error - name: Configure AWS credentials (OIDC) - if: github.repository == 'ROCm/TransferBench' && vars.AWS_S3_BUCKET != '' + if: github.repository == 'ROCm/TransferBench' && vars.AWS_S3_BUCKET != '' && github.ref_name != 'candidate' && github.base_ref != 'candidate' uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: ${{ secrets.AWS_ROLE_ARN }} aws-region: us-east-1 - name: Upload to S3 - if: github.repository == 'ROCm/TransferBench' && vars.AWS_S3_BUCKET != '' + if: github.repository == 'ROCm/TransferBench' && vars.AWS_S3_BUCKET != '' && github.ref_name != 'candidate' && github.base_ref != 'candidate' env: AWS_S3_BUCKET: ${{ vars.AWS_S3_BUCKET }} run: |
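Review bot: The publish gate added to `Configure AWS credentials (OIDC)` and `Upload to S3` in the `@@ -84,14` hunk is a deny-list: it excludes `candidate` by name and lets every other ref and event through. On a `pull_request` run `github.ref_name` is the merge ref (`<number>/merge`), so a pull request from `candidate` into `develop` or `mainline` matches neither comparison and would still reach the role assumption and the upload, unless a job-level condition outside this hunk prevents it. An allow-list states the intent directly and fails closed for new branches or triggers, for example `github.event_name != 'pull_request' && (github.ref_name == 'develop' || github.ref_name == 'mainline' || startsWith(github.ref_name, 'release/'))`. Because a workflow `if:` can be edited on any branch, the trust policy of the role behind `AWS_ROLE_ARN` should also restrict the OIDC `sub` claim to the publishing refs. The same expression is repeated on the three steps of the `@@ -193,20` hunk.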
@@ -193,20 +193,20 @@ jobs: if-no-files-found: error - name: Install AWS CLI - if: github.repository == 'ROCm/TransferBench' && vars.AWS_S3_BUCKET != '' + if: github.repository == 'ROCm/TransferBench' && vars.AWS_S3_BUCKET != '' && github.ref_name != 'candidate' && github.base_ref != 'candidate' run: | curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o /tmp/awscli.zip (cd /tmp && unzip -q awscli.zip && ./aws/install) - name: Configure AWS credentials (OIDC) - if: github.repository == 'ROCm/TransferBench' && vars.AWS_S3_BUCKET != '' + if: github.repository == 'ROCm/TransferBench' && vars.AWS_S3_BUCKET != '' && github.ref_name != 'candidate' && github.base_ref != 'candidate' uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: ${{ secrets.AWS_ROLE_ARN }} aws-region: us-east-1 - name: Upload to S3 - if: github.repository == 'ROCm/TransferBench' && vars.AWS_S3_BUCKET != '' + if: github.repository == 'ROCm/TransferBench' && vars.AWS_S3_BUCKET != '' && github.ref_name != 'candidate' && github.base_ref != 'candidate' env: AWS_S3_BUCKET: ${{ vars.AWS_S3_BUCKET }} run: |
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 6d3ba2f9..313f0dee 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -3,11 +3,12 @@ name: "CodeQL Security Scanning" on: push: branches: + - candidate - develop - mainline - - candidate pull_request: branches: + - candidate - develop - mainline schedule:
From fecdb4b3d47aa826da80484e8cfe8fde9af95685 Mon Sep 17 00:00:00 2001
From: nileshnegi
Date: Sat, 23 May 2026 00:07:21 -0500
Subject: [PATCH 2/3] [ci] Block artifact upload for candidate branch Candidate builds are validation-only; no artifacts should be retained. The verify steps (dpkg-deb, rpm -qip) still confirm packages were built. Co-authored-by: Claude
---
.github/workflows/build-relocatable-packages.yml | 2 ++
1 file changed, 2 insertions(+)
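Review bot: The `Install AWS CLI` step in the `@@ -193,20` hunk runs an installer fetched with `curl` without any integrity check, in the same job that then assumes the publishing role. That `run:` body is unchanged context, but the commit edits the step's condition and it is the weakest link in the publish path visible here. AWS publishes a detached PGP signature beside the archive (the same URL with `.sig` appended), so verifying it with `gpg --verify` against a key kept in the repository before `./aws/install` would close the gap; pinning a versioned installer URL and comparing a recorded SHA-256 is an alternative. Separately, `aws-actions/configure-aws-credentials@v4` is referenced by a movable tag, and pinning it to a full commit SHA is the usual hardening for an action that handles credentials.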
diff --git a/.github/workflows/build-relocatable-packages.yml b/.github/workflows/build-relocatable-packages.yml
index 4f79f6db..77839b9b 100644
--- a/.github/workflows/build-relocatable-packages.yml
+++ b/.github/workflows/build-relocatable-packages.yml
@@ -75,6 +75,7 @@ jobs: done - name: Upload artifacts (always, for inspection) + if: github.ref_name != 'candidate' && github.base_ref != 'candidate' uses: actions/upload-artifact@v4 with: name: ubuntu-22.04-packages
@@ -184,6 +185,7 @@ jobs: done - name: Upload artifacts (always, for inspection) + if: github.ref_name != 'candidate' && github.base_ref != 'candidate' uses: actions/upload-artifact@v4 with: name: manylinux_2_28-packages
From fa18a079b85e71137b8d78ae31ddea635f49e835 Mon Sep 17 00:00:00 2001
From: nileshnegi
Date: Sat, 23 May 2026 00:20:39 -0500
Subject: [PATCH 3/3] [ci] Gate build-report artifact and fix stale step names for candidate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Gate the release-summary build-report artifact upload behind the same candidate condition as the package artifacts. Also drop "(always, for inspection)" from the artifact upload step names — they are no longer unconditional. Co-authored-by: Claude
---
.github/workflows/build-relocatable-packages.yml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-relocatable-packages.yml b/.github/workflows/build-relocatable-packages.yml
index 77839b9b..8a139f0d 100644
--- a/.github/workflows/build-relocatable-packages.yml
+++ b/.github/workflows/build-relocatable-packages.yml
@@ -74,7 +74,7 @@ jobs: dpkg-deb -c "${deb}" | head -50 done - - name: Upload artifacts (always, for inspection) + - name: Upload artifacts if: github.ref_name != 'candidate' && github.base_ref != 'candidate' uses: actions/upload-artifact@v4 with:
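Review bot: By the end of this series the expression `github.ref_name != 'candidate' && github.base_ref != 'candidate'` is copied into eight step conditions, including the two `Upload artifacts` steps gated in the `@@ -75,6` and `@@ -184,6` hunks and the `Upload report` step in patch 3, and a typo in any one copy fails open for that step. Defining it once, for example a workflow-level `env:` entry `NOT_CANDIDATE: ${{ github.ref_name != 'candidate' && github.base_ref != 'candidate' }}` used as `if: env.NOT_CANDIDATE == 'true'`, keeps the gates from drifting apart. A one-line comment above that definition, such as `# candidate is validation-only: build and verify, retain and publish nothing`, would record why the steps are skipped.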
@@ -184,7 +184,7 @@ jobs: rpm -qlp "${rpm}" | head -50 done - - name: Upload artifacts (always, for inspection) + - name: Upload artifacts if: github.ref_name != 'candidate' && github.base_ref != 'candidate' uses: actions/upload-artifact@v4 with:
@@ -297,6 +297,7 @@ jobs: cat report/build-report.md >> "$GITHUB_STEP_SUMMARY" - name: Upload report + if: github.ref_name != 'candidate' && github.base_ref != 'candidate' uses: actions/upload-artifact@v4 with: name: build-report