Skip to content

Tool enhancements #3721

Tool enhancements

Tool enhancements #3721

Workflow file for this run

name: RPM
on:
push:
branches:
- 'master'
- 'release/*'
- 'rpm/test/*'
tags:
- 'v*'
pull_request:
branches:
- 'master'
- 'release/*'
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
config:
name: Load configuration
runs-on: ubuntu-20.04
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
is-copr-enabled: ${{ steps.is-copr-enabled.outputs.defined }}
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
- name: Load config matrix
id: set-matrix
run: |
echo "matrix=$(cat .github/rpm-matrix.json | tr -d '\n' | tr -d ' ')" >> $GITHUB_OUTPUT
- name: Copr token discovery
id: is-copr-enabled
if: "${{ env.COPR_KEY != '' }}"
run: echo "defined=true" >> $GITHUB_OUTPUT
env:
COPR_KEY: ${{ secrets.COPR_API_LOGIN }}
source0:
name: Vendor Source0
container: registry.fedoraproject.org/fedora:38
runs-on: ubuntu-20.04
steps:
- name: Install deps
run: dnf install -y git make python3
- uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
fetch-depth: 0
- name: Mark as git safe
run: |
git config --global --add safe.directory $GITHUB_WORKSPACE
- name: Generate build info
run: |
scripts/build-info.py --git
git add -f fapolicy_analyzer/resources/build-info.json
git config user.name 'CI'
git config user.email '<>'
git commit -m build-info
- name: Vendor
run: |
make -f .copr/Makefile vendor-app spec=fapolicy-analyzer.spec
- name: Rename source0 with prerelease version
if: endsWith(github.ref, '/master')
run: |
spec_version=$(grep "Version:" fapolicy-analyzer.spec | tr -s ' ' | cut -d' ' -f2)
commit_number=$(git rev-list HEAD~1 --count)
patched_version="$spec_version~dev${commit_number}"
mv fapolicy-analyzer-${spec_version}.tar.gz fapolicy-analyzer-${patched_version}.tar.gz
- name: Rename source0 with pull request version
if: github.event_name == 'pull_request'
run: |
spec_version=$(grep "Version:" fapolicy-analyzer.spec | tr -s ' ' | cut -d' ' -f2)
commit_number=${{ github.event.pull_request.commits }}
pr_number=${{ github.event.pull_request.number }}
patched_version="0.${pr_number}.${commit_number}"
mv fapolicy-analyzer-${spec_version}.tar.gz fapolicy-analyzer-${patched_version}.tar.gz
- name: Upload
uses: actions/upload-artifact@v4
with:
name: source0
path: |
fapolicy-analyzer-*.tar.gz
- name: Checksum
run: |
sha256sum fapolicy-analyzer-*.tar.gz
crates0:
name: Vendor Crates0
container: registry.fedoraproject.org/fedora:latest
runs-on: ubuntu-20.04
steps:
- name: Install RPM build dependencies
run: |
dnf install -y git dnf5-plugins dnf-plugins-core cargo2rpm
- uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
fetch-depth: 0
- name: Adjust spec
run: |
# generate build deps with cargo2rpm
cargo2rpm -p Cargo.toml buildrequires | while read line; do
grep -n "BuildRequires:" fapolicy-analyzer.spec | head -n1 | cut -d: -f1 | xargs -I{} sed -i "{}iBuildRequires: $line" fapolicy-analyzer.spec
done
- name: Install build dependencies
run: |
dnf -y builddep fapolicy-analyzer.spec
- name: Tar crates
run: |
ls -l /usr/share/cargo/registry
scripts/srpm/vendor-rs.sh
- name: Upload tarball
uses: actions/upload-artifact@v4
with:
name: crates0
path: |
vendor-rs.tar.gz
- name: Checksum
run: |
sha256sum vendor-rs.tar.gz
srpm:
needs: [ config, source0, crates0 ]
name: SRPM Build ${{ matrix.props.dist }}
container: ${{ matrix.props.image }}
runs-on: ubuntu-20.04
strategy:
matrix: ${{ fromJson(needs.config.outputs.matrix) }}
steps:
- name: Enable EPEL
if: startsWith(matrix.props.dist, 'el')
run: |
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-${{ matrix.props.version }}.noarch.rpm
- name: Install Git
run: dnf install -y git
- uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
fetch-depth: 0
- name: Strip ref to tag
id: tag_name
if: startsWith(github.ref, 'refs/tags/v')
run: echo "VERSION=$(echo $GITHUB_REF | cut -d/ -f3)" >> $GITHUB_OUTPUT
- name: Mark as git safe
run: |
git config --global --add safe.directory $GITHUB_WORKSPACE
- name: Ensure spec version matches tag
if: startsWith(github.ref, 'refs/tags/v')
run: |
spec_version=$(grep "Version:" ${{ matrix.props.spec }} | tr -s ' ' | cut -d' ' -f2)
tag="${{ steps.tag_name.outputs.VERSION }}"
tag_version="${tag#v}"
echo "Got version $tag_version from git tag $tag"
if [[ "$tag_version" == *-rc* ]] && [[ "$spec_version" != *~rc* ]]; then
echo "The spec version ($spec_version) prerelease tag does not agree with git ($tag_version)"
exit 1
fi
normalized_spec_version=$(echo "$spec_version" | tr "~" "-")
if [[ ! "$tag_version" == "$normalized_spec_version" ]]; then
echo "The spec version ($normalized_spec_version) does not agree with git ($tag_version)"
exit 2
fi
echo "The spec version $spec_version is correct based on git tag $tag"
- name: Patch spec with prerelease version
if: endsWith(github.ref, '/master')
run: |
spec_version=$(grep "Version:" ${{ matrix.props.spec }} | tr -s ' ' | cut -d' ' -f2)
commit_number=$(git rev-list HEAD --count)
patched_version="$spec_version~dev${commit_number}"
sed -i "s#Version:\s*${spec_version}#Version: ${patched_version}#" ${{ matrix.props.spec }}
grep Version ${{ matrix.props.spec }}
- name: Patch spec with pull request version
if: github.event_name == 'pull_request'
run: |
spec_version=$(grep "Version:" ${{ matrix.props.spec }} | tr -s ' ' | cut -d' ' -f2)
commit_number=${{ github.event.pull_request.commits }}
pr_number=${{ github.event.pull_request.number }}
patched_version="0.${pr_number}.${commit_number}"
sed -i "s#Version:\s*${spec_version}#Version: ${patched_version}#" ${{ matrix.props.spec }}
grep Version ${{ matrix.props.spec }}
- name: Install RPM build dependencies
run: |
dnf install -y make rpm rpmdevtools dnf-plugins-core
- name: Install SRPM build dependencies
run: |
make -f .copr/Makefile dnf OS_ID=${{ matrix.props.platform }}
- name: Fetch Source0 tarball
uses: actions/download-artifact@v4
with:
name: source0
path: /tmp/rpmbuild/SOURCES/
- name: Fetch Crates0 tarball
if: startsWith(matrix.props.dist, 'el')
uses: actions/download-artifact@v4
with:
name: crates0
path: /tmp/rpmbuild/SOURCES/
- name: Tag Crates0 tarball
if: startsWith(matrix.props.dist, 'el')
run: |
spec_version=$(grep "Version:" ${{ matrix.props.spec }} | tr -s ' ' | cut -d' ' -f2)
cd /tmp/rpmbuild/SOURCES/
mv vendor-rs.tar.gz vendor-rs-${spec_version}.tar.gz
- name: Generate doc tag
if: startsWith(github.ref, 'refs/tags/v')
run: |
echo "${{ steps.tag_name.outputs.VERSION }}" > help/version
cat help/version
- name: Build SRPM
run: |
make -f .copr/Makefile \
vendor build export \
outdir=/tmp/archives \
spec=${{ matrix.props.spec }} \
OS_ID=${{ matrix.props.platform }}
- name: Export common tarballs
run: |
mkdir -p /tmp/archives
mv vendor-docs-*.tar.gz /tmp/archives
- name: Export el tarballs
if: startsWith(matrix.props.dist, 'el')
run: |
version=$(grep "Version:" ${{ matrix.props.spec }} | tr -s ' ' | cut -d' ' -f2)
mv /tmp/rpmbuild/SOURCES/vendor-rs-${version}.tar.gz /tmp/archives/
- name: Upload Tarballs
uses: actions/upload-artifact@v4
with:
name: tarball-artifacts-${{ matrix.props.dist }}
path: |
/tmp/archives/*.tar.gz
- name: Upload SRPMs
uses: actions/upload-artifact@v4
with:
name: srpm-artifacts-${{ matrix.props.dist }}
path: |
/tmp/archives/*.src.rpm
- name: Checksum artifacts
run: |
sha256sum /tmp/archives/* || true
copr:
needs: [ config, srpm ]
name: Copr Build ${{ matrix.props.dist }}
if: needs.config.outputs.is-copr-enabled == 'true'
container: 'rockylinux:8.6'
runs-on: ubuntu-20.04
strategy:
matrix: ${{ fromJson(needs.config.outputs.matrix) }}
steps:
- name: Install Copr CLI
run: |
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
dnf install -y copr-cli
- name: Download srpm artifacts
uses: actions/download-artifact@v4
with:
name: srpm-artifacts-${{ matrix.props.dist }}
path: /tmp/
- name: Checksum artifacts
run: |
sha256sum /tmp/*.src.rpm
- name: Install Config
run: |
mkdir -p $HOME/.config
echo "[copr-cli]" > $HOME/.config/copr
echo "username = ${COPR_USER}" >> $HOME/.config/copr
echo "login = ${COPR_LOGIN}" >> $HOME/.config/copr
echo "token = ${COPR_TOKEN}" >> $HOME/.config/copr
echo "copr_url = https://copr.fedorainfracloud.org" >> $HOME/.config/copr
env:
COPR_USER: ${{ secrets.COPR_API_USER }}
COPR_LOGIN: ${{ secrets.COPR_API_LOGIN }}
COPR_TOKEN: ${{ secrets.COPR_API_TOKEN }}
- name: build
run: |
chroot=$(echo ${{ matrix.props.chroot }} | cut -d+ -f2)
copr-cli build --chroot $chroot fapolicy-analyzer /tmp/fapolicy-analyzer-*.${{ matrix.props.dist }}.src.rpm
rpm:
needs: [ config, srpm ]
name: Rebuild ${{ matrix.props.dist }}
runs-on: ubuntu-20.04
strategy:
matrix: ${{ fromJson(needs.config.outputs.matrix )}}
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
- name: Download srpm artifacts
uses: actions/download-artifact@v4
with:
name: srpm-artifacts-${{ matrix.props.dist }}
path: /tmp/src/
- name: Download tarball artifacts
if: startsWith(matrix.props.dist, 'el')
uses: actions/download-artifact@v4
with:
name: tarball-artifacts-${{ matrix.props.dist }}
path: /tmp/src/
- name: Checksum artifacts
run: |
sha256sum /tmp/src/*
- name: Create container
run: |
sudo apt install -y podman
cid="${{ matrix.props.dist }}-${{ github.run_id }}"
podman run -dt --name $cid --privileged fedora:39
- name: Init container
run: |
cid="${{ matrix.props.dist }}-${{ github.run_id }}"
podman exec $cid dnf install -y mock
podman exec $cid mock -r ${{ matrix.props.chroot }} --init
- name: Build with Mock
run: |
cid="${{ matrix.props.dist }}-${{ github.run_id }}"
srpm=$(find . -name *.${{ matrix.props.dist }}.src.rpm)
podman cp $srpm $cid:/tmp/$srpm
podman exec $cid mock -r ${{ matrix.props.chroot }} rebuild /tmp/$srpm --resultdir /tmp/rpmbuild
working-directory: /tmp/src/
- name: Show logs
if: always()
run: |
cid="${{ matrix.props.dist }}-${{ github.run_id }}"
podman exec $cid ls -R /tmp/rpmbuild
podman exec $cid cat /tmp/rpmbuild/build.log
- name: Export RPMs
run: |
cid="${{ matrix.props.dist }}-${{ github.run_id }}"
podman cp $cid:/tmp/rpmbuild/ /tmp/rpmbuild
mkdir -p /tmp/archives
cd /tmp/rpmbuild
ls | grep -v -e debug -e log | xargs mv -t /tmp/archives
- name: Upload RPMs
uses: actions/upload-artifact@v4
with:
name: rpm-artifacts-${{ matrix.props.dist }}
path: |
/tmp/archives/*.x86_64.rpm
install:
needs: [ config, srpm, rpm ]
name: Install ${{ matrix.props.dist }}
container: ${{ matrix.props.image }}
runs-on: ubuntu-20.04
strategy:
matrix: ${{ fromJson(needs.config.outputs.matrix )}}
continue-on-error: ${{ matrix.props.prerelease }}
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
- name: Download rpm artifacts
uses: actions/download-artifact@v4
with:
name: rpm-artifacts-${{ matrix.props.dist }}
path: /tmp/src/
- name: Checksum artifacts
run: |
sha256sum /tmp/src/*
- name: Enable EPEL
if: startsWith(matrix.props.dist, 'el')
run: |
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-${{ matrix.props.version }}.noarch.rpm
- name: Install RPM
run: |
dnf install -y /tmp/src/fapolicy-analyzer-*.${{ matrix.props.dist }}.x86_64.rpm
- name: Check RPM
run: |
rpm -qa --dump fapolicy-analyzer
rpm -q fapolicy-analyzer
publish:
needs: [ srpm, rpm, install, copr ]
name: Publish
if: startsWith(github.ref, 'refs/tags/v')
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
- name: Download artifacts
uses: actions/download-artifact@v4
with:
path: /tmp/archives/
- name: Checksum
run: |
sha256sum /tmp/archives/*/* || true
- name: Release artifacts
uses: softprops/action-gh-release@v1
with:
tag_name: ${{ steps.tag_name.outputs.VERSION }}
prerelease: ${{ startsWith(github.ref, 'refs/tags/v0') || contains(github.ref, 'rc') }}
draft: true
files: |
fapolicy-analyzer.spec
/tmp/archives/source0/*.tar.gz
/tmp/archives/rpm-artifacts-*/*.rpm
/tmp/archives/srpm-artifacts-*/*.src.rpm
/tmp/archives/tarball-artifacts-*/*.tar.gz