Tool enhancements #3721
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: RPM | |
on: | |
push: | |
branches: | |
- 'master' | |
- 'release/*' | |
- 'rpm/test/*' | |
tags: | |
- 'v*' | |
pull_request: | |
branches: | |
- 'master' | |
- 'release/*' | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
cancel-in-progress: true | |
jobs: | |
config: | |
name: Load configuration | |
runs-on: ubuntu-20.04 | |
outputs: | |
matrix: ${{ steps.set-matrix.outputs.matrix }} | |
is-copr-enabled: ${{ steps.is-copr-enabled.outputs.defined }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.ref }} | |
- name: Load config matrix | |
id: set-matrix | |
run: | | |
echo "matrix=$(cat .github/rpm-matrix.json | tr -d '\n' | tr -d ' ')" >> $GITHUB_OUTPUT | |
- name: Copr token discovery | |
id: is-copr-enabled | |
if: "${{ env.COPR_KEY != '' }}" | |
run: echo "defined=true" >> $GITHUB_OUTPUT | |
env: | |
COPR_KEY: ${{ secrets.COPR_API_LOGIN }} | |
source0: | |
name: Vendor Source0 | |
container: registry.fedoraproject.org/fedora:38 | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Install deps | |
run: dnf install -y git make python3 | |
- uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.ref }} | |
fetch-depth: 0 | |
- name: Mark as git safe | |
run: | | |
git config --global --add safe.directory $GITHUB_WORKSPACE | |
- name: Generate build info | |
run: | | |
scripts/build-info.py --git | |
git add -f fapolicy_analyzer/resources/build-info.json | |
git config user.name 'CI' | |
git config user.email '<>' | |
git commit -m build-info | |
- name: Vendor | |
run: | | |
make -f .copr/Makefile vendor-app spec=fapolicy-analyzer.spec | |
- name: Rename source0 with prerelease version | |
if: endsWith(github.ref, '/master') | |
run: | | |
spec_version=$(grep "Version:" fapolicy-analyzer.spec | tr -s ' ' | cut -d' ' -f2) | |
commit_number=$(git rev-list HEAD~1 --count) | |
patched_version="$spec_version~dev${commit_number}" | |
mv fapolicy-analyzer-${spec_version}.tar.gz fapolicy-analyzer-${patched_version}.tar.gz | |
- name: Rename source0 with pull request version | |
if: github.event_name == 'pull_request' | |
run: | | |
spec_version=$(grep "Version:" fapolicy-analyzer.spec | tr -s ' ' | cut -d' ' -f2) | |
commit_number=${{ github.event.pull_request.commits }} | |
pr_number=${{ github.event.pull_request.number }} | |
patched_version="0.${pr_number}.${commit_number}" | |
mv fapolicy-analyzer-${spec_version}.tar.gz fapolicy-analyzer-${patched_version}.tar.gz | |
- name: Upload | |
uses: actions/upload-artifact@v4 | |
with: | |
name: source0 | |
path: | | |
fapolicy-analyzer-*.tar.gz | |
- name: Checksum | |
run: | | |
sha256sum fapolicy-analyzer-*.tar.gz | |
crates0: | |
name: Vendor Crates0 | |
container: registry.fedoraproject.org/fedora:latest | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Install RPM build dependencies | |
run: | | |
dnf install -y git dnf5-plugins dnf-plugins-core cargo2rpm | |
- uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.ref }} | |
fetch-depth: 0 | |
- name: Adjust spec | |
run: | | |
# generate build deps with cargo2rpm | |
cargo2rpm -p Cargo.toml buildrequires | while read line; do | |
grep -n "BuildRequires:" fapolicy-analyzer.spec | head -n1 | cut -d: -f1 | xargs -I{} sed -i "{}iBuildRequires: $line" fapolicy-analyzer.spec | |
done | |
- name: Install build dependencies | |
run: | | |
dnf -y builddep fapolicy-analyzer.spec | |
- name: Tar crates | |
run: | | |
ls -l /usr/share/cargo/registry | |
scripts/srpm/vendor-rs.sh | |
- name: Upload tarball | |
uses: actions/upload-artifact@v4 | |
with: | |
name: crates0 | |
path: | | |
vendor-rs.tar.gz | |
- name: Checksum | |
run: | | |
sha256sum vendor-rs.tar.gz | |
srpm: | |
needs: [ config, source0, crates0 ] | |
name: SRPM Build ${{ matrix.props.dist }} | |
container: ${{ matrix.props.image }} | |
runs-on: ubuntu-20.04 | |
strategy: | |
matrix: ${{ fromJson(needs.config.outputs.matrix) }} | |
steps: | |
- name: Enable EPEL | |
if: startsWith(matrix.props.dist, 'el') | |
run: | | |
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-${{ matrix.props.version }}.noarch.rpm | |
- name: Install Git | |
run: dnf install -y git | |
- uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.ref }} | |
fetch-depth: 0 | |
- name: Strip ref to tag | |
id: tag_name | |
if: startsWith(github.ref, 'refs/tags/v') | |
run: echo "VERSION=$(echo $GITHUB_REF | cut -d/ -f3)" >> $GITHUB_OUTPUT | |
- name: Mark as git safe | |
run: | | |
git config --global --add safe.directory $GITHUB_WORKSPACE | |
- name: Ensure spec version matches tag | |
if: startsWith(github.ref, 'refs/tags/v') | |
run: | | |
spec_version=$(grep "Version:" ${{ matrix.props.spec }} | tr -s ' ' | cut -d' ' -f2) | |
tag="${{ steps.tag_name.outputs.VERSION }}" | |
tag_version="${tag#v}" | |
echo "Got version $tag_version from git tag $tag" | |
if [[ "$tag_version" == *-rc* ]] && [[ "$spec_version" != *~rc* ]]; then | |
echo "The spec version ($spec_version) prerelease tag does not agree with git ($tag_version)" | |
exit 1 | |
fi | |
normalized_spec_version=$(echo "$spec_version" | tr "~" "-") | |
if [[ ! "$tag_version" == "$normalized_spec_version" ]]; then | |
echo "The spec version ($normalized_spec_version) does not agree with git ($tag_version)" | |
exit 2 | |
fi | |
echo "The spec version $spec_version is correct based on git tag $tag" | |
- name: Patch spec with prerelease version | |
if: endsWith(github.ref, '/master') | |
run: | | |
spec_version=$(grep "Version:" ${{ matrix.props.spec }} | tr -s ' ' | cut -d' ' -f2) | |
commit_number=$(git rev-list HEAD --count) | |
patched_version="$spec_version~dev${commit_number}" | |
sed -i "s#Version:\s*${spec_version}#Version: ${patched_version}#" ${{ matrix.props.spec }} | |
grep Version ${{ matrix.props.spec }} | |
- name: Patch spec with pull request version | |
if: github.event_name == 'pull_request' | |
run: | | |
spec_version=$(grep "Version:" ${{ matrix.props.spec }} | tr -s ' ' | cut -d' ' -f2) | |
commit_number=${{ github.event.pull_request.commits }} | |
pr_number=${{ github.event.pull_request.number }} | |
patched_version="0.${pr_number}.${commit_number}" | |
sed -i "s#Version:\s*${spec_version}#Version: ${patched_version}#" ${{ matrix.props.spec }} | |
grep Version ${{ matrix.props.spec }} | |
- name: Install RPM build dependencies | |
run: | | |
dnf install -y make rpm rpmdevtools dnf-plugins-core | |
- name: Install SRPM build dependencies | |
run: | | |
make -f .copr/Makefile dnf OS_ID=${{ matrix.props.platform }} | |
- name: Fetch Source0 tarball | |
uses: actions/download-artifact@v4 | |
with: | |
name: source0 | |
path: /tmp/rpmbuild/SOURCES/ | |
- name: Fetch Crates0 tarball | |
if: startsWith(matrix.props.dist, 'el') | |
uses: actions/download-artifact@v4 | |
with: | |
name: crates0 | |
path: /tmp/rpmbuild/SOURCES/ | |
- name: Tag Crates0 tarball | |
if: startsWith(matrix.props.dist, 'el') | |
run: | | |
spec_version=$(grep "Version:" ${{ matrix.props.spec }} | tr -s ' ' | cut -d' ' -f2) | |
cd /tmp/rpmbuild/SOURCES/ | |
mv vendor-rs.tar.gz vendor-rs-${spec_version}.tar.gz | |
- name: Generate doc tag | |
if: startsWith(github.ref, 'refs/tags/v') | |
run: | | |
echo "${{ steps.tag_name.outputs.VERSION }}" > help/version | |
cat help/version | |
- name: Build SRPM | |
run: | | |
make -f .copr/Makefile \ | |
vendor build export \ | |
outdir=/tmp/archives \ | |
spec=${{ matrix.props.spec }} \ | |
OS_ID=${{ matrix.props.platform }} | |
- name: Export common tarballs | |
run: | | |
mkdir -p /tmp/archives | |
mv vendor-docs-*.tar.gz /tmp/archives | |
- name: Export el tarballs | |
if: startsWith(matrix.props.dist, 'el') | |
run: | | |
version=$(grep "Version:" ${{ matrix.props.spec }} | tr -s ' ' | cut -d' ' -f2) | |
mv /tmp/rpmbuild/SOURCES/vendor-rs-${version}.tar.gz /tmp/archives/ | |
- name: Upload Tarballs | |
uses: actions/upload-artifact@v4 | |
with: | |
name: tarball-artifacts-${{ matrix.props.dist }} | |
path: | | |
/tmp/archives/*.tar.gz | |
- name: Upload SRPMs | |
uses: actions/upload-artifact@v4 | |
with: | |
name: srpm-artifacts-${{ matrix.props.dist }} | |
path: | | |
/tmp/archives/*.src.rpm | |
- name: Checksum artifacts | |
run: | | |
sha256sum /tmp/archives/* || true | |
copr: | |
needs: [ config, srpm ] | |
name: Copr Build ${{ matrix.props.dist }} | |
if: needs.config.outputs.is-copr-enabled == 'true' | |
container: 'rockylinux:8.6' | |
runs-on: ubuntu-20.04 | |
strategy: | |
matrix: ${{ fromJson(needs.config.outputs.matrix) }} | |
steps: | |
- name: Install Copr CLI | |
run: | | |
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm | |
dnf install -y copr-cli | |
- name: Download srpm artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: srpm-artifacts-${{ matrix.props.dist }} | |
path: /tmp/ | |
- name: Checksum artifacts | |
run: | | |
sha256sum /tmp/*.src.rpm | |
- name: Install Config | |
run: | | |
mkdir -p $HOME/.config | |
echo "[copr-cli]" > $HOME/.config/copr | |
echo "username = ${COPR_USER}" >> $HOME/.config/copr | |
echo "login = ${COPR_LOGIN}" >> $HOME/.config/copr | |
echo "token = ${COPR_TOKEN}" >> $HOME/.config/copr | |
echo "copr_url = https://copr.fedorainfracloud.org" >> $HOME/.config/copr | |
env: | |
COPR_USER: ${{ secrets.COPR_API_USER }} | |
COPR_LOGIN: ${{ secrets.COPR_API_LOGIN }} | |
COPR_TOKEN: ${{ secrets.COPR_API_TOKEN }} | |
- name: build | |
run: | | |
chroot=$(echo ${{ matrix.props.chroot }} | cut -d+ -f2) | |
copr-cli build --chroot $chroot fapolicy-analyzer /tmp/fapolicy-analyzer-*.${{ matrix.props.dist }}.src.rpm | |
rpm: | |
needs: [ config, srpm ] | |
name: Rebuild ${{ matrix.props.dist }} | |
runs-on: ubuntu-20.04 | |
strategy: | |
matrix: ${{ fromJson(needs.config.outputs.matrix )}} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.ref }} | |
- name: Download srpm artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: srpm-artifacts-${{ matrix.props.dist }} | |
path: /tmp/src/ | |
- name: Download tarball artifacts | |
if: startsWith(matrix.props.dist, 'el') | |
uses: actions/download-artifact@v4 | |
with: | |
name: tarball-artifacts-${{ matrix.props.dist }} | |
path: /tmp/src/ | |
- name: Checksum artifacts | |
run: | | |
sha256sum /tmp/src/* | |
- name: Create container | |
run: | | |
sudo apt install -y podman | |
cid="${{ matrix.props.dist }}-${{ github.run_id }}" | |
podman run -dt --name $cid --privileged fedora:39 | |
- name: Init container | |
run: | | |
cid="${{ matrix.props.dist }}-${{ github.run_id }}" | |
podman exec $cid dnf install -y mock | |
podman exec $cid mock -r ${{ matrix.props.chroot }} --init | |
- name: Build with Mock | |
run: | | |
cid="${{ matrix.props.dist }}-${{ github.run_id }}" | |
srpm=$(find . -name *.${{ matrix.props.dist }}.src.rpm) | |
podman cp $srpm $cid:/tmp/$srpm | |
podman exec $cid mock -r ${{ matrix.props.chroot }} rebuild /tmp/$srpm --resultdir /tmp/rpmbuild | |
working-directory: /tmp/src/ | |
- name: Show logs | |
if: always() | |
run: | | |
cid="${{ matrix.props.dist }}-${{ github.run_id }}" | |
podman exec $cid ls -R /tmp/rpmbuild | |
podman exec $cid cat /tmp/rpmbuild/build.log | |
- name: Export RPMs | |
run: | | |
cid="${{ matrix.props.dist }}-${{ github.run_id }}" | |
podman cp $cid:/tmp/rpmbuild/ /tmp/rpmbuild | |
mkdir -p /tmp/archives | |
cd /tmp/rpmbuild | |
ls | grep -v -e debug -e log | xargs mv -t /tmp/archives | |
- name: Upload RPMs | |
uses: actions/upload-artifact@v4 | |
with: | |
name: rpm-artifacts-${{ matrix.props.dist }} | |
path: | | |
/tmp/archives/*.x86_64.rpm | |
install: | |
needs: [ config, srpm, rpm ] | |
name: Install ${{ matrix.props.dist }} | |
container: ${{ matrix.props.image }} | |
runs-on: ubuntu-20.04 | |
strategy: | |
matrix: ${{ fromJson(needs.config.outputs.matrix )}} | |
continue-on-error: ${{ matrix.props.prerelease }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.ref }} | |
- name: Download rpm artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: rpm-artifacts-${{ matrix.props.dist }} | |
path: /tmp/src/ | |
- name: Checksum artifacts | |
run: | | |
sha256sum /tmp/src/* | |
- name: Enable EPEL | |
if: startsWith(matrix.props.dist, 'el') | |
run: | | |
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-${{ matrix.props.version }}.noarch.rpm | |
- name: Install RPM | |
run: | | |
dnf install -y /tmp/src/fapolicy-analyzer-*.${{ matrix.props.dist }}.x86_64.rpm | |
- name: Check RPM | |
run: | | |
rpm -qa --dump fapolicy-analyzer | |
rpm -q fapolicy-analyzer | |
publish: | |
needs: [ srpm, rpm, install, copr ] | |
name: Publish | |
if: startsWith(github.ref, 'refs/tags/v') | |
runs-on: ubuntu-20.04 | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.ref }} | |
- name: Download artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
path: /tmp/archives/ | |
- name: Checksum | |
run: | | |
sha256sum /tmp/archives/*/* || true | |
- name: Release artifacts | |
uses: softprops/action-gh-release@v1 | |
with: | |
tag_name: ${{ steps.tag_name.outputs.VERSION }} | |
prerelease: ${{ startsWith(github.ref, 'refs/tags/v0') || contains(github.ref, 'rc') }} | |
draft: true | |
files: | | |
fapolicy-analyzer.spec | |
/tmp/archives/source0/*.tar.gz | |
/tmp/archives/rpm-artifacts-*/*.rpm | |
/tmp/archives/srpm-artifacts-*/*.src.rpm | |
/tmp/archives/tarball-artifacts-*/*.tar.gz |