build-cli-rpm.yml
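# Builds, GPG-signs and uploads the docker-cli RPM for riscv64 from the
# `docker` binary attached to a CLI release of gounthar/docker-for-riscv64.
name: Build CLI RPM Package

on:
  # Only trigger from Weekly Build - Track workflow completes before release exists
  workflow_run:
    workflows: ["Weekly Docker CLI RISC-V64 Build"]
    types: [completed]
    branches: [main]
  workflow_dispatch:
    inputs:
      release_tag:
        description: 'CLI release tag to build package from'
        required: true
        default: 'cli-v28.5.1-riscv64'

# NOTE(review): there is no `permissions:` block, so the job token gets the
# repository default scope. The steps visible here only download and upload
# release assets (`contents: write`); confirm what
# ./.github/actions/get-release-tag needs and declare the scope explicitly.

jobs:
  build-cli-rpm:
    runs-on: [self-hosted, riscv64]
    if: github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch'
    steps:
      # NOTE(review): `@v6` is a movable tag; pinning to the full commit SHA
      # makes the self-hosted runner execute exactly the reviewed action code.
      - name: Checkout repository
        uses: actions/checkout@v6

      # Resolves the release to package. The outputs `release-tag` and
      # `has-new-release` gate and parameterise every later step.
      - name: Get release tag
        id: release
        uses: ./.github/actions/get-release-tag
        with:
          release-tag-input: ${{ github.event.inputs.release_tag || '' }}
          tag-pattern: '^cli-v[0-9]+\.[0-9]+\.[0-9]+-riscv64$'
          asset-pattern: 'docker-cli.*\.rpm$'
          check-existing-assets: ${{ github.event_name != 'workflow_dispatch' }}

      - name: Install build dependencies
        if: steps.release.outputs.has-new-release == 'true'
        run: |
          if [ -f /etc/fedora-release ]; then
            sudo dnf install -y rpm-build rpmdevtools rpmlint
          elif [ -f /etc/debian_version ]; then
            sudo apt-get update
            sudo apt-get install -y rpm rpmlint
          fi

      - name: Set up RPM build tree
        if: steps.release.outputs.has-new-release == 'true'
        run: |
          rpmdev-setuptree || mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}

      - name: Clean previous RPM builds
        if: steps.release.outputs.has-new-release == 'true'
        run: |
          # Remove any existing RPM files to prevent uploading old versions
          rm -f ~/rpmbuild/RPMS/riscv64/docker-cli-*.rpm
          echo "Cleaned previous docker-cli RPM files"

      - name: Download docker CLI binary
        if: steps.release.outputs.has-new-release == 'true'
        env:
          GH_TOKEN: ${{ github.token }}
          # Passed through the environment instead of being expanded into the
          # script text, so the tag value is never parsed as shell code.
          RELEASE_TAG: ${{ steps.release.outputs.release-tag }}
        run: |
          set -euo pipefail
          echo "Building package for release: $RELEASE_TAG"
          # Clean and download docker binary to SOURCES
          cd ~/rpmbuild/SOURCES
          rm -f docker
          gh release download "$RELEASE_TAG" -p docker --repo gounthar/docker-for-riscv64
          # Validate binary was downloaded
          # NOTE(review): only existence is checked. The binary is packaged and
          # signed as-is, so the signature vouches for whatever the release
          # asset contains; verify a published checksum here if one exists.
          if [ ! -f docker ]; then
            echo "Error: Failed to download docker binary from release $RELEASE_TAG"
            exit 1
          fi
          chmod +x docker
          ls -lh

      - name: Copy spec file
        if: steps.release.outputs.has-new-release == 'true'
        run: |
          cp rpm-cli/docker-cli.spec ~/rpmbuild/SPECS/

      - name: Update package version
        if: steps.release.outputs.has-new-release == 'true'
        env:
          RELEASE_TAG: ${{ steps.release.outputs.release-tag }}
        run: |
          set -euo pipefail
          echo "Updating version for release: $RELEASE_TAG"
          # Extract version from tag (cli-v28.5.1-riscv64 -> 28.5.1)
          VERSION=$(echo "$RELEASE_TAG" | sed 's/^cli-v//; s/-riscv64$//')
          # Validate VERSION extraction succeeded (before hyphen normalization)
          if [ -z "$VERSION" ] || [ "$VERSION" = "$RELEASE_TAG" ]; then
            echo "Error: Failed to extract version from tag: $RELEASE_TAG"
            exit 1
          fi
          # RPM versions cannot contain hyphens - replace with dots
          VERSION=$(echo "$VERSION" | tr '-' '.')
          # VERSION is spliced into a sed replacement below; reject anything
          # outside the RPM version character set so `/`, `&` or whitespace
          # cannot alter the expression or the spec file.
          case "$VERSION" in
            *[!A-Za-z0-9._+~^]*)
              echo "Error: Unexpected characters in version: $VERSION"
              exit 1
              ;;
          esac
          echo "Package version: $VERSION"
          # Update spec file
          sed -i "s/^Version:.*/Version: $VERSION/" ~/rpmbuild/SPECS/docker-cli.spec

      - name: Build RPM package
        if: steps.release.outputs.has-new-release == 'true'
        run: |
          cd ~/rpmbuild/SPECS
          # Building on native riscv64, no --target needed
          rpmbuild -bb docker-cli.spec
          echo ""
          echo "Built RPM package:"
          ls -lh ~/rpmbuild/RPMS/riscv64/

      # Lint findings are informational only: `|| true` keeps the job going.
      - name: Run rpmlint checks
        if: steps.release.outputs.has-new-release == 'true'
        run: |
          rpmlint ~/rpmbuild/RPMS/riscv64/docker-cli-*.rpm || true

      - name: Package info
        if: steps.release.outputs.has-new-release == 'true'
        run: |
          for rpm in ~/rpmbuild/RPMS/riscv64/docker-cli-*.rpm; do
            echo "============================================"
            echo "=== Package: $(basename "$rpm") ==="
            echo "============================================"
            echo ""
            echo "=== Package Info ==="
            rpm -qip "$rpm"
            echo ""
            echo "=== Package Contents ==="
            rpm -qlp "$rpm"
            echo ""
            echo "=== Package Size ==="
            ls -lh "$rpm"
            echo ""
          done

      # NOTE(review): the key is imported into the runner user's default
      # keyring (no GNUPGHOME is set in this workflow) and no step removes it,
      # so on a non-ephemeral self-hosted runner it stays available to later
      # jobs. Consider a per-job GNUPGHOME that is deleted in an
      # `if: always()` step.
      - name: Import GPG signing key
        if: steps.release.outputs.has-new-release == 'true'
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
        run: |
          set -euo pipefail
          echo "Importing GPG key for package signing..."
          echo "$GPG_PRIVATE_KEY" | gpg --batch --import
          # Verify key imported
          echo ""
          echo "GPG keys available:"
          gpg --list-secret-keys
          echo ""
          echo "GPG key imported successfully"

      - name: Sign RPM packages
        if: steps.release.outputs.has-new-release == 'true'
        run: |
          set -euo pipefail
          echo "Signing RPM packages..."
          # Install rpm-sign if needed
          if ! command -v rpmsign >/dev/null 2>&1; then
            if [ -f /etc/fedora-release ]; then
              sudo dnf install -y rpm-sign
            elif [ -f /etc/debian_version ]; then
              sudo apt-get update && sudo apt-get install -y rpm
            fi
          fi
          # Get GPG key ID
          # NOTE(review): this takes the first secret key in the keyring, which
          # is the imported key only if the keyring holds no other secret key.
          GPG_KEY_ID=$(gpg --list-secret-keys --keyid-format LONG --with-colons | awk -F: '/^sec:/ {print $5; exit}')
          if [ -z "$GPG_KEY_ID" ]; then
            echo "Error: No GPG secret key available for signing"
            exit 1
          fi
          echo "Using GPG key ID: $GPG_KEY_ID"
          # Sign each RPM package
          for rpm in ~/rpmbuild/RPMS/riscv64/docker-cli-*.rpm; do
            echo "Signing $(basename "$rpm")..."
            setsid rpmsign --addsign --define "_gpg_name $GPG_KEY_ID" "$rpm" || { echo "Error: Failed to sign $rpm"; exit 1; }
          done
          echo ""
          echo "✅ All packages signed successfully"
          echo ""
          # Verify signatures
          # `rpm -qip` prints "Signature : (none)" for an unsigned package, so
          # matching the field name alone always succeeds; inspect the value
          # and fail closed so an unsigned package is never uploaded. This
          # confirms a signature is present, not that it validates;
          # `rpm --checksig` against the public key is the stronger check.
          echo "Verifying signatures:"
          for rpm in ~/rpmbuild/RPMS/riscv64/docker-cli-*.rpm; do
            echo "Checking $(basename "$rpm")..."
            sig_line=$(rpm -qip "$rpm" | grep -i '^Signature' || true)
            echo "$sig_line"
            if [ -z "$sig_line" ] || printf '%s\n' "$sig_line" | grep -q '(none)'; then
              echo "Error: No signature found on $rpm"
              exit 1
            fi
          done

      - name: Upload package to release
        if: steps.release.outputs.has-new-release == 'true'
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_TAG: ${{ steps.release.outputs.release-tag }}
        run: |
          set -euo pipefail
          for rpm in ~/rpmbuild/RPMS/riscv64/docker-cli-*.rpm; do
            echo "Uploading $(basename "$rpm")..."
            gh release upload "$RELEASE_TAG" "$rpm" --repo gounthar/docker-for-riscv64 --clobber
          done
          echo ""
          echo "✅ Docker CLI RPM package uploaded successfully!"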