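name: Build RPM Package

# This workflow builds RPM packages using a Fedora container
# to ensure proper RPM build environment with native systemd-rpm-macros support.
# Running rpmbuild on Debian requires extensive workarounds that are fragile.
#
# Trust boundaries worth keeping in mind when changing this job:
# - The release binaries are fetched with `gh release download` and packaged as-is;
#   nothing here checks them against a checksum or signature, so the RPMs are only
#   as trustworthy as the assets the Build workflow published.
# - `fedorariscv/base:latest` and `actions/checkout@v6` are mutable references. Once
#   the values are known, pin the image by digest (`fedorariscv/base@sha256:<DIGEST>`)
#   and the action by commit SHA (`actions/checkout@<COMMIT_SHA>`) for reproducibility.
# - The GPG private key is imported into the keyring of a self-hosted runner, so it
#   is removed again by a dedicated step that runs even when signing fails.

'on':
  # Only trigger from Build workflow - Track workflow completes before release exists
  workflow_run:
    workflows: ["Build Docker RISC-V64"]
    types: [completed]
    branches: [main]
  workflow_dispatch:
    inputs:
      release_tag:
        description: 'Release tag to build package from'
        required: true
        default: 'v28.5.1-riscv64'

# Least privilege for GITHUB_TOKEN: the job only downloads and uploads release assets.
permissions:
  contents: write

jobs:
  build-rpm:
    runs-on: [self-hosted, riscv64]
    if: github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch'
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Get release tag
        id: release
        uses: ./.github/actions/get-release-tag
        with:
          release-tag-input: ${{ github.event.inputs.release_tag || '' }}
          tag-pattern: '^v[0-9]+\.[0-9]+\.[0-9]+-riscv64$'
          asset-pattern: 'moby-engine.*\.rpm$'
          check-existing-assets: ${{ github.event_name != 'workflow_dispatch' }}

      - name: Set up RPM build tree
        if: steps.release.outputs.has-new-release == 'true'
        run: |
          mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}

      - name: Clean previous RPM builds
        if: steps.release.outputs.has-new-release == 'true'
        run: |
          # Remove any existing RPM files to prevent uploading old versions
          rm -f ~/rpmbuild/RPMS/riscv64/moby-engine-*.rpm
          rm -f ~/rpmbuild/RPMS/riscv64/containerd-*.rpm
          rm -f ~/rpmbuild/RPMS/riscv64/runc-*.rpm
          echo "Cleaned previous Engine RPM files"

      - name: Download release binaries
        if: steps.release.outputs.has-new-release == 'true'
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_TAG: ${{ steps.release.outputs.release-tag }}
        run: |
          set -euo pipefail
          echo "Building package for release: $RELEASE_TAG"
          # Clean and download all binaries to SOURCES directory
          cd ~/rpmbuild/SOURCES
          rm -f dockerd docker-proxy containerd containerd-shim-runc-v2 runc
          for binary in dockerd docker-proxy containerd containerd-shim-runc-v2 runc; do
            gh release download "$RELEASE_TAG" -p "$binary" --repo gounthar/docker-for-riscv64
            # -s also rejects a zero-byte file, which a partial download could leave behind
            if [ ! -s "$binary" ]; then
              echo "Error: Failed to download $binary from release $RELEASE_TAG"
              exit 1
            fi
          done
          # Only the binaries just downloaded need the executable bit, not everything in SOURCES
          chmod +x dockerd docker-proxy containerd containerd-shim-runc-v2 runc
          ls -lh

      - name: Copy spec files and sources
        if: steps.release.outputs.has-new-release == 'true'
        run: |
          # Copy systemd unit files to SOURCES
          cp rpm-docker/docker.service ~/rpmbuild/SOURCES/
          cp rpm-docker/docker.socket ~/rpmbuild/SOURCES/
          cp rpm-containerd/containerd.service ~/rpmbuild/SOURCES/
          # Copy spec files to SPECS
          cp rpm-docker/moby-engine.spec ~/rpmbuild/SPECS/
          cp rpm-containerd/containerd.spec ~/rpmbuild/SPECS/
          cp rpm-runc/runc.spec ~/rpmbuild/SPECS/

      - name: Update package versions
        if: steps.release.outputs.has-new-release == 'true'
        env:
          RELEASE_TAG: ${{ steps.release.outputs.release-tag }}
        run: |
          # Extract version from tag (v28.5.1-riscv64 -> 28.5.1)
          VERSION=$(echo "$RELEASE_TAG" | sed 's/^v//; s/-riscv64$//')
          # Validate VERSION extraction succeeded (before hyphen normalization)
          if [ -z "$VERSION" ] || [ "$VERSION" = "$RELEASE_TAG" ]; then
            echo "Error: Failed to extract version from tag: $RELEASE_TAG"
            exit 1
          fi
          # RPM versions cannot contain hyphens - replace with dots
          VERSION=$(echo "$VERSION" | tr '-' '.')
          # Restrict to the characters RPM accepts in Version. This also keeps the value
          # safe to splice into the sed replacement below (no '/', '&' or '\' can get in),
          # which matters because on workflow_dispatch the tag originates from user input.
          if ! [[ "$VERSION" =~ ^[A-Za-z0-9._+~^]+$ ]]; then
            echo "Error: Version contains characters not allowed in an RPM Version: $VERSION"
            exit 1
          fi
          echo "Package version: $VERSION"
          # Update moby-engine version (containerd and runc keep the version in their own spec)
          sed -i "s/^Version:.*/Version: $VERSION/" ~/rpmbuild/SPECS/moby-engine.spec

      - name: Build RPM packages in Fedora container
        if: steps.release.outputs.has-new-release == 'true'
        run: |
          # Use Fedora RISC-V container for proper RPM build environment
          # This avoids Debian-specific issues with systemd-rpm-macros
          # NOTE: the image tag is mutable and build deps are installed from the network at
          # run time, so two runs are not guaranteed to use the same toolchain; pin the image
          # by digest when reproducible builds are required.
          docker run --rm \
            -v ~/rpmbuild:/root/rpmbuild:Z \
            -v $PWD/rpm-docker:/rpm-docker:ro \
            -v $PWD/rpm-containerd:/rpm-containerd:ro \
            -v $PWD/rpm-runc:/rpm-runc:ro \
            fedorariscv/base:latest \
            bash -c '
              set -euo pipefail
              # Install build dependencies
              echo "Installing RPM build dependencies..."
              dnf install -y rpm-build rpmdevtools rpmlint systemd-rpm-macros
              # Build packages
              cd /root/rpmbuild/SPECS
              echo "Building runc..."
              rpmbuild -bb runc.spec
              echo "Building containerd..."
              rpmbuild -bb containerd.spec
              echo "Building moby-engine..."
              rpmbuild -bb moby-engine.spec
              # List built packages
              echo ""
              echo "Built RPM packages:"
              ls -lh /root/rpmbuild/RPMS/riscv64/
            '
          # Show results on host
          echo ""
          echo "RPM packages built successfully:"
          ls -lh ~/rpmbuild/RPMS/riscv64/

      - name: Fix RPM file ownership
        if: steps.release.outputs.has-new-release == 'true'
        run: |
          # RPMs were created by root inside container, fix ownership for host user
          sudo chown -R "$(id -u):$(id -g)" ~/rpmbuild/RPMS/
          echo "Fixed ownership of RPM files"
          ls -lh ~/rpmbuild/RPMS/riscv64/

      - name: Run rpmlint checks
        if: steps.release.outputs.has-new-release == 'true'
        run: |
          # Run rpmlint inside Fedora RISC-V container
          # Advisory only: `|| true` keeps lint findings from failing the build
          docker run --rm \
            -v ~/rpmbuild:/root/rpmbuild:ro \
            fedorariscv/base:latest \
            bash -c 'dnf install -y rpmlint && rpmlint /root/rpmbuild/RPMS/riscv64/*.rpm' || true

      - name: Package info
        if: steps.release.outputs.has-new-release == 'true'
        run: |
          for rpm in ~/rpmbuild/RPMS/riscv64/*.rpm; do
            echo "============================================"
            echo "=== Package: $(basename "$rpm") ==="
            echo "============================================"
            echo ""
            echo "=== Package Info ==="
            rpm -qip "$rpm"
            echo ""
            echo "=== Package Contents ==="
            rpm -qlp "$rpm"
            echo ""
            echo "=== Package Size ==="
            ls -lh "$rpm"
            echo ""
          done

      - name: Import GPG signing key
        id: gpg
        if: steps.release.outputs.has-new-release == 'true'
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
        run: |
          set -euo pipefail
          echo "Importing GPG key for package signing..."
          echo "$GPG_PRIVATE_KEY" | gpg --batch --import
          # Verify key imported (lists public key material only, nothing secret is printed)
          echo ""
          echo "GPG keys available:"
          gpg --list-secret-keys
          echo ""
          # Record the primary fingerprint of the first secret key so the sign and cleanup
          # steps act on exactly the same key. Assumes the imported key is the first one in
          # the runner's keyring, as the original key-id lookup did - confirm if the
          # self-hosted runner carries other secret keys.
          KEY_FPR=$(gpg --list-secret-keys --with-colons | awk -F: '/^fpr:/ {print $10; exit}')
          if [ -z "$KEY_FPR" ]; then
            echo "Error: No secret key available after import"
            exit 1
          fi
          echo "key-fpr=$KEY_FPR" >> "$GITHUB_OUTPUT"
          echo "GPG key imported successfully"

      - name: Sign RPM packages
        if: steps.release.outputs.has-new-release == 'true'
        env:
          GPG_KEY_ID: ${{ steps.gpg.outputs.key-fpr }}
        run: |
          set -euo pipefail
          echo "Signing RPM packages..."
          # Install rpm-sign if needed
          if ! command -v rpmsign >/dev/null 2>&1; then
            if [ -f /etc/fedora-release ]; then
              sudo dnf install -y rpm-sign
            elif [ -f /etc/debian_version ]; then
              sudo apt-get update && sudo apt-get install -y rpm
            fi
          fi
          # The key to sign with is the one recorded by the import step
          if [ -z "$GPG_KEY_ID" ]; then
            echo "Error: No GPG key available for signing"
            exit 1
          fi
          echo "Using GPG key: $GPG_KEY_ID"
          # Sign each RPM package
          for rpm in ~/rpmbuild/RPMS/riscv64/*.rpm; do
            echo "Signing $(basename "$rpm")..."
            setsid rpmsign --addsign --define "_gpg_name $GPG_KEY_ID" "$rpm" || {
              echo "Error: Failed to sign $rpm"
              exit 1
            }
          done
          echo ""
          echo "✅ All packages signed successfully"
          echo ""
          # Verify signatures. `rpm -qip` always prints a "Signature" line - "(none)" for an
          # unsigned package - so merely matching the word can never fail; reject any package
          # whose line still reads (none) instead of only warning about it.
          echo "Verifying signatures:"
          for rpm in ~/rpmbuild/RPMS/riscv64/*.rpm; do
            echo "Checking $(basename "$rpm")..."
            SIG_LINE=$(rpm -qip "$rpm" | grep -i '^Signature' || true)
            echo "$SIG_LINE"
            case "$SIG_LINE" in
              ""|*"(none)"*)
                echo "Error: No signature found on $rpm"
                exit 1
                ;;
            esac
          done

      - name: Remove GPG signing key from runner
        # Runs even when signing failed: the private key must not persist on a self-hosted runner
        if: always() && steps.gpg.outputs.key-fpr != ''
        env:
          GPG_KEY_FPR: ${{ steps.gpg.outputs.key-fpr }}
        run: |
          if gpg --batch --yes --delete-secret-and-public-keys "$GPG_KEY_FPR"; then
            echo "Removed GPG signing key from the runner keyring"
          else
            echo "Warning: could not remove GPG key $GPG_KEY_FPR from the runner keyring"
          fi

      - name: Upload packages to release
        if: steps.release.outputs.has-new-release == 'true'
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_TAG: ${{ steps.release.outputs.release-tag }}
        run: |
          echo "Uploading packages to release $RELEASE_TAG"
          echo ""
          for rpm in ~/rpmbuild/RPMS/riscv64/*.rpm; do
            echo "Uploading $(basename "$rpm")..."
            gh release upload "$RELEASE_TAG" "$rpm" --repo gounthar/docker-for-riscv64 --clobber
          done
          echo ""
          echo "✅ All RPM packages uploaded successfully!"
          echo ""
          echo "Packages built:"
          ls -lh ~/rpmbuild/RPMS/riscv64/
          echo ""
          echo "Install with:"
          echo " # Download all packages"
          RELEASE_URL="https://github.com/gounthar/docker-for-riscv64/releases/download/${RELEASE_TAG}"
          echo " wget ${RELEASE_URL}/runc-*.riscv64.rpm"
          echo " wget ${RELEASE_URL}/containerd-*.riscv64.rpm"
          echo " wget ${RELEASE_URL}/moby-engine-*.riscv64.rpm"
          echo ""
          echo " # Install in dependency order"
          echo " sudo dnf install -y runc-*.riscv64.rpm"
          echo " sudo dnf install -y containerd-*.riscv64.rpm"
          echo " sudo dnf install -y moby-engine-*.riscv64.rpm"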