ci: Move srpm/rpm build to packit

Split off make-sources.sh from make-srpm.sh which builds a directory
with the sprm ingredients (the unpacked directory); the packit workflow
requires that, it builds the srpm by itself after some further
adjustments.

This mostly obsoletes the need of doing custom COPR builds, so
eventually .copr/ can be simplified. But keep the old functionality for
the time being.

Note that this way of building an srpm in packit is still rather
unusual: the normal mode is to maintain the .spec and all auxiliary
files in the upstream git; that then enables automatic Fedora releases,
and make it easier to keep the spec in sync. But one step after
another..

Configure packit to automatically build srpm and rpms in the usual
temporary COPRs. This makes it much easier to test PRs both by humans
and future integration tests. There are no test plans yet, but already
enable the TF run to at least cover package installation/upgrade.

Run these on Rawhide and the current stable Fedora (38 right now).

This entirely replaces the "build-rpm" workflow, so drop that.

Co-Authored-By: Ondrej Mosnacek <[email protected]>

.copr/Makefile

@@ -2,7 +2,9 @@
 
 outdir ?= $(PWD)
 
+COPR_DIR := $(dir $(lastword $(MAKEFILE_LIST)))
+
 srpm:
-	$(dir $(lastword $(MAKEFILE_LIST)))/make-srpm.sh $(outdir)
+	$(COPR_DIR)/../scripts/make-srpm.sh $(outdir)
 
 .PHONY: srpm

.github/workflows/build.yml

@@ -14,32 +14,3 @@ jobs:
       - run: make -j $(nproc) policy
       - run: make -j $(nproc) validate
       - run: make -j $(nproc) container.pp
-  build-rpm:
-    runs-on: ubuntu-latest
-    container:
-      image: fedora:rawhide
-      options: --security-opt seccomp=unconfined
-    steps:
-      - run: dnf install --nogpgcheck -y make git-core rpm-build 'dnf-command(builddep)'
-      - uses: actions/checkout@v3
-      # https://github.blog/2022-04-12-git-security-vulnerability-announced/
-      - run: git config --global --add safe.directory "$PWD"
-      - run: make -C .copr srpm outdir="$PWD"
-      - name: Store the SRPM as an artifact
-        uses: actions/upload-artifact@v2
-        with:
-          name: srpm
-          path: "*.src.rpm"
-      - run: |
-          if grep -q rawhide /etc/os-release; then
-            tag=rawhide
-          else
-            tag='f$releasever-build'
-          fi
-          dnf builddep --nogpgcheck --repofrompath "koji,https://kojipkgs.fedoraproject.org/repos/$tag/latest/\$arch/" -y *.src.rpm
-      - run: rpmbuild --define "_topdir $PWD/rpmbuild" -rb *.src.rpm
-      - name: Store binary RPMs as artifacts
-        uses: actions/upload-artifact@v2
-        with:
-          name: rpms
-          path: rpmbuild/RPMS

packit.yaml

@@ -0,0 +1,22 @@
+# See https://packit.dev/docs/configuration/
+
+specfile_path: tmp/rpm/selinux-policy.spec
+
+actions:
+  post-upstream-clone:
+    - mkdir -p tmp/rpm
+    - scripts/make-sources.sh tmp/rpm
+  create-archive: sh -c 'ls tmp/rpm/selinux-policy*.tar.gz'
+
+jobs:
+  - job: copr_build
+    trigger: pull_request
+    targets:
+    - fedora-development
+    - fedora-latest-stable
+
+  - job: tests
+    trigger: pull_request
+    targets:
+    - fedora-development
+    - fedora-latest-stable

.copr/make-srpm.sh → scripts/make-sources.sh

@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# Prepare sources for an SRPM build
+
 set -eux
 
 outdir="$1"; shift
@@ -12,8 +14,6 @@ DISTGIT_REF=rawhide
 CONTAINER_URL=https://github.com/containers/container-selinux
 EXPANDER_URL=https://github.com/fedora-selinux/macro-expander
 
-rpm -q rpm-build git-core || dnf install -y rpm-build git-core
-
 base_head_id="$(git -C "$rootdir" rev-parse HEAD)"
 base_short_head_id="${base_head_id:0:7}"
 base_date="$(TZ=UTC git show -s --format=%cd --date=format-local:%F_%T HEAD | tr -d :-)"
@@ -24,27 +24,19 @@ trap 'rm -rf "$tmpdir"' EXIT
 
 container_dir="$tmpdir/container-selinux"
 expander_dir="$tmpdir/macro-expander"
-rpmbuild_dir="$tmpdir/rpmbuild"
-distgit_dir="$tmpdir/rpmbuild/SOURCES"
-
-mkdir -p "$distgit_dir"
 
 git clone --single-branch --depth 1 "$CONTAINER_URL" "$container_dir"
 git clone --single-branch --depth 1 "$EXPANDER_URL" "$expander_dir"
-git clone -b "$DISTGIT_REF" --single-branch --depth 1 "$DISTGIT_URL" "$distgit_dir"
+git clone -b "$DISTGIT_REF" --single-branch --depth 1 "$DISTGIT_URL" "$outdir"
 
 git -C "$rootdir" archive --prefix="selinux-policy-$base_head_id/" --format tgz HEAD \
-	>"$distgit_dir/selinux-policy-$base_short_head_id.tar.gz"
+	>"$outdir/selinux-policy-$base_short_head_id.tar.gz"
 
-tar -C "$container_dir" -czf "$distgit_dir/container-selinux.tgz" \
+tar -C "$container_dir" -czf "$outdir/container-selinux.tgz" \
 	container.if container.te container.fc
 
-cp "$expander_dir/macro-expander.sh" "$distgit_dir/macro-expander"
-
+cp "$expander_dir/macro-expander.sh" "$outdir/macro-expander"
 
 sed -i "s/%global commit [^ ]*$/%global commit $base_head_id/;
-        s/%{?dist}/.$base_date.$base_short_head_id%{?dist}/" "$distgit_dir/selinux-policy.spec"
-rm -f "$distgit_dir/sources"
-rpmbuild --define "_topdir $rpmbuild_dir" -bs "$distgit_dir/selinux-policy.spec"
-
-cp "$rpmbuild_dir/SRPMS/"*.src.rpm "$outdir"
+        s/%{?dist}/.$base_date.$base_short_head_id%{?dist}/" "$outdir/selinux-policy.spec"
+rm -f "$outdir/sources"

scripts/make-srpm.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Make an SRPM for COPR
+
+set -eux
+
+outdir="$1"; shift
+
+rootdir="$(realpath -m "$0/../..")"
+
+rpm -q rpm-build git-core || dnf install -y rpm-build git-core
+
+tmpdir="$(mktemp -d)"
+
+trap 'rm -rf "$tmpdir"' EXIT
+
+rpmbuild_dir="$tmpdir"
+distgit_dir="$tmpdir/SOURCES"
+
+mkdir -p "$distgit_dir"
+
+"$rootdir/scripts/make-sources.sh" "$distgit_dir"
+
+rpmbuild --define "_topdir $rpmbuild_dir" -bs "$distgit_dir/selinux-policy.spec"
+cp "$rpmbuild_dir/SRPMS/"*.src.rpm "$outdir"