feat: add RPM packaging and Packit CI/CD for complytime-providers #5

Open
marcusburghardt wants to merge 2 commits into complytime:main from marcusburghardt:005-rpm-packaging-ci

@marcusburghardt marcusburghardt commented Apr 24, 2026

Summary

Add complete Fedora RPM packaging pipeline for complytime-providers. A single source RPM produces two binary sub-packages so users can install only the providers they need:

  • complytime-providers-openscap — OpenSCAP scanning provider (requires complyctl, scap-security-guide)
  • complytime-providers-ampel — Ampel scanning provider (requires complyctl)

No main complytime-providers binary RPM is produced.

Files added:

  • complytime-providers.spec — Fedora Go packaging guidelines compliant spec with vendored dependencies, automatic bundled provides via vendor/modules.txt, and unit tests in %check
  • .packit.yaml — Full Packit CI/CD: COPR builds on PRs, Testing Farm tests on PRs, propose-downstream on release, Koji builds and Bodhi updates on dist-git commits
  • .fmf/version — FMF metadata root for Testing Farm plan discovery
  • plans/test-RPM-providers.fmf — TMT smoke test validating both provider binaries are installed at /usr/libexec/complytime/providers/ with executable permissions

Companion PR: complytime/complyctl#485 (complyctl side — spec simplification, GoReleaser cleanup, release docs)

Related Issues

Review Hints

  • Review the two commits in sequence:

    1. RPM spec (feat:): the complytime-providers.spec file with sub-package definitions
    2. CI/CD (ci:): Packit configuration, FMF metadata, and TMT test plan
  • Both rpmlint complytime-providers.spec and packit validate pass with zero errors. The packit validate warning about the package not existing is expected — it requires a Fedora package review first.

  • To build and test the RPM locally:

    # Download the source tarball
    spectool -g -R complytime-providers.spec
    
    # Build the SRPM
    rpmbuild -bs complytime-providers.spec \
      --define "_sourcedir $(pwd)" \
      --define "_srcrpmdir $(pwd)"
    
    # Build in mock (Fedora rawhide)
    mock -r fedora-rawhide-x86_64 rebuild complytime-providers-*.src.rpm
    
    # Verify two sub-packages produced (no main package)
    ls /var/lib/mock/fedora-rawhide-x86_64/result/*.rpm | grep -v src | grep -v debug
    # Expected:
    #   complytime-providers-openscap-*.x86_64.rpm
    #   complytime-providers-ampel-*.x86_64.rpm
    # Must NOT have: complytime-providers-0.0.1-*.x86_64.rpm (no main pkg)
    
    # Verify provider binary paths
    rpm -qlp /var/lib/mock/fedora-rawhide-x86_64/result/complytime-providers-openscap-*.x86_64.rpm
    rpm -qlp /var/lib/mock/fedora-rawhide-x86_64/result/complytime-providers-ampel-*.x86_64.rpm
    
    # Verify dependency on complyctl
    rpm -qp --requires /var/lib/mock/fedora-rawhide-x86_64/result/complytime-providers-openscap-*.x86_64.rpm \
      | grep complyctl
    
    # Verify bundled provides are auto-generated
    rpm -qp --provides /var/lib/mock/fedora-rawhide-x86_64/result/complytime-providers-openscap-*.x86_64.rpm \
      | grep "bundled(golang"

    Alternatively: packit build locally

  • The Requires: complyctl >= 0.0.8 version is a placeholder — it should be set to the first complyctl release that includes the provider SDK rename (pkg/provider/).

  • There is a simple release JOB in the workflow, but it is expected to be changed when integrating with Fedora.
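
The sub-package check from the local build steps above, written as a pass/fail function that can gate a local build or CI step. This is an added example, not part of the PR or the project's code; the function name `check_subpackages` is an assumption, and the result directory is passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the PR): verify that a mock result directory holds
# exactly the two provider sub-packages and no main binary RPM.
# Usage: check_subpackages /var/lib/mock/fedora-rawhide-x86_64/result
check_subpackages() {
    dir=$1
    have_openscap=0
    have_ampel=0
    rc=0
    for f in "$dir"/*.rpm; do
        [ -e "$f" ] || continue          # glob matched nothing
        name=${f##*/}
        case $name in
            # Source and debug packages are out of scope, as in the manual check.
            *.src.rpm|*debuginfo*|*debugsource*) continue ;;
            complytime-providers-openscap-*) have_openscap=1 ;;
            complytime-providers-ampel-*)    have_ampel=1 ;;
            # A version right after the base name means a main package was built.
            complytime-providers-[0-9]*)
                echo "unexpected main package: $name"; rc=1 ;;
            *)
                echo "unexpected package: $name"; rc=1 ;;
        esac
    done
    [ "$have_openscap" -eq 1 ] || { echo "missing openscap sub-package"; rc=1; }
    [ "$have_ampel" -eq 1 ]    || { echo "missing ampel sub-package"; rc=1; }
    return "$rc"
}

# Run the check when a result directory is given on the command line.
if [ "$#" -gt 0 ]; then
    check_subpackages "$1"
fi
```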

Add Fedora RPM spec that builds from a single source package and
produces two binary sub-packages:
- complytime-providers-openscap (requires complyctl, scap-security-guide)
- complytime-providers-ampel (requires complyctl)

No main binary RPM is produced. Follows Fedora Packaging Guidelines
for Go projects with vendored dependencies. Uses vendor/modules.txt
via %license for automatic bundled provides generation.

rpmlint passes with 0 errors, 0 warnings.

Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>

Add Packit configuration with:
- COPR builds on PRs (Fedora rawhide/43/42, CentOS Stream 9/10)
- Testing Farm tests on PRs via TMT plans
- propose_downstream on release (rawhide, f43, f42)
- Koji builds and Bodhi updates on dist-git commits

Add FMF metadata root and TMT test plan that validates both
provider binaries are installed at the expected path with
executable permissions after RPM installation.

packit validate confirms configuration is valid.

Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>