
feat: add RPM packaging and Packit CI/CD for complytime-providers#5

Open
marcusburghardt wants to merge 2 commits into complytime:main from marcusburghardt:005-rpm-packaging-ci

Conversation


@marcusburghardt marcusburghardt commented Apr 24, 2026

Summary

Add complete Fedora RPM packaging pipeline for complytime-providers. A single source RPM produces two binary sub-packages so users can install only the providers they need:

  • complytime-providers-openscap — OpenSCAP scanning provider (requires complyctl, scap-security-guide)
  • complytime-providers-ampel — Ampel scanning provider (requires complyctl)

No main complytime-providers binary RPM is produced.

Files added:

  • complytime-providers.spec — Fedora Go packaging guidelines compliant spec with vendored dependencies, automatic bundled provides via vendor/modules.txt, and unit tests in %check
  • .packit.yaml — Full Packit CI/CD: COPR builds on PRs, Testing Farm tests on PRs, propose-downstream on release, Koji builds and Bodhi updates on dist-git commits
  • .fmf/version — FMF metadata root for Testing Farm plan discovery
  • plans/test-RPM-providers.fmf — TMT smoke test validating both provider binaries are installed at /usr/libexec/complytime/providers/ with executable permissions

Companion PR: complytime/complyctl#485 (complyctl side — spec simplification, GoReleaser cleanup, release docs)

Related Issues

Review Hints

  • Review the two commits in sequence:

    1. RPM spec (feat:): the complytime-providers.spec file with sub-package definitions
    2. CI/CD (ci:): Packit configuration, FMF metadata, and TMT test plan
  • Both rpmlint complytime-providers.spec and packit validate pass with zero errors. The packit validate warning about the package not existing is expected — it requires a Fedora package review first.

  • To build and test the RPM locally:

    # Download the source tarball
    spectool -g -R complytime-providers.spec
    
    # Build the SRPM
    rpmbuild -bs complytime-providers.spec \
      --define "_sourcedir $(pwd)" \
      --define "_srcrpmdir $(pwd)"
    
    # Build in mock (Fedora rawhide)
    mock -r fedora-rawhide-x86_64 rebuild complytime-providers-*.src.rpm
    
    # Verify two sub-packages produced (no main package)
    ls /var/lib/mock/fedora-rawhide-x86_64/result/*.rpm | grep -v src | grep -v debug
    # Expected:
    #   complytime-providers-openscap-*.x86_64.rpm
    #   complytime-providers-ampel-*.x86_64.rpm
    # Must NOT have: complytime-providers-0.0.1-*.x86_64.rpm (no main pkg)
    
    # Verify provider binary paths
    rpm -qlp /var/lib/mock/fedora-rawhide-x86_64/result/complytime-providers-openscap-*.x86_64.rpm
    rpm -qlp /var/lib/mock/fedora-rawhide-x86_64/result/complytime-providers-ampel-*.x86_64.rpm
    
    # Verify dependency on complyctl
    rpm -qp --requires /var/lib/mock/fedora-rawhide-x86_64/result/complytime-providers-openscap-*.x86_64.rpm \
      | grep complyctl
    
    # Verify bundled provides are auto-generated
    rpm -qp --provides /var/lib/mock/fedora-rawhide-x86_64/result/complytime-providers-openscap-*.x86_64.rpm \
      | grep "bundled(golang"

    Alternatively: packit build locally

  • The Requires: complyctl >= 0.0.8 version is a placeholder — it should be set to the first complyctl release that includes the provider SDK rename (pkg/provider/).

  • There is a simple release JOB in the workflow, but it is expected to be changed when integrating with Fedora.

Add Fedora RPM spec that builds from a single source package and
produces two binary sub-packages:
- complytime-providers-openscap (requires complyctl, scap-security-guide)
- complytime-providers-ampel (requires complyctl)

No main binary RPM is produced. Follows Fedora Packaging Guidelines
for Go projects with vendored dependencies. Uses vendor/modules.txt
via %license for automatic bundled provides generation.

rpmlint passes with 0 errors, 0 warnings.

Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>

Add Packit configuration with:
- COPR builds on PRs (Fedora rawhide/43/42, CentOS Stream 9/10)
- Testing Farm tests on PRs via TMT plans
- propose_downstream on release (rawhide, f43, f42)
- Koji builds and Bodhi updates on dist-git commits

Add FMF metadata root and TMT test plan that validates both
provider binaries are installed at the expected path with
executable permissions after RPM installation.

packit validate confirms configuration is valid.

Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
@hbraswelrh hbraswelrh left a comment


Review Council Findings (Imperative)

Five issues that need to be fixed before merge — build failures, factual errors, or Fedora packaging guideline violations.


1. complytime-providers.spec line 39: HealthCheck RPC does not exist

The provider interface defines Describe, Generate, and Scan. There is no HealthCheck RPC. The Describe RPC returns a DescribeResponse that includes a Healthy field, but the RPC itself is Describe.

-Communicates via gRPC (Generate, Scan, HealthCheck RPCs)
+Communicates via gRPC (Describe, Generate, Scan RPCs)

2. complytime-providers.spec lines 66-67: Add -mod=vendor to %build

%check (line 77) uses -mod=vendor but %build does not. In network-isolated Koji/mock builds, if vendor auto-detection fails the build breaks — or worse, build and test phases resolve different dependency versions silently.

-go build -buildmode=pie -o ${GO_BUILD_BINDIR}/complyctl-provider-openscap ./cmd/openscap-provider
-go build -buildmode=pie -o ${GO_BUILD_BINDIR}/complyctl-provider-ampel ./cmd/ampel-provider
+go build -mod=vendor -buildmode=pie -o ${GO_BUILD_BINDIR}/complyctl-provider-openscap ./cmd/openscap-provider
+go build -mod=vendor -buildmode=pie -o ${GO_BUILD_BINDIR}/complyctl-provider-ampel ./cmd/ampel-provider
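Review bot: the same two go build lines still drop the flags that %set_build_flags exports, because neither passes ${LDFLAGS} through -ldflags; -mod=vendor is the right fix for the build/check mismatch, but while these lines are being touched also append `-ldflags "${LDFLAGS:-}"` to each (or replace both with the %gobuild macro, which forwards LDFLAGS and selects -buildmode=pie itself), otherwise the distribution's linker flags never reach the link step, which is exactly the "partially ineffective" hardening the later review points out.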

3. complytime-providers.spec: Missing ExclusiveArch: %{go_arches}

Without this, Koji will attempt builds on all Fedora architectures (s390x, ppc64le, etc.) once propose_downstream lands the spec in dist-git. This is required by Fedora Go packaging guidelines.

Add after the BuildRequires lines:

ExclusiveArch:  %{go_arches}
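Review bot: ExclusiveArch: %{go_arches} is the guideline-conformant line, but the macro is provided by go-srpm-macros, so confirm it expands on every target listed in .packit.yaml (CentOS Stream 9 and 10 included); on a target where the macro is undefined the literal text is left in ExclusiveArch, the package then matches no architecture at all, and the failure surfaces as an opaque SRPM-level "architecture is excluded" error rather than as the intended arch filter.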

4. complytime-providers.spec line 16: Missing minimum Go version

go.mod declares go 1.25.0 but BuildRequires: golang has no version floor. On targets shipping older Go (e.g., CentOS Stream 9), the build will fail with cryptic compilation errors instead of a clear dependency resolution failure.

-BuildRequires:  golang
+BuildRequires:  golang >= 1.25.0
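Review bot: the version floor is the right change, but it interacts with the Packit targets: the ci: commit lists CentOS Stream 9 and 10 as COPR targets, and any target whose golang is below 1.25.0 will now fail at SRPM dependency resolution on every PR instead of at compile time; either drop those targets from copr_build or accept permanently red jobs there. Also keep this floor in step with the go directive in go.mod whenever it is bumped, since nothing in the spec checks the two against each other.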

5. complytime-providers.spec lines 83, 88: vendor/modules.txt under %license

vendor/modules.txt is a Go module manifest, not a license file. The %license macro is reserved for files containing license text per Fedora packaging guidelines. This will be flagged by license auditing tools.

-%license LICENSE vendor/modules.txt
-%doc README.md
+%license LICENSE
+%doc README.md vendor/modules.txt
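Review bot: moving vendor/modules.txt to %doc is correct for license auditing, but the commit message says the file was put under %license precisely to drive the automatic bundled(golang(...)) provides, so re-run the `rpm -qp --provides ... | grep "bundled(golang"` check from the PR description on the rebuilt sub-packages after this change; the generator keys on where modules.txt is installed, and if the provides vanish the file has to stay where the generator expects it (or the bundled provides must be declared explicitly) rather than simply being reclassified as documentation.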

(Apply to both the openscap and ampel %files sections.)

@hbraswelrh hbraswelrh left a comment


This review supersedes the previous "Review Council Findings (Imperative)" review above.


Code Review

Issues

Bug: Missing runtime dependency openscap-scanner

The openscap sub-package requires scap-security-guide but not openscap-scanner. The provider binary invokes oscap via exec.Command at runtime — without openscap-scanner installed, every scan will fail with "command not found".


Worth discussing: Missing runtime dependencies for Ampel provider

The ampel sub-package has no Requires for snappy and ampel, both called via exec.Command at runtime. If these aren't packaged in Fedora, the dependency can't be expressed as an RPM requirement, but it should be documented in the sub-package %description.


Minor: vendor/modules.txt listed as %license

This file is a Go module manifest, not a license. Per Fedora Go packaging guidelines, it should be consumed by %golist to generate Provides: bundled(golang(...)) entries. Without that, the RPMs will lack bundled() provides metadata — a Fedora packaging review blocker.


Minor: Build flags not fully applied

%set_build_flags sets CFLAGS/LDFLAGS, but the go build commands don't forward $LDFLAGS via -ldflags. Security hardening is partially ineffective. Using %gobuild or passing -ldflags "${LDFLAGS}" would address this.


Trivial: .fmf/version missing trailing newline


Observations

  • Tests in %check may require external tools not available in mock/koji build environments. Verify tests have proper skip conditions.
  • CentOS Stream 9 ships Go 1.21 by default, but go.mod specifies go 1.25.0 — likely build failures on that target.
  • The test plan only checks binary existence. A smoke test (e.g., --help) would catch dynamic linking issues earlier.
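
The local verification the PR author runs by hand (mock result listing, rpm -qlp on each sub-package) and the --help smoke test this review asks for, combined into one added shell script. This is example code written for this page, not the PR's TMT plan or any file in the complytime project. It assumes the paths and names quoted in the thread (/var/lib/mock/fedora-rawhide-x86_64/result, /usr/libexec/complytime/providers, complyctl-provider-openscap and complyctl-provider-ampel) and that the provider binaries exit 0 on --help, which the PR does not confirm; the PIE check assumes -buildmode=pie yields an ELF of type DYN.

```shell
#!/bin/sh
# Added verification script (example code, not part of the PR or of the
# complytime project). It automates the manual checks in the PR description
# (two sub-packages, no main package) and extends the TMT smoke test as the
# second review suggests (run each binary, not just stat it).
#
# Assumptions, all taken from the PR thread rather than from the project:
#   - mock results land in /var/lib/mock/fedora-rawhide-x86_64/result
#   - providers install to /usr/libexec/complytime/providers
#   - binaries are named complyctl-provider-openscap and complyctl-provider-ampel
#   - each binary exits 0 on --help (the smoke test the review proposes)

PKG=complytime-providers
RESULT_DIR=${RESULT_DIR:-/var/lib/mock/fedora-rawhide-x86_64/result}
PROVIDER_DIR=${PROVIDER_DIR:-/usr/libexec/complytime/providers}

# classify_rpm FILENAME: print one of src, debug, sub, main, other.
# Order matters: sub-package debuginfo names would also match the sub pattern.
classify_rpm() {
    case "${1##*/}" in
        *.src.rpm)                                 echo src ;;
        *-debuginfo-*.rpm|*-debugsource-*.rpm)     echo debug ;;
        ${PKG}-openscap-*.rpm|${PKG}-ampel-*.rpm)  echo sub ;;
        ${PKG}-[0-9]*.rpm)                         echo main ;;
        *)                                         echo other ;;
    esac
}

# check_binary_rpms RPM...: succeed only when both provider sub-packages are
# present and no main complytime-providers binary package was produced.
check_binary_rpms() {
    have_openscap=0; have_ampel=0; have_main=0
    for rpm_file in "$@"; do
        case "$(classify_rpm "$rpm_file")" in
            main) have_main=1; echo "unexpected main package: ${rpm_file##*/}" >&2 ;;
            sub)
                case "${rpm_file##*/}" in
                    ${PKG}-openscap-*) have_openscap=1 ;;
                    ${PKG}-ampel-*)    have_ampel=1 ;;
                esac ;;
        esac
    done
    [ "$have_openscap" -eq 1 ] || echo "missing ${PKG}-openscap rpm" >&2
    [ "$have_ampel" -eq 1 ]    || echo "missing ${PKG}-ampel rpm" >&2
    [ "$have_openscap" -eq 1 ] && [ "$have_ampel" -eq 1 ] && [ "$have_main" -eq 0 ]
}

# check_provider PATH: present, regular, executable, and actually runnable.
# Running --help catches a missing shared object or a bad interpreter, which
# a bare existence test in the TMT plan would not.
check_provider() {
    provider=$1
    [ -f "$provider" ] || { echo "missing: $provider" >&2; return 1; }
    [ -x "$provider" ] || { echo "not executable: $provider" >&2; return 1; }
    "$provider" --help >/dev/null 2>&1 || { echo "--help failed: $provider" >&2; return 1; }
    return 0
}

# check_pie PATH: -buildmode=pie should yield an ELF of type DYN.
# Treated as a pass when readelf is not installed.
check_pie() {
    command -v readelf >/dev/null 2>&1 || { echo "readelf not found, skipping PIE check" >&2; return 0; }
    readelf -h "$1" 2>/dev/null | grep -q 'Type:[[:space:]]*DYN' \
        || { echo "not position independent: $1" >&2; return 1; }
}

# main: run everything against the real mock result and install paths.
main() {
    rc=0
    check_binary_rpms "$RESULT_DIR"/*.rpm || rc=1
    for name in complyctl-provider-openscap complyctl-provider-ampel; do
        check_provider "$PROVIDER_DIR/$name" || rc=1
        check_pie "$PROVIDER_DIR/$name" || rc=1
    done
    return "$rc"
}

# Only run the live checks when asked, so the functions can be sourced and
# exercised against a scratch tree first.
if [ -n "${RUN_SMOKE:-}" ]; then
    main; exit $?
fi
```

Run it on the mock host as `RUN_SMOKE=1 sh verify-providers.sh`; point RESULT_DIR and PROVIDER_DIR at a scratch tree to try the functions without a real build. If the providers turn out not to accept --help (for example because they only speak the plugin handshake), swap in whatever no-op invocation they do support; the value of the check is that the binary is executed, not the particular flag.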
