Commits
43 commits
6387fa4
[ci] Refactor RPM nfpm configs for reuse
PlatCore Apr 6, 2026
0b641f8
Rename RPM packaging files for naming consistency
PlatCore Apr 6, 2026
28e9a97
Add lib-build-common.sh with shared packaging functions
PlatCore Apr 6, 2026
e621435
Extract shared smoke test into smoke-test.sh
PlatCore Apr 6, 2026
df3e925
Rewrite build-rpm.sh to use lib-build-common.sh
PlatCore Apr 6, 2026
7cedfee
Fix ephemeral key passphrase clearing in build-rpm.sh
PlatCore Apr 7, 2026
58c40cc
Handle docker buildx inspect failure in build-builder-image.sh
PlatCore Apr 7, 2026
97eaee3
Standardize PACKAGE_ARCH and extract resolve_subnet_evm_vm_id
PlatCore Apr 7, 2026
d3df3a2
Add lib-validate-common.sh with shared validation helpers
PlatCore Apr 7, 2026
7be532d
Create unified build-package.sh replacing build-rpm.sh
PlatCore Apr 7, 2026
6b113b7
Add setup-packaging composite action, use in RPM workflow
PlatCore Apr 7, 2026
f472dc1
Make build-package.sh and lib-validate-common.sh executable
PlatCore Apr 7, 2026
ea91494
Replace composite action with shared script for old-tag compat
PlatCore Apr 9, 2026
639eec8
Route setup-packaging through Taskfile for lint compliance
PlatCore Apr 12, 2026
8e4cd35
Replace setup-packaging Taskfile target with workflow-*.sh escape hatch
PlatCore Apr 16, 2026
06c5833
Drop DEB-specific code paths to keep this PR strictly RPM
PlatCore May 5, 2026
0e1d908
Address library-polish review feedback
PlatCore May 6, 2026
234e92c
Use BINARY_PATH directly in nfpm templates
PlatCore May 11, 2026
03825b1
Source DEFAULT_VM_ID from pure-data file
PlatCore May 11, 2026
dd5ec2a
Add precondition guards for required env vars
PlatCore May 13, 2026
9595da4
Address review-feedback cleanup
PlatCore May 13, 2026
c821157
Address library-polish review feedback
PlatCore May 13, 2026
70927aa
Address review nit.
PlatCore May 18, 2026
49e9695
Fix subnet-evm packaging constants
PlatCore May 18, 2026
a2cb5f6
Clarify package build script scope
PlatCore May 19, 2026
6f03745
Use passphrased ephemeral RPM signing key
PlatCore May 19, 2026
361456f
Fix RPM packaging overlay for manual builds
PlatCore May 19, 2026
50dc30c
Rename GPG env vars to format-agnostic names
PlatCore May 20, 2026
cdc384f
Move docstring comments inline with their definitions
PlatCore May 20, 2026
6ebb19e
Require DOCKERFILE explicitly in build-builder-image.sh
PlatCore May 20, 2026
ef8bd3f
Drop format-prefix from GPG public key filename
PlatCore May 20, 2026
9836e68
Simplify ephemeral GPG key reuse in setup_gpg
PlatCore May 20, 2026
4ea5591
Remove host arch detection from validate-rpm.sh
PlatCore May 20, 2026
0d1e1aa
Gate GPG_KEY_PASSPHRASE on non-pull_request event
PlatCore May 20, 2026
052a9c5
Fail release builds without a signing key
PlatCore May 20, 2026
e0ce137
Stop inlining GPG signing passphrase into docker run
PlatCore May 20, 2026
3a4607f
Discard sourced constants.sh stdout in resolve_subnet_evm_vm_id
PlatCore May 20, 2026
c85716d
Drop PKG_FORMAT default in build-package.sh
PlatCore May 22, 2026
74c67a4
Fold lib-validate-common.sh into lib-build-common.sh
PlatCore May 22, 2026
bd1320f
Tighten validate-rpm.sh: fatal on missing key + inline asserts
PlatCore May 22, 2026
ef16400
Inline env-var asserts in workflow-setup-packaging.sh
PlatCore May 22, 2026
a939959
Clarify overlay-step semantics + drop redundant mkdir
PlatCore May 22, 2026
5f653ff
Simplify smoke-test.sh contract: drop Args header + take plugin path
PlatCore May 22, 2026
Expand Up @@ -15,10 +15,12 @@ ARG TARGETARCH

# Install build dependencies
# - gcc: required for cgo (CGO_ENABLED=1 in scripts/constants.sh)
# - gettext: envsubst for nfpm config template expansion
# - gnupg2: GPG signing of RPM packages
# - git: version detection in build scripts
RUN dnf install -y \
gcc \
gettext \
gnupg2 \
git \
&& dnf clean all
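Review bot: the `dnf install -y gcc gettext gnupg2 git` line in this hunk installs whatever versions the base repositories serve at image-build time, so two builds of the signing container are not guaranteed to contain the same gnupg2/gcc, and a signed RPM cannot be traced back to a known toolchain. Consider pinning the package versions in the install list, or at minimum emitting `rpm -qa` in the builder so the resolved set is recorded in the build log.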
32 changes: 20 additions & 12 deletions .github/packaging/Taskfile.yml
Expand Up @@ -50,56 +50,63 @@ tasks:
GO_VERSION: '{{.PACKAGING_GO_VERSION}}'
DOCKER_IMAGE: '{{.PACKAGING_DOCKER_IMAGE}}'
CONTEXT_DIR: '{{.REPO_ROOT}}/.github/packaging'
DOCKERFILE: Dockerfile.rpm
cmds:
- cmd: '{{.REPO_ROOT}}/.github/packaging/scripts/build-builder-image.sh'

build-avalanchego-rpm:
desc: Builds RPM for avalanchego
vars:
RPM_ARCH: '{{.RPM_ARCH | default .PACKAGING_HOST_ARCH}}'
PACKAGE_ARCH: '{{.PACKAGE_ARCH | default .PACKAGING_HOST_ARCH}}'
RPM_TAG: '{{.PACKAGING_TAG}}'
env:
GPG_KEY_PASSPHRASE: '{{.GPG_KEY_PASSPHRASE}}'
deps: [build-builder-docker-image]
cmds:
- cmd: mkdir -p {{.PACKAGING_OUTPUT_DIR}}
- cmd: >-
docker run --rm
-v {{.REPO_ROOT}}:/build
-v {{.PACKAGING_OUTPUT_DIR}}:/output
{{if .RPM_GPG_KEY_FILE}}-v {{.RPM_GPG_KEY_FILE}}:{{.RPM_GPG_KEY_FILE}}:ro{{end}}
{{if .GPG_KEY_FILE}}-v {{.GPG_KEY_FILE}}:{{.GPG_KEY_FILE}}:ro{{end}}
-e PKG_FORMAT=RPM
-e PACKAGE=avalanchego
-e VERSION={{trimPrefix "v" .RPM_TAG}}
-e TAG={{.RPM_TAG}}
-e RPM_ARCH={{.RPM_ARCH}}
-e PACKAGE_ARCH={{.PACKAGE_ARCH}}
-e OUTPUT_DIR=/output
-e AVALANCHEGO_COMMIT={{.PACKAGING_GIT_COMMIT}}
{{if .RPM_GPG_KEY_FILE}}-e RPM_GPG_KEY_FILE={{.RPM_GPG_KEY_FILE}}{{end}}
{{if .NFPM_RPM_PASSPHRASE}}-e NFPM_RPM_PASSPHRASE={{.NFPM_RPM_PASSPHRASE}}{{end}}
{{if .GPG_KEY_FILE}}-e GPG_KEY_FILE={{.GPG_KEY_FILE}}{{end}}
{{if .GPG_KEY_PASSPHRASE}}-e GPG_KEY_PASSPHRASE{{end}}
{{.PACKAGING_DOCKER_IMAGE}}
.github/packaging/scripts/build-rpm.sh
.github/packaging/scripts/build-package.sh

build-subnet-evm-rpm:
desc: Builds RPM for subnet-evm
vars:
RPM_ARCH: '{{.RPM_ARCH | default .PACKAGING_HOST_ARCH}}'
PACKAGE_ARCH: '{{.PACKAGE_ARCH | default .PACKAGING_HOST_ARCH}}'
RPM_TAG: '{{.PACKAGING_TAG}}'
env:
GPG_KEY_PASSPHRASE: '{{.GPG_KEY_PASSPHRASE}}'
deps: [build-builder-docker-image]
cmds:
- cmd: mkdir -p {{.PACKAGING_OUTPUT_DIR}}
- cmd: >-
docker run --rm
-v {{.REPO_ROOT}}:/build
-v {{.PACKAGING_OUTPUT_DIR}}:/output
{{if .RPM_GPG_KEY_FILE}}-v {{.RPM_GPG_KEY_FILE}}:{{.RPM_GPG_KEY_FILE}}:ro{{end}}
{{if .GPG_KEY_FILE}}-v {{.GPG_KEY_FILE}}:{{.GPG_KEY_FILE}}:ro{{end}}
-e PKG_FORMAT=RPM
-e PACKAGE=subnet-evm
-e VERSION={{trimPrefix "v" .RPM_TAG}}
-e TAG={{.RPM_TAG}}
-e RPM_ARCH={{.RPM_ARCH}}
-e PACKAGE_ARCH={{.PACKAGE_ARCH}}
-e OUTPUT_DIR=/output
-e AVALANCHEGO_COMMIT={{.PACKAGING_GIT_COMMIT}}
{{if .RPM_GPG_KEY_FILE}}-e RPM_GPG_KEY_FILE={{.RPM_GPG_KEY_FILE}}{{end}}
{{if .NFPM_RPM_PASSPHRASE}}-e NFPM_RPM_PASSPHRASE={{.NFPM_RPM_PASSPHRASE}}{{end}}
{{if .GPG_KEY_FILE}}-e GPG_KEY_FILE={{.GPG_KEY_FILE}}{{end}}
{{if .GPG_KEY_PASSPHRASE}}-e GPG_KEY_PASSPHRASE{{end}}
{{.PACKAGING_DOCKER_IMAGE}}
.github/packaging/scripts/build-rpm.sh
.github/packaging/scripts/build-package.sh

test-build-rpms:
desc: Builds and validates RPMs end-to-end
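Review bot: `{{if .GPG_KEY_PASSPHRASE}}-e GPG_KEY_PASSPHRASE{{end}}` keeps the passphrase out of the `docker run` argument list, which is an improvement, but docker still resolves the value into the container's config, so `docker inspect` on the host and `/proc/<pid>/environ` inside the container expose it for the lifetime of the build. If that is a concern, the only way to keep it out of container metadata is to handle it like `GPG_KEY_FILE`: bind-mount a mode-0600 passphrase file read-only and have build-package.sh read it. Separately, the two `docker run` invocations in `build-avalanchego-rpm` and `build-subnet-evm-rpm` differ only in `-e PACKAGE=…`; a single internal task parameterised on PACKAGE would prevent a future flag being added to one and missed in the other.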
Expand All @@ -112,5 +119,6 @@ tasks:
env:
TAG: '{{.PACKAGING_TAG}}'
GIT_COMMIT: '{{.PACKAGING_GIT_COMMIT}}'
PACKAGE_ARCH: '{{.PACKAGE_ARCH | default .PACKAGING_HOST_ARCH}}'
cmds:
- cmd: '{{.REPO_ROOT}}/.github/packaging/scripts/validate-rpm.sh'
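Review bot: `PACKAGE_ARCH: '{{.PACKAGE_ARCH | default .PACKAGING_HOST_ARCH}}'` is now the third copy of this default (the two build tasks above spell it the same way); hoisting it into one top-level var would guarantee that `test-build-rpms` validates the same architecture the build tasks produced rather than relying on three defaults staying in sync.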
@@ -1,5 +1,5 @@
name: avalanchego
arch: "${RPM_ARCH}"
arch: "${PACKAGE_ARCH}"
version: "${VERSION}"
maintainer: "Ava Labs <security@avalabs.org>"
description: "AvalancheGo node — the official Avalanche protocol implementation"
Expand All @@ -8,14 +8,12 @@ license: "BSD-3-Clause"
depends:
- "glibc >= 2.34"
contents:
- src: "${AVALANCHEGO_BINARY}"
- src: "${BINARY_PATH}"
dst: /var/opt/avalanchego/bin/avalanchego
expand: true
file_info:
mode: 0755
# changelog and key_file paths are set to well-known locations by build-rpm.sh
changelog: "/build/build/nfpm-changelog.yml"
changelog: "${NFPM_CHANGELOG}"
rpm:
compression: zstd
signature:
key_file: "/build/build/gpg/signing-key.asc"
key_file: "${NFPM_SIGNING_KEY}"
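Review bot: `key_file: "${NFPM_SIGNING_KEY}"` and `changelog: "${NFPM_CHANGELOG}"` are resolved by envsubst, which substitutes an empty string for an unset variable instead of failing, and nfpm treats an empty `key_file` as "do not sign"; a run in which NFPM_SIGNING_KEY was not exported would therefore produce an unsigned RPM with no error originating from this config. Either have the build pass envsubst an explicit variable list and assert the resolved YAML still contains a non-empty `key_file`, or at least restore a comment here stating which script exports these variables, since the old "set to well-known locations by build-rpm.sh" comment was dropped without a replacement.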
@@ -1,5 +1,5 @@
name: subnet-evm
arch: "${RPM_ARCH}"
arch: "${PACKAGE_ARCH}"
version: "${VERSION}"
maintainer: "Ava Labs <security@avalabs.org>"
description: "Subnet-EVM plugin for AvalancheGo"
Expand All @@ -8,15 +8,13 @@ license: "BSD-3-Clause"
depends:
- "glibc >= 2.34"
contents:
- src: "${SUBNET_EVM_BINARY}"
- src: "${BINARY_PATH}"
# SUBNET_EVM_VM_ID is sourced from graft/subnet-evm/scripts/constants.sh
dst: /var/opt/avalanchego/plugins/${SUBNET_EVM_VM_ID}
expand: true
file_info:
mode: 0755
# changelog and key_file paths are set to well-known locations by build-rpm.sh
changelog: "/build/build/nfpm-changelog.yml"
changelog: "${NFPM_CHANGELOG}"
rpm:
compression: zstd
signature:
key_file: "/build/build/gpg/signing-key.asc"
key_file: "${NFPM_SIGNING_KEY}"
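Review bot: `dst: /var/opt/avalanchego/plugins/${SUBNET_EVM_VM_ID}` has the same unset-variable failure mode as the signing key path: if SUBNET_EVM_VM_ID is empty at envsubst time, `dst` collapses to the plugins directory itself, which is not a valid plugin file location, and the mistake only surfaces later in nfpm (or on install) rather than here. Also, the comment above it still says the ID is sourced from graft/subnet-evm/scripts/constants.sh, while commit 03825b1 in this PR says DEFAULT_VM_ID now comes from a pure-data file; please confirm the comment still matches where the value is read from.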
5 changes: 4 additions & 1 deletion .github/packaging/scripts/build-builder-image.sh
Expand Up @@ -9,12 +9,14 @@
# GO_VERSION - Go version to install (e.g., "1.24.12")
# DOCKER_IMAGE - Name for the built Docker image
# CONTEXT_DIR - Path to the Dockerfile directory
# DOCKERFILE - Dockerfile name (e.g., "Dockerfile.rpm")

set -euo pipefail

: "${GO_VERSION:?GO_VERSION must be set}"
: "${DOCKER_IMAGE:?DOCKER_IMAGE must be set}"
: "${CONTEXT_DIR:?CONTEXT_DIR must be set}"
: "${DOCKERFILE:?DOCKERFILE must be set (e.g. Dockerfile.rpm)}"

command -v jq >/dev/null 2>&1 || { echo "ERROR: jq is required but not found on PATH" >&2; exit 1; }

Expand Down Expand Up @@ -45,13 +47,14 @@ build_flags=()
build_driver=$(
docker buildx inspect 2>/dev/null \
| awk '/^Driver:/ { print $2; exit }'
)
) || true
if [[ "${build_driver}" == "docker-container" ]]; then
build_flags+=(--load)
fi

docker build "${build_flags[@]}" \
--build-arg GO_VERSION="${GO_VERSION}" \
--build-arg GO_CHECKSUM="${checksum}" \
-f "${CONTEXT_DIR}/${DOCKERFILE}" \
-t "${DOCKER_IMAGE}" \
"${CONTEXT_DIR}"
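Review bot: `) || true` on the `docker buildx inspect` command substitution correctly handles a host without buildx, but together with `2>/dev/null` it also swallows the case where the docker daemon is simply unreachable, so that failure now surfaces later at `docker build` with no hint that the driver probe already failed. Consider keeping stderr visible for the inspect call, or running `docker info` once before the probe so daemon problems fail early with a clear message.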
64 changes: 64 additions & 0 deletions .github/packaging/scripts/build-package.sh
@@ -0,0 +1,64 @@
#!/usr/bin/env bash

# Build and sign a Linux package inside the container.

set -euo pipefail

: "${PACKAGE:?PACKAGE must be set (avalanchego or subnet-evm)}"
: "${VERSION:?VERSION must be set (semver without v prefix, e.g. 1.14.1)}"
: "${TAG:?TAG must be set (git tag, e.g. v1.14.1)}"
: "${PACKAGE_ARCH:?PACKAGE_ARCH must be set (x86_64 or aarch64)}"
: "${OUTPUT_DIR:?OUTPUT_DIR must be set (bind-mounted output dir)}"

: "${PKG_FORMAT:?PKG_FORMAT must be set (RPM or DEB)}"
pkg_format_lower="${PKG_FORMAT,,}"

REPO_ROOT="/build"
PACKAGING_DIR="${REPO_ROOT}/.github/packaging"

# shellcheck disable=SC1091
source "${PACKAGING_DIR}/scripts/lib-build-common.sh"

# Well-known paths referenced by nfpm configs
export NFPM_CHANGELOG="${REPO_ROOT}/build/nfpm-changelog.yml"
export NFPM_SIGNING_KEY="${REPO_ROOT}/build/gpg/signing-key.asc"

echo "=== Building ${PACKAGE} ${PKG_FORMAT} for ${PACKAGE_ARCH} (tag: ${TAG}) ==="

init_build_env
build_binary "${PACKAGE}"
generate_changelog "${VERSION}"

# ── GPG signing ───────────────────────────────────────────────────

GPG_KEY_FILE="${GPG_KEY_FILE:-}"
GPG_PUBLIC_KEY="${OUTPUT_DIR}/GPG-KEY-avalanchego"

# nfpm reads the signing passphrase from a packager-specific env var
Contributor: (No action required) With the switch to signing DEBs with nfpm, some of the extractions from this script to lib-build-common.sh appear to make less sense. e.g. Rather than using something like use_ephemeral_gpg_passphrase, a conditional check for the file could choose directly between setting to the provided value or the ephemeral value.
# (NFPM_RPM_PASSPHRASE, NFPM_DEB_PASSPHRASE, ...); mirror our format-
# agnostic GPG_KEY_PASSPHRASE into the name nfpm expects.
nfpm_passphrase_var="NFPM_${PKG_FORMAT}_PASSPHRASE"
export "${nfpm_passphrase_var}=${GPG_KEY_PASSPHRASE:-}"

# Ephemeral keys use a known throwaway passphrase so local and CI builds
# exercise passphrase handling without release credentials.
if [[ -z "${GPG_KEY_FILE}" ]]; then
use_ephemeral_gpg_passphrase "${nfpm_passphrase_var}"
fi

setup_gpg "${GPG_KEY_FILE}" "${GPG_PUBLIC_KEY}" "${PKG_FORMAT}"

# ── Package with nfpm ─────────────────────────────────────────────

export VERSION PACKAGE_ARCH BINARY_PATH

PKG_FILENAME="${PACKAGE}-${TAG}-${PACKAGE_ARCH}.${pkg_format_lower}"
PKG_PATH="${OUTPUT_DIR}/${PKG_FILENAME}"

run_nfpm_package \
"${PACKAGING_DIR}/nfpm/${PACKAGE}-${pkg_format_lower}.yml" \
"${REPO_ROOT}/build/${PACKAGE}-${pkg_format_lower}-resolved.yml" \
"${pkg_format_lower}" \
"${PKG_PATH}"

echo "${PKG_FORMAT} built: ${PKG_PATH}"
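Review bot: `nfpm_passphrase_var="NFPM_${PKG_FORMAT}_PASSPHRASE"` is derived from PKG_FORMAT before PKG_FORMAT is validated; the `: "${PKG_FORMAT:?PKG_FORMAT must be set (RPM or DEB)}"` guard only checks non-emptiness, so `PKG_FORMAT=rpm` yields `NFPM_rpm_PASSPHRASE`, nfpm never sees the passphrase, and signing with a passphrase-protected release key fails, while the `${PKG_FORMAT,,}` lowercasing makes the config and output filenames look correct. Add an allowlist right after the guard, e.g. `case "${PKG_FORMAT}" in RPM|DEB) ;; *) echo "ERROR: PKG_FORMAT must be RPM or DEB" >&2; exit 1;; esac`. Separately, `GPG_PUBLIC_KEY="${OUTPUT_DIR}/GPG-KEY-avalanchego"` is passed to `setup_gpg` on the ephemeral-key path as well, so a throwaway public key lands in the output directory under the release key's filename; giving the ephemeral export a distinct name would stop it being mistaken for, or published as, the real key.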
156 changes: 0 additions & 156 deletions .github/packaging/scripts/build-rpm.sh

This file was deleted.
