
Add dnf/apt package publishing pipeline #425

Draft
maqeel75 wants to merge 8 commits into main from feat/publish-to-dnf-apt

Conversation

maqeel75 (Member) commented Jul 3, 2026

What this does

Adds a package publishing pipeline so control-plane RPM/DEB packages flow into the pgEdge dnf/apt repos, without changing how packages are built. Build stays in CircleCI (goreleaser + nfpm); a new publish-only GitHub workflow reacts to the published release and pushes to the repos.

This is a draft for initial review — not yet run end-to-end on a real tag.

Approach

  • CircleCI (build + sign, unchanged location): per-distro nfpm packages, version normalization (rc.1 → rc1), gzip-pinned debs for reprepro, embedded per-format-signed SBOM (RPM key signs the rpm SBOM, APT key signs the deb SBOM), RPM signing (rpmsign --addsign), and the release is created as a draft so signed assets can be attached before it goes public.
  • GitHub Actions (publish.yml, publish-only): triggers on: release: published (fires when CircleCI un-drafts). Downloads the rpm/deb from the release (no rebuild) → routes repo type via pgedge-parse-release-tag → pushes dnf + apt → S3 backup → manifest + Slack.

Files changed

  • .goreleaser.yaml — per-distro nfpms, ~-safe versioning, gzip, per-format SBOM, draft release
  • .circleci/config.yml — SBOM sign + rpm sign + un-draft after upload
  • .github/workflows/publish.yml — new publish-only pipeline (389 lines)

Reviewer notes / open items before merge

  • End-to-end test on a throwaway tag (e.g. v1.0.0-test1 → daily)
  • Confirm CircleCI + GitHub secrets are present (GPG base64 keys, S3/CloudFront, Slack, PGEDGE_BUILDER_TOKEN)
  • Confirm pgedge-repo-manager promote.yml picks up control-plane (may need a config entry)
  • Key handoff assumptions to sanity-check: gh release upload/edit --draft=false resolve the goreleaser draft by tag; parse-release-tag suffix → repo_type; apt-repo-builder accepts the codename→image target JSON shape

🤖 Generated with Claude Code

coderabbitai (bot) commented Jul 3, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 35e80331-1233-4808-8ebd-6ca352024069

📥 Commits

Reviewing files that changed from the base of the PR and between 56f921d and c8458ee.

📒 Files selected for processing (2)
  • .circleci/config.yml
  • .github/workflows/publish.yml
🚧 Files skipped from review as they are similar to previous changes (2)
  • .circleci/config.yml
  • .github/workflows/publish.yml

📝 Walkthrough

Walkthrough

Updates package packaging and release handling for signed RPM/DEB artifacts, adds CircleCI SBOM signing and publish steps, and introduces a GitHub Actions workflow that pushes released packages to DNF/APT repositories with backup and notification reporting.

Changes

Signed Package Build and Publish Pipeline

Layer / File(s): Summary

  • Goreleaser nfpm packaging and SBOM contents (.goreleaser.yaml): Restructures nfpms into per-distro entries via shared defaults, embeds SBOM JSON and signature files into packages, and keeps the GitHub release in draft mode.
  • CircleCI SBOM generation and signing (.circleci/config.yml): Validates FIPS keys, installs syft and rpm, derives key IDs, generates a CycloneDX SBOM, and signs SBOM outputs for RPM and DEB.
  • Dual goreleaser invocation (.circleci/config.yml): Normalizes CIRCLE_TAG into PKG_TAG and runs goreleaser release twice to separate canonical release output from package generation.
  • RPM signing and release publish (.circleci/config.yml): Signs dist/*.rpm with rpmsign, optionally verifies signatures, uploads signed RPM/DEB artifacts, and publishes the release with gh release edit --draft=false.
  • Publish workflow trigger and repo routing (.github/workflows/publish.yml): Adds the Publish workflow trigger and concurrency setup, then parses release tags into repo_type with suffix-based routing.
  • DNF and APT repo push jobs (.github/workflows/publish.yml): Downloads release RPM/DEB assets, groups them by distro metadata, and pushes them to DNF/APT repositories with backup artifacts.
  • Manifest aggregation and Slack notification (.github/workflows/publish.yml): Aggregates successful push results into manifest.json, composes Slack fields, runs the publisher action, and uploads the manifest artifact.

Poem

A rabbit hopped through keys and gpg,
Signing SBOMs beneath the tree 🌳
RPMs and DEBs, now sealed so tight,
Published at last from draft to light 🌙
Hop, hop, hooray — the pipeline's bright!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Description check: ⚠️ Warning. Explanation: The description covers the goal and changes, but it misses the required Summary, Testing, and Checklist sections from the template. Resolution: Rewrite it to match the template with Summary, Changes, Testing, Checklist, and Notes for Reviewers sections, and add the missing test steps and checklist items.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title clearly summarizes the main change: adding a dnf/apt package publishing pipeline.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

codacy-production (bot) commented

Up to standards ✅

🟢 Issues: 0 issues

Results: 0 new issues

coderabbitai (bot) left a review comment

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.circleci/config.yml:
- Around line 141-143: The Syft install step currently uses the remote install
script, which should be replaced with a release tarball flow. Update the
.circleci config around the Syft setup to download the v1.45.1 tarball and its
checksums file, verify the tarball against the published checksum, and then
install the extracted syft binary with sudo install. Keep the change localized
to the Syft installation block so the pipeline still sets up the same version
via the existing SYFT_VERSION variable.

In @.github/workflows/publish.yml:
- Around line 111-118: The release asset download step in publish workflow
currently trusts all matching RPM/DEB files from gh release download without
verification. Add a post-download verification gate in the publish job around
the Download RPMs from the release and the corresponding DEB download step,
using the downloaded artifacts’ unique symbols/steps in this workflow to verify
RPM signatures and validate DEB provenance or checksums against a signed
manifest/SBOM before any repository publication occurs.
- Around line 56-64: The private action checkout steps in the workflow currently
use git clone with the token embedded in the URL, which can leave credentials
stored in the cloned repo’s git config. Update the checkout logic for
pgedge-parse-release-tag and the other private action fetches to use an
ephemeral auth approach that does not persist the token in the workspace, and
make sure the referenced action repositories are pinned to an immutable tag or
SHA rather than a mutable branch.
- Around line 125-143: The publish workflow currently allows a successful no-op
when no RPM publish targets are derived. Add the same jq length check after
building the target arrays in both target-building steps that populate push,
backups, and cells, and fail the job if any of them are empty so misnamed or
missing assets do not continue to manifest/Slack reporting. Use the existing jq
array variables and the shell block that writes to GITHUB_OUTPUT as the place to
enforce the guard.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5f24354d-56c7-4e6b-8535-e061bb90aaa6

📥 Commits

Reviewing files that changed from the base of the PR and between fea3b6a and ff402fe.

📒 Files selected for processing (3)
  • .circleci/config.yml
  • .github/workflows/publish.yml
  • .goreleaser.yaml
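Two of the review points above (verify the Syft tarball against its published checksums file before installing it, and fail a publish step that derived zero targets instead of letting it succeed as a no-op) as one added example. This is not code from the PR or from the pgEdge pipeline; the checksums file is assumed to use the usual "<sha256>  <filename>" layout, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the PR: a checksum gate for a downloaded release
# tarball and a guard against a publish step with no targets.
set -eu

# Print the SHA-256 of a file with whichever digest tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum <file> <checksums.txt>
# Looks up the entry for the file's basename (text "name" or binary "*name"
# form) and compares it with the real digest. Returns 1 when the entry is
# missing or differs, so a `set -e` install step stops before `sudo install`.
verify_checksum() {
  file="$1"; sums="$2"
  name=$(basename "$file")
  expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $sums" >&2
    return 1
  fi
  actual=$(sha256_of "$file")
  if [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $name: expected $expected, got $actual" >&2
    return 1
  fi
  echo "checksum ok: $name"
}

# require_targets <label> <file>...
# Refuses to continue when no artifacts were matched, or a matched path does
# not exist, instead of letting the job succeed as a no-op and report a
# "published" result to the manifest and Slack.
require_targets() {
  label="$1"; shift
  [ "$#" -gt 0 ] || { echo "no $label targets found" >&2; return 1; }
  for f in "$@"; do
    [ -f "$f" ] || { echo "$label target missing: $f" >&2; return 1; }
  done
  echo "$label: $# target(s) ready"
}

# Usage in an install step (hypothetical paths):
#   verify_checksum syft.tar.gz checksums.txt && tar -xzf syft.tar.gz syft \
#     && sudo install -m 0755 syft /usr/local/bin/syft
```

In the publish job, `require_targets rpm dist/*.rpm` placed before the push step turns a misnamed or missing asset into a failed job rather than an empty manifest.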

@maqeel75 maqeel75 requested a review from jason-lynch July 3, 2026 14:57