Add dnf/apt package publishing pipeline#425
…malize pre-release version (rc.1->rc1) and pin deb gzip for reprepro
…T keys (base64 CircleCI secrets), via nfpms overrides
…OM signature differs)
…o dnf/apt repos via GitHub workflow
No actionable comments were generated in the recent review.
Walkthrough: Updates package packaging and release handling for signed RPM/DEB artifacts, adds CircleCI SBOM signing and publish steps, and introduces a GitHub Actions workflow that pushes released packages to DNF/APT repositories with backup and notification reporting.

Changes: Signed Package Build and Publish Pipeline
Pre-merge checks: 4 passed, 1 failed (warning).
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.circleci/config.yml:
- Around line 141-143: The Syft install step currently uses the remote install
script, which should be replaced with a release tarball flow. Update the
.circleci config around the Syft setup to download the v1.45.1 tarball and its
checksums file, verify the tarball against the published checksum, and then
install the extracted syft binary with sudo install. Keep the change localized
to the Syft installation block so the pipeline still sets up the same version
via the existing SYFT_VERSION variable.
In @.github/workflows/publish.yml:
- Around line 111-118: The release asset download step in publish workflow
currently trusts all matching RPM/DEB files from gh release download without
verification. Add a post-download verification gate in the publish job around
the Download RPMs from the release and the corresponding DEB download step,
using the downloaded artifacts’ unique symbols/steps in this workflow to verify
RPM signatures and validate DEB provenance or checksums against a signed
manifest/SBOM before any repository publication occurs.
- Around line 56-64: The private action checkout steps in the workflow currently
use git clone with the token embedded in the URL, which can leave credentials
stored in the cloned repo’s git config. Update the checkout logic for
pgedge-parse-release-tag and the other private action fetches to use an
ephemeral auth approach that does not persist the token in the workspace, and
make sure the referenced action repositories are pinned to an immutable tag or
SHA rather than a mutable branch.
- Around line 125-143: The publish workflow currently allows a successful no-op
when no RPM publish targets are derived. Add the same jq length check after
building the target arrays in both target-building steps that populate push,
backups, and cells, and fail the job if any of them are empty so misnamed or
missing assets do not continue to manifest/Slack reporting. Use the existing jq
array variables and the shell block that writes to GITHUB_OUTPUT as the place to
enforce the guard.
Files selected for processing (3): .circleci/config.yml, .github/workflows/publish.yml, .goreleaser.yaml
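The review comments above ask for two guards: verifying a downloaded tarball against its published checksums file before installing it, and failing the publish job when the target list is empty. The shell below is an added example, not code from this PR or from CodeRabbit; it assumes a SHA256SUMS-style `HASH  NAME` checksums file (the format `sha256sum` writes and Syft's `*_checksums.txt` asset uses) and takes the publish targets as an already-expanded glob. RPM signature checking with `rpm --checksig` is a separate step and is not shown here.

```shell
#!/bin/sh
# Added example, not code from the PR: a verification gate for downloaded
# release assets plus a guard against publishing with zero targets.
set -eu

# Print the hex SHA-256 of a file; uses coreutils sha256sum when present,
# otherwise the shasum that macOS ships.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_against_checksums CHECKSUMS_FILE DIR
# CHECKSUMS_FILE is assumed to be in "HASH  NAME" form. Every listed file must
# exist under DIR and hash to the listed value; the first missing or
# mismatched file makes the function return 1, so a caller running under
# `set -e` stops before any install or publish step runs.
verify_against_checksums() {
  checksums="$1"
  dir="$2"
  while read -r expected name; do
    [ -n "$name" ] || continue          # skip blank lines
    name="${name#\*}"                    # sha256sum marks binary mode with '*'
    path="$dir/$name"
    if [ ! -f "$path" ]; then
      echo "verify: missing asset $name" >&2
      return 1
    fi
    actual=$(sha256_of "$path")
    if [ "$actual" != "$expected" ]; then
      echo "verify: checksum mismatch for $name" >&2
      return 1
    fi
  done < "$checksums"
  return 0
}

# require_targets LABEL PATH...
# Pass the expanded glob of assets to publish (e.g. dist/*.rpm). An unmatched
# glob stays literal and is not a file, so the count is 0 and the function
# fails instead of letting the job finish as a successful no-op. Prints the
# count on success.
require_targets() {
  label="$1"
  shift
  count=0
  for f in "$@"; do
    if [ -f "$f" ]; then
      count=$((count + 1))
    fi
  done
  if [ "$count" -eq 0 ]; then
    echo "publish: no $label targets found, refusing to continue" >&2
    return 1
  fi
  printf '%s\n' "$count"
}
```

In a CI step this would run as `verify_against_checksums syft_1.45.1_checksums.txt .` right after the download and before `sudo install`, and as `require_targets rpm dist/*.rpm` (and likewise for `deb`) right after the asset download, before any target JSON is written to `GITHUB_OUTPUT`.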
# Conflicts: # .goreleaser.yaml
… fail publish on empty targets
What this does
Adds a package publishing pipeline so control-plane RPM/DEB packages flow into the pgEdge dnf/apt repos, without changing how packages are built. Build stays in CircleCI (goreleaser + nfpm); a new publish-only GitHub workflow reacts to the published release and pushes to the repos. This is a draft for initial review — not yet run end-to-end on a real tag.
Approach
- rc.1→rc1), gzip-pinned debs for reprepro, embedded per-format-signed SBOM (RPM key signs the rpm SBOM, APT key signs the deb SBOM), RPM signing (`rpmsign --addsign`), and the release is created as a draft so signed assets can be attached before it goes public.
- `publish.yml` (publish-only): triggered by `release: published` (fires when CircleCI un-drafts). Downloads the rpm/deb from the release (no rebuild) → routes repo type via `pgedge-parse-release-tag` → pushes dnf + apt → S3 backup → manifest + Slack.

Files changed
- `.goreleaser.yaml`: per-distro nfpms, ~-safe versioning, gzip, per-format SBOM, draft release
- `.circleci/config.yml`: SBOM sign + rpm sign + un-draft after upload
- `.github/workflows/publish.yml`: new publish-only pipeline (389 lines)

Reviewer notes / open items before merge
- v1.0.0-test1 → daily)
- PGEDGE_BUILDER_TOKEN)
- pgedge-repo-manager promote.yml picks up control-plane (may need a config entry)
- `gh release upload/edit --draft=false` resolve the goreleaser draft by tag; parse-release-tag suffix → repo_type; apt-repo-builder accepts the codename→image target JSON shape

🤖 Generated with Claude Code
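The "~-safe versioning" and "rc.1→rc1" items above refer to turning a git tag into a version string that both rpm and dpkg order correctly. The function below is an added example of one such mapping, not the PR's goreleaser/nfpm configuration; the exact rules it applies (strip the leading `v`, join the pre-release part with `~`, collapse `rc.1` to `rc1`) are an assumption about what the PR does, chosen because both rpm (since 4.10) and dpkg sort `~` before everything else, including the empty string, so `1.0.0~rc1` sorts before `1.0.0`.

```shell
#!/bin/sh
# Added example, not the PR's goreleaser/nfpm configuration. Derives a
# version usable by both rpm and dpkg from a git tag such as v1.0.0-rc.1.
set -eu

# normalize_version TAG
# Assumed mapping: drop the leading "v", replace the "-" before a pre-release
# with "~" (rpm rejects "-" inside a Version field, and both rpm and dpkg sort
# "~" before anything else), and collapse "rc.1" to "rc1" as the commit
# message describes. Tags without a pre-release part pass through unchanged.
normalize_version() {
  tag="${1#v}"
  case "$tag" in
    *-*)
      base="${tag%%-*}"                 # e.g. 1.0.0
      pre="${tag#*-}"                   # e.g. rc.1 or test1
      pre=$(printf '%s' "$pre" | sed -E 's/^(alpha|beta|rc)\.([0-9]+)/\1\2/')
      printf '%s~%s\n' "$base" "$pre" ;;
    *)
      printf '%s\n' "$tag" ;;
  esac
}

# Example: normalize_version v1.0.0-rc.1 -> 1.0.0~rc1
```

The same string can be fed to the rpm `Version` field and the deb `Version` field, so the pre-release never sorts above the final release in either repository.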