Add Packit automation for COPR builds and Fedora packaging #196
Code Review
This pull request introduces Packit automation for COPR builds and Fedora packaging via a .packit.yaml configuration. However, the configuration contains a high-severity vulnerability: an internal xtask script lacks proper validation of version strings, risking RPM spec file injection and Remote Code Execution (RCE). Insecure artifact selection is also possible due to wildcard usage in shell commands. Additionally, the configuration includes debugging artifacts and could be simplified for better maintainability, with suggestions provided to streamline the build process.
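One way to close the version-string gap the review describes, as an added example (not code from this pull request or from the project's xtask): an allowlist check applied before a version is written into a spec file. The function names, the allowlist and the sample spec text are assumptions made for illustration.

```rust
// Added example: helper names are hypothetical, not from the bcvk xtask.

/// Characters accepted besides ASCII alphanumerics. Assumption: this follows
/// the separators RPM documents for the Version tag; '-' is excluded because
/// RPM uses it to split name-version-release.
const EXTRA_OK: &[char] = &['.', '_', '+', '~', '^'];

#[derive(Debug, PartialEq)]
pub enum VersionError {
    Empty,
    Forbidden { index: usize, ch: char },
}

/// Accept a version only if every character is on the allowlist, so that
/// newlines (new spec lines) and '%' (macro expansion) never reach the spec.
pub fn validate_version(v: &str) -> Result<&str, VersionError> {
    if v.is_empty() {
        return Err(VersionError::Empty);
    }
    for (index, ch) in v.char_indices() {
        if !(ch.is_ascii_alphanumeric() || EXTRA_OK.contains(&ch)) {
            return Err(VersionError::Forbidden { index, ch });
        }
    }
    Ok(v)
}

/// Rewrite the `Version:` line of a spec template with a validated value.
pub fn set_spec_version(spec: &str, version: &str) -> Result<String, VersionError> {
    let version = validate_version(version)?;
    let mut out = String::with_capacity(spec.len() + version.len());
    for line in spec.lines() {
        if line.starts_with("Version:") {
            out.push_str(&format!("Version:        {version}\n"));
        } else {
            out.push_str(line);
            out.push('\n');
        }
    }
    Ok(out)
}

fn main() {
    // Constructed sample inputs, not taken from the pull request.
    let spec = "Name:           bcvk\nVersion:        0\nRelease:        1%{?dist}\n";
    println!("{:?}", set_spec_version(spec, "0.5.3"));
    println!("{:?}", set_spec_version(spec, "0.5.3\nSource9: x"));
}
```

Rejecting the input outright, rather than escaping it, keeps the spec generator from ever emitting a line the caller did not intend.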
874498e to
00888b6
OK I added this manually, https://copr.fedorainfracloud.org/coprs/rhcontainerbot/bootc/package/bcvk/
contrib/packaging/bcvk.spec
Outdated
|
|
||
| # https://fedoraproject.org/wiki/Changes/EncourageI686LeafRemoval | ||
| ExcludeArch: %{ix86} | ||
| # bcvk only supports x86_64 and aarch64 |
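Review bot: the comment on the last line, "bcvk only supports x86_64 and aarch64", states a support limit without saying why or where it is tracked, while the `ExcludeArch: %{ix86}` line above it carries a URL that explains the exclusion. Give this comment the same treatment: link an issue or name the reason, so the restriction can be revisited later.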
Hmmm...I guess it's quite possible the SMBIOS usage for systemd credentials doesn't work on at least s390.
But I bet we at least compile there. This seems well worth linking to an issue or so.
true. Removing s390x and ppc64le from ExcludeArch - code will compile on those architectures if someone wants to build locally but we won't include in .packit though
Now of course two things on this; I think we can associate a COPR with a FAS group and ensure you're in it? And in theory it might be possible to somehow auto-sync the packit enablement to a COPR.

This adds Packit configuration to enable:
- Automated COPR builds on PRs and commits to main
- Automated Fedora package proposals on releases
- Koji builds and Bodhi updates for Fedora releases

Assisted-by: Claude Code (Sonnet 4.5)
Signed-off-by: gursewak1997 <gursmangat@gmail.com>
00888b6 to
5d3923b
I requested the permissions
| BuildRequires: make | ||
| BuildRequires: openssl-devel | ||
| BuildRequires: go-md2man | ||
| BuildRequires: openssh-clients |
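Review bot: `BuildRequires: openssh-clients` on the last line has no comment saying what needs an SSH client at build time, unlike a toolchain entry such as `make` whose purpose is evident. If it is only there for the test suite, add a spec comment saying so, so it is not later mistaken for a dependency of the binary or dropped by accident.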
I don't think this is a build requirement is it? It's just a runtime requirement...unless this is about the unit tests?
The problem is RPM doesn't have a concept of TestRequires but it's worth a comment like # Required for unit tests if so.
Already merged now but yes, openssh-clients is only needed for the unit tests (specifically test_generate_ssh_keypair), not for building the binary
Already merged now
Yes tangent but IMO not everything needs to be fixed pre-merge, this is one we can just roll it into a followup PR.