packit: Add COPR build job for PRs #78

Merged
jlebon merged 2 commits into main from issue-59-packit-copr
Mar 4, 2026

@jlebon jlebon commented Mar 4, 2026

Add a copr_build job to build RPMs in COPR on every PR for
early packaging feedback. The create-archive action calls
tools/create-archives.sh, a new shared script that generates source
and vendor tarballs from the current tree. release.py is updated to
use the same script, deduplicating the archive creation logic.

Closes: #59
Assisted-by: Claude Opus 4.6

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request adds a COPR build job for pull requests, which is a great addition for getting early packaging feedback. However, it introduces a potential command injection vulnerability in the .packit.yaml configuration. The fix-spec-file action uses sed with environment variables that can be influenced by a pull request author, potentially allowing an attacker to inject malicious sed commands and execute arbitrary code in the Packit build environment. Additionally, while the refactoring to deduplicate archive creation into tools/create-archives.sh improves maintainability, the new script could be made more robust by adding argument validation.

Comment thread .packit.yaml
Comment thread tools/create-archives.sh
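
A hardened form of the pattern the review comment describes (a value that a PR author can influence being interpolated into a `sed` script), as an added example that is neither the project's `.packit.yaml` nor the bot's suggested fix. The function names are hypothetical, and the allow-list is an assumption modelled on the characters RPM accepts in a `Version` tag.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the allow-list is an
# assumption modelled on the characters RPM accepts in a Version tag.

# Succeeds only if $1 is non-empty and made solely of allow-listed characters.
# Anything sed would treat as syntax (/ & \ newline ;) fails the check.
is_safe_field() {
    case "$1" in
        ''|*[!A-Za-z0-9._+~^]*) return 1 ;;
    esac
    return 0
}

# set_spec_field FILE TAG VALUE
# Rewrites the "TAG: ..." line of FILE. The unsafe pattern is interpolating an
# unchecked variable into the sed script; here VALUE is validated first.
set_spec_field() {
    file=$1 tag=$2 value=$3
    case "$tag" in
        Version|Release) ;;
        *) echo "unsupported tag: $tag" >&2; return 2 ;;
    esac
    if ! is_safe_field "$value"; then
        echo "refusing unsafe value for $tag" >&2
        return 1
    fi
    tmp=$(mktemp) || return 3
    if sed "s/^${tag}:.*/${tag}: ${value}/" "$file" >"$tmp"; then
        cat "$tmp" >"$file"; rc=$?
    else
        rc=4
    fi
    rm -f "$tmp"
    return "$rc"
}

# Demo on a constructed spec file.
demo_spec=$(mktemp)
printf 'Name: demo\nVersion: 0\nRelease: 1\n' >"$demo_spec"
set_spec_field "$demo_spec" Version "1.2.3~rc1" && grep '^Version:' "$demo_spec"
set_spec_field "$demo_spec" Version '1.0/g' || echo "rejected as expected"
rm -f "$demo_spec"
```

Because the check runs before `sed` is invoked, a rejected value leaves the spec file untouched and the action exits non-zero, which fails the build instead of silently continuing.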
jlebon added 2 commits March 4, 2026 16:49
The canonical repo now lives in the coreos org.

Assisted-by: Claude Opus 4.6

Add a `copr_build` job to build RPMs in COPR on every PR for
early packaging feedback. The create-archive action calls
`tools/create-archives.sh`, a new shared script that generates source
and vendor tarballs from the current tree. `release.py` is updated to
use the same script, deduplicating the archive creation logic.

While we're here, tweak the vendor-filterer invocation to match bootc
(add `--tier 2` and use `*-unknown-linux-gnu` glob).

Closes: #59
Assisted-by: Claude Opus 4.6
@jlebon jlebon force-pushed the issue-59-packit-copr branch from 69abbee to 3813ff8 Compare March 4, 2026 22:01
@jlebon jlebon enabled auto-merge (rebase) March 4, 2026 22:07
@jlebon jlebon merged commit ffecd68 into main Mar 4, 2026
10 checks passed
@jlebon jlebon deleted the issue-59-packit-copr branch March 4, 2026 22:09
Development

Successfully merging this pull request may close these issues.

Hook up Packit COPR builds to CI

1 participant