Building RPMs using COPR

[pmtk]

Usage:

mkdir -p /tmp/microshift-srpm-copr

# Create SRPM
make srpm SRPM_WORKDIR=/tmp/microshift-srpm-copr

# Push SRPM to COPR and store the build ID in the $SRPM_WORKDIR/build.txt
make copr-create-build COPR_REPO_NAME=USER/PROJECT SRPM_WORKDIR=/tmp/microshift-srpm-copr

# Wait until build is finished
make copr-watch-build SRPM_WORKDIR=/tmp/microshift-srpm-copr

# Create a container image with the RPMs from COPR for usage in runner image
make rpm-copr SRPM_WORKDIR=/tmp/microshift-srpm-copr 

# Build runner image with builder override
make image BUILDER_IMAGE=rpm-copr-builder

Part of #71

Summary by CodeRabbit

• New Features

  • Added COPR (Cool Other Package Repository) integration for RPM builds with new build targets for creating, monitoring, and managing COPR builds.
  • New build workflows for extracting and managing RPMs from COPR-based builds.

• Chores

  • Improved build configuration flexibility by making builder image references overridable and modernizing build system infrastructure.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

This PR introduces COPR (Community Projects RPM) integration for building MicroShift RPMs. Changes include making the builder image overridable in the Makefile, creating new Containerfiles for COPR-based RPM builds and a COPR CLI image, and adding Makefile targets and shell scripts to orchestrate the COPR workflow.

Changes

Cohort / File(s)	Summary
Makefile configuration Makefile	Made BUILDER_IMAGE variable overridable (from := to ?=), added PROJECT_DIR variable, introduced RPM_BUILDER_IMAGE build-arg to image build step, and updated error messaging to reference both make rpm and make rpm-copr workflows.
Container image build-arg support packaging/microshift-runner.Containerfile	Added ARG RPM_BUILDER_IMAGE and updated builder stage to use dynamic image reference via \${RPM_BUILDER_IMAGE} instead of hardcoded localhost/microshift-okd-builder:latest.
COPR RPM builder image packaging/rpms-copr.Containerfile	New Containerfile for COPR-based RPM builds; installs copr-cli, createrepo, rpm tools, and executes bash script to download RPMs from COPR, extract source RPMs, and regenerate repository metadata.
COPR CLI image src/copr/copr-cli.Containerfile	New Containerfile based on Fedora 42 that installs copr-cli package.
COPR build orchestration src/copr/copr.mk, src/copr/create-build.sh	New Makefile with targets for COPR workflow (rpm-copr, copr-cli, copr-create-build, copr-delete-build, copr-watch-build, copr-regenerate-repos, copr-cfg-ensure-podman-secret, copr-help) and shell script to trigger COPR builds and extract build IDs.

Sequence Diagram

sequenceDiagram
    participant User
    participant Make as make rpm-copr
    participant PodmanCLI as Podman (copr-cli)
    participant PodmanImg as Podman (RPM build)
    participant COPR as COPR Service
    participant BuildScript as create-build.sh

    User->>Make: invoke rpm-copr
    Make->>Make: copr-cli target: build copr-cli image
    Make->>PodmanCLI: run copr-cli image with secret mount
    PodmanCLI->>BuildScript: execute create-build.sh
    BuildScript->>COPR: copr-cli create-build (via config)
    COPR-->>BuildScript: build ID response
    BuildScript->>BuildScript: extract & validate build ID
    BuildScript->>BuildScript: write build.txt with ID
    Make->>Make: rpm-copr target: build RPM builder image
    Make->>PodmanImg: build rpms-copr image with RPM_BUILDER_IMAGE arg
    PodmanImg->>COPR: copr download-build (using COPR_BUILD_ID)
    COPR-->>PodmanImg: RPM packages
    PodmanImg->>PodmanImg: extract & organize RPMs
    PodmanImg->>PodmanImg: regenerate repository metadata
    Make->>Make: extract RPMs from built image
    Make-->>User: rpm-copr complete

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Attention areas:
  • src/copr/copr.mk: Complex build orchestration with Podman secret management and multiple interdependent targets; verify variable defaults and target ordering
  • src/copr/create-build.sh: Bash script with strict error handling and build ID extraction logic; validate regex and error paths
  • packaging/rpms-copr.Containerfile: Multi-step RUN block with complex shell heredoc; ensure error handling and cleanup logic
  • Makefile: Verify backward compatibility of BUILDER_IMAGE change from := to ?= and that PROJECT_DIR is correctly computed

Suggested reviewers

• ggiguash
• praveenkumar

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'Building RPMs using COPR' directly and clearly describes the main change: introducing a workflow for building RPMs via Fedora COPR, which is well-supported by all the new files and modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

🧹 Nitpick comments (2)

packaging/rpms-copr.Containerfile (1)

14-14: Hardcoded chroot limits flexibility.

The epel-9 chroot is hardcoded. Consider making it configurable via an ARG for different target distributions.

Apply this diff to make the chroot configurable:

 ARG COPR_BUILD_ID=
 ARG BUILDER_RPM_REPO_PATH=/home/microshift/microshift/_output/rpmbuild/RPMS
+ARG COPR_CHROOT=epel-9
 
 # hadolint ignore=DL3003,DL4006,SC3040
 RUN <<EOT bash
     set -xeuo pipefail
-    copr download-build --rpms --chroot "epel-9-$(uname -m)" --dest /tmp/rpms ${COPR_BUILD_ID}
+    copr download-build --rpms --chroot "${COPR_CHROOT}-$(uname -m)" --dest /tmp/rpms ${COPR_BUILD_ID}
     mkdir -p /home/microshift/microshift
-    cd /tmp/rpms/"epel-9-$(uname -m)"/
+    cd /tmp/rpms/"${COPR_CHROOT}-$(uname -m)"/
     rpm2cpio microshift-*.src.rpm | cpio -idmv
     tar xf microshift-*.tar.gz -C /home/microshift/microshift --strip-components=1
     mkdir -p ${BUILDER_RPM_REPO_PATH}
-    mv /tmp/rpms/"epel-9-$(uname -m)"/*.rpm ${BUILDER_RPM_REPO_PATH}/
+    mv /tmp/rpms/"${COPR_CHROOT}-$(uname -m)"/*.rpm ${BUILDER_RPM_REPO_PATH}/
     createrepo -v ${BUILDER_RPM_REPO_PATH}
     rm -rf /tmp/rpms
 EOT

src/copr/create-build.sh (1)

4-11: Consider using JSON output format instead of parsing text.

The code parses copr-cli output with grep and cut, which is fragile if the output format changes. The copr-cli tool supports --output-format json for the build command, providing structured output that eliminates this parsing fragility.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d1cc1c5 and 551ee5d.

📒 Files selected for processing (6)

• Makefile (3 hunks)
• packaging/microshift-runner.Containerfile (1 hunks)
• packaging/rpms-copr.Containerfile (1 hunks)
• src/copr/copr-cli.Containerfile (1 hunks)
• src/copr/copr.mk (1 hunks)
• src/copr/create-build.sh (1 hunks)

🧰 Additional context used

🧠 Learnings (5)

📓 Common learnings

Learnt from: pmtk
Repo: microshift-io/microshift PR: 151
File: docs/workflows.md:74-76
Timestamp: 2025-12-04T13:35:05.230Z
Learning: The COPR group microshift-io/microshift exists at https://copr.fedorainfracloud.org/coprs/g/microshift-io/microshift/ and is used for publishing MicroShift RPM packages in the microshift-io/microshift repository.

Learnt from: ggiguash
Repo: microshift-io/microshift PR: 57
File: .github/workflows/builders.yaml:75-84
Timestamp: 2025-10-17T10:53:08.461Z
Learning: In the microshift repository, the RPM-to-Debian conversion workflow follows this pattern: `convert.sh` receives an RPM directory as input and outputs .deb files to a `deb/` subdirectory within that directory. The `install.sh` script expects to receive the parent RPM directory (not the deb subdirectory) and uses recursive `find` commands to locate the .deb files in subdirectories.

Learnt from: ggiguash
Repo: microshift-io/microshift PR: 137
File: src/quickrpm.sh:83-98
Timestamp: 2025-11-26T06:46:33.353Z
Learning: In the microshift-io/microshift repository, the quickrpm.sh script only supports RHEL 9 or above (and equivalent CentOS/Fedora versions), where util-linux includes the `--nooverlap` flag for losetup.

📚 Learning: 2025-10-17T07:44:32.742Z

Learnt from: ggiguash
Repo: microshift-io/microshift PR: 92
File: .github/workflows/release.yaml:44-50
Timestamp: 2025-10-17T07:44:32.742Z
Learning: When Podman builds an image without a registry prefix (e.g., `podman build -t microshift-okd`), it automatically adds the `localhost/` prefix and `:latest` tag, resulting in `localhost/microshift-okd:latest`. This means the Makefile in microshift-io/microshift building with `-t microshift-okd` produces `localhost/microshift-okd:latest` without explicit retagging.

Applied to files:

• packaging/microshift-runner.Containerfile
• src/copr/copr.mk
• Makefile

📚 Learning: 2025-12-04T13:35:05.230Z

Learnt from: pmtk
Repo: microshift-io/microshift PR: 151
File: docs/workflows.md:74-76
Timestamp: 2025-12-04T13:35:05.230Z
Learning: The COPR group microshift-io/microshift exists at https://copr.fedorainfracloud.org/coprs/g/microshift-io/microshift/ and is used for publishing MicroShift RPM packages in the microshift-io/microshift repository.

Applied to files:

• src/copr/create-build.sh
• packaging/rpms-copr.Containerfile
• src/copr/copr.mk
• src/copr/copr-cli.Containerfile
• Makefile

📚 Learning: 2025-10-17T10:53:08.461Z

Learnt from: ggiguash
Repo: microshift-io/microshift PR: 57
File: .github/workflows/builders.yaml:75-84
Timestamp: 2025-10-17T10:53:08.461Z
Learning: In the microshift repository, the RPM-to-Debian conversion workflow follows this pattern: `convert.sh` receives an RPM directory as input and outputs .deb files to a `deb/` subdirectory within that directory. The `install.sh` script expects to receive the parent RPM directory (not the deb subdirectory) and uses recursive `find` commands to locate the .deb files in subdirectories.

Applied to files:

• src/copr/create-build.sh
• packaging/rpms-copr.Containerfile
• src/copr/copr.mk

📚 Learning: 2025-11-26T06:46:33.353Z

Learnt from: ggiguash
Repo: microshift-io/microshift PR: 137
File: src/quickrpm.sh:83-98
Timestamp: 2025-11-26T06:46:33.353Z
Learning: In the microshift-io/microshift repository, the quickrpm.sh script only supports RHEL 9 or above (and equivalent CentOS/Fedora versions), where util-linux includes the `--nooverlap` flag for losetup.

Applied to files:

• src/copr/create-build.sh
• packaging/rpms-copr.Containerfile

🔇 Additional comments (14)

packaging/microshift-runner.Containerfile (1)

4-6: LGTM!

The ARG makes the builder image configurable while maintaining backward compatibility with the default value.

src/copr/create-build.sh (1)

1-2: LGTM!

Proper error handling with set -euo pipefail.

packaging/rpms-copr.Containerfile (1)

1-6: LGTM!

Good practices: disabling weak dependencies and cleaning DNF cache.

Makefile (4)

39-39: LGTM!

Making BUILDER_IMAGE overridable enables the COPR workflow while maintaining backward compatibility.

---

45-46: LGTM!

Standard approach for computing project directory and modular include.

---

119-120: LGTM!

Clear error message guiding users to both RPM build workflows.

---

132-132: LGTM!

Correctly propagates BUILDER_IMAGE to the container build as RPM_BUILDER_IMAGE.

src/copr/copr.mk (6)

10-34: LGTM!

Excellent documentation of the COPR workflow with clear step-by-step instructions.

---

35-51: LGTM!

Target structure mirrors the main rpm target, maintaining consistency.

---

52-58: LGTM!

Proper secret management: removes stale secret before creating new one.

---

60-66: LGTM!

Simple CLI container build.

---

67-75: LGTM!

Proper dependencies and secret handling for delete operation.

---

76-84: LGTM!

Correct implementation for repo regeneration.

src/copr/copr-cli.Containerfile (1)

1-1: No action required. Fedora 42 was released on April 15, 2025, and is available as a base image.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Validate COPR_BUILD_ID is provided.

COPR_BUILD_ID is required but has an empty default. The script should fail early if not provided.

Add validation after the ARG declarations:

 ARG COPR_BUILD_ID=
 ARG BUILDER_RPM_REPO_PATH=/home/microshift/microshift/_output/rpmbuild/RPMS
 
+RUN if [ -z "${COPR_BUILD_ID}" ]; then \
+        echo "ERROR: COPR_BUILD_ID build argument is required" >&2; \
+        exit 1; \
+    fi
+
 # hadolint ignore=DL3003,DL4006,SC3040

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In packaging/rpms-copr.Containerfile around lines 8 to 9, ARG COPR_BUILD_ID is
declared with an empty default but is required; add a validation immediately
after the ARG declarations that checks if COPR_BUILD_ID is empty and, if so,
prints a clear error message and exits non‑zero to fail the build early (e.g.,
test the variable and call exit 1). Ensure the validation runs during image
build so the Docker/Cool variant fails fast when COPR_BUILD_ID is not provided.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Validate SRPM_WORKDIR before reading build.txt.

COPR_BUILD_ID reads from ${SRPM_WORKDIR}/build.txt but SRPM_WORKDIR may not be set or the file may not exist. Targets using COPR_BUILD_ID should validate this.

Add validation to targets that use COPR_BUILD_ID:

 .PHONY: rpm-copr
 rpm-copr:
+	@if [ -z "${SRPM_WORKDIR}" ]; then \
+		echo "ERROR: SRPM_WORKDIR is not set" ; \
+		exit 1 ; \
+	fi
+	@if [ ! -f "${SRPM_WORKDIR}/build.txt" ]; then \
+		echo "ERROR: ${SRPM_WORKDIR}/build.txt not found. Run 'make copr-create-build' first" ; \
+		exit 1 ; \
+	fi
 	@echo "Building MicroShift RPM image using COPR"

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In src/copr/copr.mk around line 3, COPR_BUILD_ID is unconditionally defined by
reading "${SRPM_WORKDIR}/build.txt" which can fail if SRPM_WORKDIR is unset or
the file doesn't exist; update the Makefile so targets that use COPR_BUILD_ID
first validate SRPM_WORKDIR is set and that "${SRPM_WORKDIR}/build.txt" exists
before attempting to read it, and emit a clear make error (or skip/handle
gracefully) if validation fails; implement this by moving the file-read into a
recipe or guarded shell expression used by those targets (or by making
COPR_BUILD_ID empty by default and having targets perform a check using test -n
and test -f and failing with @echo and exit 1 when missing).

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Validate SRPM_WORKDIR in copr-create-build.

The target mounts ${SRPM_WORKDIR} but doesn't validate it's set or that the directory exists.

Add validation at the start of the target:

 .PHONY: copr-create-build
 copr-create-build: copr-cfg-ensure-podman-secret copr-cli
+	@if [ -z "${SRPM_WORKDIR}" ]; then \
+		echo "ERROR: SRPM_WORKDIR is not set" ; \
+		exit 1 ; \
+	fi
+	@if [ ! -d "${SRPM_WORKDIR}" ]; then \
+		echo "ERROR: ${SRPM_WORKDIR} directory not found" ; \
+		exit 1 ; \
+	fi
 	@echo "Creating the COPR build"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	.PHONY: copr-create-build
	copr-create-build: copr-cfg-ensure-podman-secret copr-cli
	@echo "Creating the COPR build"
	sudo podman run \
	--rm \
	--secret ${COPR_SECRET_NAME} \
	--env COPR_REPO_NAME="${COPR_REPO_NAME}" \
	--volume "${SRPM_WORKDIR}:/srpms:Z" \
	--volume "./src/copr/create-build.sh:/create-build.sh:Z" \
	"${COPR_CLI_IMAGE}" \
	bash -c "bash -x /create-build.sh"
	.PHONY: copr-create-build
	copr-create-build: copr-cfg-ensure-podman-secret copr-cli
	@if [ -z "${SRPM_WORKDIR}" ]; then \
	echo "ERROR: SRPM_WORKDIR is not set" ; \
	exit 1 ; \
	fi
	@if [ ! -d "${SRPM_WORKDIR}" ]; then \
	echo "ERROR: ${SRPM_WORKDIR} directory not found" ; \
	exit 1 ; \
	fi
	@echo "Creating the COPR build"
	sudo podman run \
	--rm \
	--secret ${COPR_SECRET_NAME} \
	--env COPR_REPO_NAME="${COPR_REPO_NAME}" \
	--volume "${SRPM_WORKDIR}:/srpms:Z" \
	--volume "./src/copr/create-build.sh:/create-build.sh:Z" \
	"${COPR_CLI_IMAGE}" \
	bash -c "bash -x /create-build.sh"

🤖 Prompt for AI Agents

In src/copr/copr.mk around lines 85 to 96, the copr-create-build target mounts
${SRPM_WORKDIR} but does not validate that SRPM_WORKDIR is set or that the
directory exists; add a validation at the start of the target that (1) verifies
the SRPM_WORKDIR variable is non-empty and (2) verifies the path exists and is a
directory, and if either check fails, print a clear error to stderr and exit the
recipe with a non-zero status so the make target aborts before running podman.
Use simple shell checks (e.g., [ -n "${SRPM_WORKDIR}" ] and [ -d
"${SRPM_WORKDIR}" ]) and ensure the error message references the variable name
and the failing condition.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Validate SRPM_WORKDIR in copr-watch-build.

The target reads ${SRPM_WORKDIR}/build.txt but doesn't validate the directory or file exists.

Add validation:

 .PHONY: copr-watch-build
 copr-watch-build: copr-cli
+	@if [ -z "${SRPM_WORKDIR}" ]; then \
+		echo "ERROR: SRPM_WORKDIR is not set" ; \
+		exit 1 ; \
+	fi
+	@if [ ! -f "${SRPM_WORKDIR}/build.txt" ]; then \
+		echo "ERROR: ${SRPM_WORKDIR}/build.txt not found. Run 'make copr-create-build' first" ; \
+		exit 1 ; \
+	fi
 	@echo "Watching the COPR build"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	.PHONY: copr-watch-build
	copr-watch-build: copr-cli
	@echo "Watching the COPR build"
	sudo podman run \
	--rm \
	--volume "${SRPM_WORKDIR}:/srpms:Z" \
	"${COPR_CLI_IMAGE}" \
	bash -c "copr-cli watch-build \$$(cat /srpms/build.txt)"
	.PHONY: copr-watch-build
	copr-watch-build: copr-cli
	@if [ -z "${SRPM_WORKDIR}" ]; then \
	echo "ERROR: SRPM_WORKDIR is not set" ; \
	exit 1 ; \
	fi
	@if [ ! -f "${SRPM_WORKDIR}/build.txt" ]; then \
	echo "ERROR: ${SRPM_WORKDIR}/build.txt not found. Run 'make copr-create-build' first" ; \
	exit 1 ; \
	fi
	@echo "Watching the COPR build"
	sudo podman run \
	--rm \
	--volume "${SRPM_WORKDIR}:/srpms:Z" \
	"${COPR_CLI_IMAGE}" \
	bash -c "copr-cli watch-build \$$(cat /srpms/build.txt)"

🤖 Prompt for AI Agents

In src/copr/copr.mk around lines 97 to 104, the copr-watch-build target uses
${SRPM_WORKDIR}/build.txt without validating that SRPM_WORKDIR exists or that
build.txt is present; add a check before running podman that SRPM_WORKDIR is a
directory and that "${SRPM_WORKDIR}/build.txt" is a readable file, printing a
clear error and exiting with non‑zero status if either check fails, then proceed
to run the podman command only when both checks pass.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Handle glob expansion failure.

If no SRPM files match microshift*.src.rpm, the command will fail with an unclear error.

Apply this diff to validate the SRPM exists:

+if ! ls /srpms/microshift*.src.rpm 1> /dev/null 2>&1; then
+    echo "ERROR: No SRPM files found matching /srpms/microshift*.src.rpm"
+    exit 1
+fi
+
 out="$(copr-cli --config /run/secrets/copr-cfg build --nowait "${COPR_REPO_NAME}" /srpms/microshift*.src.rpm)"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	out="$(copr-cli --config /run/secrets/copr-cfg build --nowait "${COPR_REPO_NAME}" /srpms/microshift*.src.rpm)"
	if ! ls /srpms/microshift*.src.rpm 1> /dev/null 2>&1; then
	echo "ERROR: No SRPM files found matching /srpms/microshift*.src.rpm"
	exit 1
	fi
	out="$(copr-cli --config /run/secrets/copr-cfg build --nowait "${COPR_REPO_NAME}" /srpms/microshift*.src.rpm)"

🤖 Prompt for AI Agents

In src/copr/create-build.sh around line 4, the copr-cli command assumes the glob
/srpms/microshift*.src.rpm expands to at least one file; if it doesn't the
command fails with an unclear error. Before invoking copr-cli, test whether any
files match that glob (e.g., capture the glob expansion into a variable or
array, check its length), and if none are found print a clear error and exit
non‑zero; otherwise pass the expanded file path(s) to copr-cli (properly
quoted/iterated to handle spaces) so the command only runs when SRPM(s) actually
exist.