From 58b23f96312c2a8122657a153a1a18933b3bd007 Mon Sep 17 00:00:00 2001 From: 1570005763 Date: Fri, 30 Jan 2026 18:23:05 +0800 Subject: [PATCH] refactor(ci): add multi-arch RPM build with SLSA provenance support - Add buildspec templates for x86_64 and aarch64 architectures - Expose rpm_name_al8 output for cross-job reference - Integrate GuanFu reproducible build system - Enable SLSA provenance generation and Rekor upload Signed-off-by: 1570005763 --- .github/workflows/build-rpm.yml | 112 ++++++++++++------ ...tpilot.al8.aarch64.buildspec.yaml.template | 58 +++++++++ ...ptpilot.al8.x86_64.buildspec.yaml.template | 58 +++++++++ 3 files changed, 194 insertions(+), 34 deletions(-) create mode 100644 rpm/alinux3/cryptpilot.al8.aarch64.buildspec.yaml.template create mode 100644 rpm/alinux3/cryptpilot.al8.x86_64.buildspec.yaml.template diff --git a/.github/workflows/build-rpm.yml b/.github/workflows/build-rpm.yml index 156c10f..8e3358c 100644 --- a/.github/workflows/build-rpm.yml +++ b/.github/workflows/build-rpm.yml @@ -13,6 +13,8 @@ on: jobs: create-tarball: runs-on: ubuntu-latest + outputs: + PRE_RELEASE: ${{ steps.check-pre-release.outputs.PRE_RELEASE }} steps: - name: Checkout repository uses: actions/checkout@v4 @@ -20,6 +22,7 @@ jobs: submodules: 'true' - name: Check pre-release + id: check-pre-release run: | tag="${GITHUB_REF#refs/*/}" echo "tag=tag" @@ -30,7 +33,7 @@ jobs: prerelease=false fi echo "prerelease=$prerelease" - echo "PRE_RELEASE=$prerelease" >> $GITHUB_ENV + echo "PRE_RELEASE=$prerelease" >> $GITHUB_OUTPUT - uses: dtolnay/rust-toolchain@1.82.0 @@ -56,6 +59,8 @@ jobs: runner: ubuntu-24.04-arm runs-on: ${{ matrix.runner }} needs: create-tarball + outputs: + rpm_name_al8: ${{ steps.extract-rpm-name.outputs.rpm_name_al8 }} steps: - name: Checkout repository uses: actions/checkout@v4 
@@ -66,23 +71,60 @@ jobs: uses: actions/download-artifact@v4 with: name: source-tarball - path: /tmp/ + path: ./ - - name: Build RPM package + - name: Prepare Alinux3 buildspec and export version info + id: extract-rpm-name run: | - make rpm-build-in-docker - mkdir -p $GITHUB_WORKSPACE/rpmbuild - cp -r ~/rpmbuild/SRPMS/ $GITHUB_WORKSPACE/rpmbuild/ - cp -r ~/rpmbuild/RPMS/ $GITHUB_WORKSPACE/rpmbuild/ + GITHUB_RELEASE="${{ github.ref_name || 'no_tag' }}" + VERSION=$(grep -m1 '^Version:' cryptpilot.spec | awk '{print $2}') + RELEASE=$(grep -m1 '^%define release_num' cryptpilot.spec | awk '{print $3}') + + echo "Using GITHUB_RELEASE: $GITHUB_RELEASE" + echo "Using VERSION: $VERSION" + echo "Using RELEASE: $RELEASE" + + # Create buildspec for release + export GITHUB_RELEASE VERSION RELEASE + envsubst '$GITHUB_RELEASE $VERSION $RELEASE' \ + < rpm/alinux3/cryptpilot.al8.${{ matrix.arch }}.buildspec.yaml.template \ + > ./cryptpilot-${VERSION}-${RELEASE}.al8.${{ matrix.arch }}.buildspec.yaml + + # Copy buildspec for local build + # Install yq + YQ_ARCH=${{ matrix.arch == 'aarch64' && 'arm64' || 'amd64' }} + sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_${YQ_ARCH} + sudo chmod +x /usr/local/bin/yq + + cp ./cryptpilot-${VERSION}-${RELEASE}.al8.${{ matrix.arch }}.buildspec.yaml rpm/alinux3/cryptpilot.al8.${{ matrix.arch }}.buildspec.yaml + # Replace URL with local path for local build + yq -i ".inputs.vendored-source.url = \"file://${GITHUB_WORKSPACE}/cryptpilot-${VERSION}-vendored-source.tar.gz\"" rpm/alinux3/cryptpilot.al8.${{ matrix.arch }}.buildspec.yaml + + # Export rpm_name for use in other steps and jobs + echo "rpm_name_al8=cryptpilot-${VERSION}-${RELEASE}.al8" >> $GITHUB_OUTPUT + + - name: Upload build input artifact + uses: actions/upload-artifact@v4 + with: + name: build-input-${{ matrix.arch }} + if-no-files-found: error + path: | + ./cryptpilot-*-vendored-source.tar.gz + ./cryptpilot-*.al8.${{ matrix.arch 
}}.buildspec.yaml - - name: Upload artifact + - name: Build RPM package + uses: 1570005763/GuanFu@v1 + with: + spec_path: rpm/alinux3/cryptpilot.al8.${{ matrix.arch }}.buildspec.yaml + + - name: Upload build output artifact uses: actions/upload-artifact@v4 with: - name: rpm-packages-${{ matrix.arch }} + name: build-output-${{ matrix.arch }} if-no-files-found: error path: | - ./rpmbuild/SRPMS/*.src.rpm - ./rpmbuild/RPMS/*/*.rpm + /tmp/rpmbuild/SRPMS/cryptpilot-*.al8.src.rpm + /tmp/rpmbuild/RPMS/${{ matrix.arch }}/cryptpilot-*.al8.${{ matrix.arch }}.rpm test: strategy: @@ -118,7 +160,7 @@ jobs: - name: Download artifacts uses: actions/download-artifact@v4 with: - name: rpm-packages-${{ matrix.arch }} + name: build-output-${{ matrix.arch }} path: ./rpm-packages/ merge-multiple: false 
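Review bot: `GITHUB_RELEASE="${{ github.ref_name || 'no_tag' }}"` in the new "Prepare Alinux3 buildspec" step expands the ref name into the script text before bash parses it, so a branch or tag name containing `"` or `;` becomes command injection on this runner (the `${{ matrix.arch }}` expansions are workflow-controlled and fine). Move the value into the step's `env:` map — `env:` / `GITHUB_RELEASE: ${{ github.ref_name || 'no_tag' }}` — and drop the shell assignment, so it only ever reaches the script as an environment variable. In the same step `sudo wget -qO /usr/local/bin/yq .../releases/latest/download/yq_linux_${YQ_ARCH}` installs whatever yq is latest at run time, unverified, and that binary then rewrites the buildspec that is both built from and published as the `build-input-*` artifact; pin a release version and check the download against its published checksum before `chmod +x`. `uses: 1570005763/GuanFu@v1` should likewise be pinned to a full commit SHA rather than a mutable tag, since it performs the build that the SLSA provenance attests. The comment `# Copy buildspec for local build` sits above the yq install rather than the `cp` it describes; moving it down to that line reads better.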
@@ -135,25 +177,27 @@ jobs: release: if: startsWith(github.ref, 'refs/tags/') - runs-on: ubuntu-latest - needs: test - steps: - - name: Download all artifacts - uses: actions/download-artifact@v4 - with: - path: ./artifacts/ - merge-multiple: false - - - name: Reorganize artifacts - run: | - mkdir -p ./release-packages/ - # Copy tarball from source-tarball artifact - find ./artifacts/source-tarball/ -type f -name '*.tar.gz' -exec cp {} ./release-packages/ \; - # Copy RPMs from architecture-specific artifacts - find ./artifacts/rpm-packages-*/ -type f -name '*.rpm' -exec cp {} ./release-packages/ \; - - name: Release - uses: softprops/action-gh-release@v2 - with: - fail_on_unmatched_files: true - prerelease: ${{ env.PRE_RELEASE }} - files: ./release-packages/* + needs: + - create-tarball + - build + - test + strategy: + max-parallel: 1 + matrix: + include: + - arch: x86_64 + - arch: aarch64 + permissions: + actions: read + contents: write + id-token: write + uses: 1570005763/GuanFu/.github/workflows/release.yml@v1 + with: + input_artifact: build-input-${{ matrix.arch }} + output_artifact: build-output-${{ matrix.arch }} + release_slsa_provenance: true + provenance_name: "${{ needs.build.outputs.rpm_name_al8 }}.${{ matrix.arch }}.intoto.jsonl" + rpm_detail_provenance: true + upload_provenance_to_rekor: true + release_tag_name: "${{ github.ref_name }}" + prerelease: ${{ needs.create-tarball.outputs.PRE_RELEASE == 'true' }} \ No newline at end of file diff --git a/rpm/alinux3/cryptpilot.al8.aarch64.buildspec.yaml.template b/rpm/alinux3/cryptpilot.al8.aarch64.buildspec.yaml.template new file mode 100644 index 0000000..bcfb52c --- /dev/null +++ b/rpm/alinux3/cryptpilot.al8.aarch64.buildspec.yaml.template 
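Review bot: The rewritten `release` job grants `contents: write` and `id-token: write` to a third-party reusable workflow pinned only to a mutable tag (`uses: 1570005763/GuanFu/.github/workflows/release.yml@v1`), so whoever can move that tag controls what signs and publishes this project's releases and what identity the OIDC token is minted for. Pin it to a full commit SHA with the version kept as a trailing comment, e.g. `uses: 1570005763/GuanFu/.github/workflows/release.yml@<full-commit-sha>  # v1`, and do the same for the `GuanFu@v1` step in `build`. `needs.build.outputs.rpm_name_al8` comes from a matrix job, so it holds whichever arch leg wrote last; that is harmless only because the value carries no arch, and a comment on the `outputs:` line in `build` saying so would save the next maintainer a surprise. The file also now ends without a trailing newline (`\ No newline at end of file`).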
@@ -0,0 +1,58 @@ +version: 1 + +container: + image: "alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3@sha256:b58b364f952c99f5caa21e24172b1e2786328c4d0f2816b326b227654b623fe3" + +inputs: + vendored-source: + url: "https://github.com/openanolis/cryptpilot/releases/download/${GITHUB_RELEASE}/cryptpilot-${VERSION}-vendored-source.tar.gz" + targetPath: "/tmp/cryptpilot-${VERSION}-vendored-source.tar.gz" + +environment: + systemPackages: + - name: "tar" + version: "2:1.30-11.0.1.al8" + - name: "cmake" + version: "3.26.5-2.0.2.al8" + - name: "rpm-build" + version: "4.14.3-32.0.1.1.al8" + - name: "cryptsetup-devel" + version: "2.3.7-7.0.1.al8" + - name: "device-mapper-devel" + version: "8:1.02.181-15.0.1.al8" + - name: "perl-IPC-Cmd" + version: "2:1.02-1.1.al8" + - name: "protobuf-compiler" + version: "3.5.0-15.al8" + - name: "fuse3-devel" + version: "3.3.0-19.1.al8" + + tools: + - name: "clang" + version: "15.0.7-1.0.3.al8" + - name: "clang-libs" + version: "15.0.7-1.0.3.al8" + +phases: + prepare: + commands: + - mkdir -p /tmp/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS} + - cp "/tmp/cryptpilot-${VERSION}-vendored-source.tar.gz" /tmp/rpmbuild/SOURCES/ + - tar -xzf /tmp/cryptpilot-${VERSION}-vendored-source.tar.gz -C /tmp/rpmbuild/SPECS --strip-components=2 cryptpilot-${VERSION}/src/cryptpilot.spec + # Prepare rust-1.91.1 toolchain + - curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --no-modify-path --default-toolchain none + - echo '. 
"$HOME/.cargo/env"' >> ~/.bashrc + - rustup toolchain install 1.91.1 --profile minimal --component rustc,cargo + - rustup default 1.91.1 + # Change yum source from Anolis to Alinux + - sed -i -E 's|https?://mirrors.cloud.aliyuncs.com/|https://mirrors.aliyun.com/|g' /etc/yum.repos.d/*.repo + build: + commands: + - rpmbuild --define "_topdir /tmp/rpmbuild" -ba /tmp/rpmbuild/SPECS/cryptpilot.spec --define 'with_rustup 1' + +outputs: + - path: /tmp/rpmbuild/SRPMS/cryptpilot-${VERSION}-${RELEASE}.al8.src.rpm + - path: /tmp/rpmbuild/RPMS/aarch64/cryptpilot-${VERSION}-${RELEASE}.al8.aarch64.rpm + - path: /tmp/rpmbuild/RPMS/aarch64/cryptpilot-crypt-${VERSION}-${RELEASE}.al8.aarch64.rpm + - path: /tmp/rpmbuild/RPMS/aarch64/cryptpilot-fde-${VERSION}-${RELEASE}.al8.aarch64.rpm + - path: /tmp/rpmbuild/RPMS/aarch64/cryptpilot-verity-${VERSION}-${RELEASE}.al8.aarch64.rpm diff --git a/rpm/alinux3/cryptpilot.al8.x86_64.buildspec.yaml.template b/rpm/alinux3/cryptpilot.al8.x86_64.buildspec.yaml.template new file mode 100644 index 0000000..d8c53ff --- /dev/null +++ b/rpm/alinux3/cryptpilot.al8.x86_64.buildspec.yaml.template 
@@ -0,0 +1,58 @@ +version: 1 + +container: + image: "alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3@sha256:6e12168b7ec59a0bea10d0884e6be48e1e3bd49518084841239a5b7c48a61860" + +inputs: + vendored-source: + url: "https://github.com/openanolis/cryptpilot/releases/download/${GITHUB_RELEASE}/cryptpilot-${VERSION}-vendored-source.tar.gz" + targetPath: "/tmp/cryptpilot-${VERSION}-vendored-source.tar.gz" + +environment: + systemPackages: + - name: "tar" + version: "2:1.30-11.0.1.al8" + - name: "cmake" + version: "3.26.5-2.0.2.al8" + - name: "rpm-build" + version: "4.14.3-32.0.1.1.al8" + - name: "cryptsetup-devel" + version: "2.3.7-7.0.1.al8" + - name: "device-mapper-devel" + version: "8:1.02.181-15.0.1.al8" + - name: "perl-IPC-Cmd" + version: "2:1.02-1.1.al8" + - name: "protobuf-compiler" + version: "3.5.0-15.al8" + - name: "fuse3-devel" + version: "3.3.0-19.1.al8" + + tools: + - name: "clang" + version: "15.0.7-1.0.3.al8" + - name: "clang-libs" + version: "15.0.7-1.0.3.al8" + +phases: + prepare: + commands: + - mkdir -p /tmp/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS} + - cp "/tmp/cryptpilot-${VERSION}-vendored-source.tar.gz" /tmp/rpmbuild/SOURCES/ + - tar -xzf /tmp/cryptpilot-${VERSION}-vendored-source.tar.gz -C /tmp/rpmbuild/SPECS --strip-components=2 cryptpilot-${VERSION}/src/cryptpilot.spec + # Prepare rust-1.91.1 toolchain + - curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --no-modify-path --default-toolchain none + - echo '. 
"$HOME/.cargo/env"' >> ~/.bashrc + - rustup toolchain install 1.91.1 --profile minimal --component rustc,cargo + - rustup default 1.91.1 + # Change yum source from Anolis to Alinux + - sed -i -E 's|https?://mirrors.cloud.aliyuncs.com/|https://mirrors.aliyun.com/|g' /etc/yum.repos.d/*.repo + build: + commands: + - rpmbuild --define "_topdir /tmp/rpmbuild" -ba /tmp/rpmbuild/SPECS/cryptpilot.spec --define 'with_rustup 1' + +outputs: + - path: /tmp/rpmbuild/SRPMS/cryptpilot-${VERSION}-${RELEASE}.al8.src.rpm + - path: /tmp/rpmbuild/RPMS/x86_64/cryptpilot-${VERSION}-${RELEASE}.al8.x86_64.rpm + - path: /tmp/rpmbuild/RPMS/x86_64/cryptpilot-crypt-${VERSION}-${RELEASE}.al8.x86_64.rpm + - path: /tmp/rpmbuild/RPMS/x86_64/cryptpilot-fde-${VERSION}-${RELEASE}.al8.x86_64.rpm + - path: /tmp/rpmbuild/RPMS/x86_64/cryptpilot-verity-${VERSION}-${RELEASE}.al8.x86_64.rpm