refactor(ci): add multi-arch RPM build with SLSA provenance support

.github/workflows/build-rpm.yml

@@ -13,13 +13,16 @@ on:
 jobs:
   create-tarball:
     runs-on: ubuntu-latest
+    outputs:
+      PRE_RELEASE: ${{ steps.check-pre-release.outputs.PRE_RELEASE }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
           submodules: 'true'
 
       - name: Check pre-release
+        id: check-pre-release
         run: |
           tag="${GITHUB_REF#refs/*/}"
           echo "tag=tag"
@@ -30,7 +33,7 @@ jobs:
               prerelease=false
           fi
           echo "prerelease=$prerelease"
-          echo "PRE_RELEASE=$prerelease" >> $GITHUB_ENV
+          echo "PRE_RELEASE=$prerelease" >> $GITHUB_OUTPUT
 
       - uses: dtolnay/rust-toolchain@1.82.0
 
@@ -56,6 +59,8 @@ jobs:
             runner: ubuntu-24.04-arm
     runs-on: ${{ matrix.runner }}
     needs: create-tarball
+    outputs:
+      rpm_name_al8: ${{ steps.extract-rpm-name.outputs.rpm_name_al8 }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -66,23 +71,60 @@ jobs:
         uses: actions/download-artifact@v4
         with:
           name: source-tarball
-          path: /tmp/
+          path: ./
 
-      - name: Build RPM package
+      - name: Prepare Alinux3 buildspec and export version info
+        id: extract-rpm-name
         run: |
-          make rpm-build-in-docker
-          mkdir -p $GITHUB_WORKSPACE/rpmbuild
-          cp -r ~/rpmbuild/SRPMS/ $GITHUB_WORKSPACE/rpmbuild/
-          cp -r ~/rpmbuild/RPMS/ $GITHUB_WORKSPACE/rpmbuild/
+          GITHUB_RELEASE="${{ github.ref_name || 'no_tag' }}"
+          VERSION=$(grep -m1 '^Version:' cryptpilot.spec | awk '{print $2}')
+          RELEASE=$(grep -m1 '^%define release_num' cryptpilot.spec | awk '{print $3}')
+
+          echo "Using GITHUB_RELEASE: $GITHUB_RELEASE"
+          echo "Using VERSION: $VERSION"
+          echo "Using RELEASE: $RELEASE"
+
+          # Create buildspec for release
+          export GITHUB_RELEASE VERSION RELEASE
+          envsubst '$GITHUB_RELEASE $VERSION $RELEASE' \
+            < rpm/alinux3/cryptpilot.al8.${{ matrix.arch }}.buildspec.yaml.template \
+            > ./cryptpilot-${VERSION}-${RELEASE}.al8.${{ matrix.arch }}.buildspec.yaml
+
+          # Copy buildspec for local build
+          # Install yq
+          YQ_ARCH=${{ matrix.arch == 'aarch64' && 'arm64' || 'amd64' }}
+          sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_${YQ_ARCH}
+          sudo chmod +x /usr/local/bin/yq
+
+          cp ./cryptpilot-${VERSION}-${RELEASE}.al8.${{ matrix.arch }}.buildspec.yaml rpm/alinux3/cryptpilot.al8.${{ matrix.arch }}.buildspec.yaml
+          # Replace URL with local path for local build
+          yq -i ".inputs.vendored-source.url = \"file://${GITHUB_WORKSPACE}/cryptpilot-${VERSION}-vendored-source.tar.gz\"" rpm/alinux3/cryptpilot.al8.${{ matrix.arch }}.buildspec.yaml
+
+          # Export rpm_name for use in other steps and jobs
+          echo "rpm_name_al8=cryptpilot-${VERSION}-${RELEASE}.al8" >> $GITHUB_OUTPUT
+
+      - name: Upload build input artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: build-input-${{ matrix.arch }}
+          if-no-files-found: error
+          path: |
+            ./cryptpilot-*-vendored-source.tar.gz
+            ./cryptpilot-*.al8.${{ matrix.arch }}.buildspec.yaml
 
-      - name: Upload artifact
+      - name: Build RPM package
+        uses: 1570005763/GuanFu@v1
+        with:
+          spec_path: rpm/alinux3/cryptpilot.al8.${{ matrix.arch }}.buildspec.yaml
+
+      - name: Upload build output artifact
         uses: actions/upload-artifact@v4
         with:
-          name: rpm-packages-${{ matrix.arch }}
+          name: build-output-${{ matrix.arch }}
           if-no-files-found: error
           path: |
-            ./rpmbuild/SRPMS/*.src.rpm
-            ./rpmbuild/RPMS/*/*.rpm
+            /tmp/rpmbuild/SRPMS/cryptpilot-*.al8.src.rpm
+            /tmp/rpmbuild/RPMS/${{ matrix.arch }}/cryptpilot-*.al8.${{ matrix.arch }}.rpm
 
   test:
     strategy:
@@ -118,7 +160,7 @@ jobs:
       - name: Download artifacts
         uses: actions/download-artifact@v4
         with:
-          name: rpm-packages-${{ matrix.arch }}
+          name: build-output-${{ matrix.arch }}
           path: ./rpm-packages/
           merge-multiple: false
 
@@ -135,25 +177,27 @@ jobs:
 
   release:
     if: startsWith(github.ref, 'refs/tags/')
-    runs-on: ubuntu-latest
-    needs: test
-    steps:
-      - name: Download all artifacts
-        uses: actions/download-artifact@v4
-        with:
-          path: ./artifacts/
-          merge-multiple: false
-
-      - name: Reorganize artifacts
-        run: |
-          mkdir -p ./release-packages/
-          # Copy tarball from source-tarball artifact
-          find ./artifacts/source-tarball/ -type f -name '*.tar.gz' -exec cp {} ./release-packages/ \;
-          # Copy RPMs from architecture-specific artifacts
-          find ./artifacts/rpm-packages-*/ -type f -name '*.rpm' -exec cp {} ./release-packages/ \;
-      - name: Release
-        uses: softprops/action-gh-release@v2
-        with:
-          fail_on_unmatched_files: true
-          prerelease: ${{ env.PRE_RELEASE }}
-          files: ./release-packages/*
+    needs:
+      - create-tarball
+      - build
+      - test
+    strategy:
+      max-parallel: 1
+      matrix:
+        include:
+          - arch: x86_64
+          - arch: aarch64
+    permissions:
+      actions: read
+      contents: write
+      id-token: write
+    uses: 1570005763/GuanFu/.github/workflows/release.yml@v1
+    with:
+      input_artifact: build-input-${{ matrix.arch }}
+      output_artifact: build-output-${{ matrix.arch }}
+      release_slsa_provenance: true
+      provenance_name: "${{ needs.build.outputs.rpm_name_al8 }}.${{ matrix.arch }}.intoto.jsonl"
+      rpm_detail_provenance: true
+      upload_provenance_to_rekor: true
+      release_tag_name: "${{ github.ref_name }}"
+      prerelease: ${{ needs.create-tarball.outputs.PRE_RELEASE == 'true' }}

rpm/alinux3/cryptpilot.al8.aarch64.buildspec.yaml.template

@@ -0,0 +1,58 @@
+version: 1
+
+container:
+  image: "alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3@sha256:b58b364f952c99f5caa21e24172b1e2786328c4d0f2816b326b227654b623fe3"
+
+inputs:
+  vendored-source:
+    url: "https://github.com/openanolis/cryptpilot/releases/download/${GITHUB_RELEASE}/cryptpilot-${VERSION}-vendored-source.tar.gz"
+    targetPath: "/tmp/cryptpilot-${VERSION}-vendored-source.tar.gz"
+
+environment:
+  systemPackages:
+    - name: "tar"
+      version: "2:1.30-11.0.1.al8"
+    - name: "cmake"
+      version: "3.26.5-2.0.2.al8"
+    - name: "rpm-build"
+      version: "4.14.3-32.0.1.1.al8"
+    - name: "cryptsetup-devel"
+      version: "2.3.7-7.0.1.al8"
+    - name: "device-mapper-devel"
+      version: "8:1.02.181-15.0.1.al8"
+    - name: "perl-IPC-Cmd"
+      version: "2:1.02-1.1.al8"
+    - name: "protobuf-compiler"
+      version: "3.5.0-15.al8"
+    - name: "fuse3-devel"
+      version: "3.3.0-19.1.al8"
+
+  tools:
+    - name: "clang"
+      version: "15.0.7-1.0.3.al8"
+    - name: "clang-libs"
+      version: "15.0.7-1.0.3.al8"
+
+phases:
+  prepare:
+    commands:
+      - mkdir -p /tmp/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
+      - cp "/tmp/cryptpilot-${VERSION}-vendored-source.tar.gz" /tmp/rpmbuild/SOURCES/
+      - tar -xzf /tmp/cryptpilot-${VERSION}-vendored-source.tar.gz -C /tmp/rpmbuild/SPECS --strip-components=2 cryptpilot-${VERSION}/src/cryptpilot.spec
+      # Prepare rust-1.91.1 toolchain
+      - curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --no-modify-path --default-toolchain none
+      - echo '. "$HOME/.cargo/env"' >> ~/.bashrc
+      - rustup toolchain install 1.91.1 --profile minimal --component rustc,cargo
+      - rustup default 1.91.1
+      # Change yum source from Anolis to Alinux
+      - sed -i -E 's|https?://mirrors.cloud.aliyuncs.com/|https://mirrors.aliyun.com/|g' /etc/yum.repos.d/*.repo
+  build:
+    commands:
+      - rpmbuild --define "_topdir /tmp/rpmbuild" -ba /tmp/rpmbuild/SPECS/cryptpilot.spec --define 'with_rustup 1'
+
+outputs:
+  - path: /tmp/rpmbuild/SRPMS/cryptpilot-${VERSION}-${RELEASE}.al8.src.rpm
+  - path: /tmp/rpmbuild/RPMS/aarch64/cryptpilot-${VERSION}-${RELEASE}.al8.aarch64.rpm
+  - path: /tmp/rpmbuild/RPMS/aarch64/cryptpilot-crypt-${VERSION}-${RELEASE}.al8.aarch64.rpm
+  - path: /tmp/rpmbuild/RPMS/aarch64/cryptpilot-fde-${VERSION}-${RELEASE}.al8.aarch64.rpm
+  - path: /tmp/rpmbuild/RPMS/aarch64/cryptpilot-verity-${VERSION}-${RELEASE}.al8.aarch64.rpm

rpm/alinux3/cryptpilot.al8.x86_64.buildspec.yaml.template

@@ -0,0 +1,58 @@
+version: 1
+
+container:
+  image: "alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3@sha256:6e12168b7ec59a0bea10d0884e6be48e1e3bd49518084841239a5b7c48a61860"
+
+inputs:
+  vendored-source:
+    url: "https://github.com/openanolis/cryptpilot/releases/download/${GITHUB_RELEASE}/cryptpilot-${VERSION}-vendored-source.tar.gz"
+    targetPath: "/tmp/cryptpilot-${VERSION}-vendored-source.tar.gz"
+
+environment:
+  systemPackages:
+    - name: "tar"
+      version: "2:1.30-11.0.1.al8"
+    - name: "cmake"
+      version: "3.26.5-2.0.2.al8"
+    - name: "rpm-build"
+      version: "4.14.3-32.0.1.1.al8"
+    - name: "cryptsetup-devel"
+      version: "2.3.7-7.0.1.al8"
+    - name: "device-mapper-devel"
+      version: "8:1.02.181-15.0.1.al8"
+    - name: "perl-IPC-Cmd"
+      version: "2:1.02-1.1.al8"
+    - name: "protobuf-compiler"
+      version: "3.5.0-15.al8"
+    - name: "fuse3-devel"
+      version: "3.3.0-19.1.al8"
+
+  tools:
+    - name: "clang"
+      version: "15.0.7-1.0.3.al8"
+    - name: "clang-libs"
+      version: "15.0.7-1.0.3.al8"
+
+phases:
+  prepare:
+    commands:
+      - mkdir -p /tmp/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
+      - cp "/tmp/cryptpilot-${VERSION}-vendored-source.tar.gz" /tmp/rpmbuild/SOURCES/
+      - tar -xzf /tmp/cryptpilot-${VERSION}-vendored-source.tar.gz -C /tmp/rpmbuild/SPECS --strip-components=2 cryptpilot-${VERSION}/src/cryptpilot.spec
+      # Prepare rust-1.91.1 toolchain
+      - curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --no-modify-path --default-toolchain none
+      - echo '. "$HOME/.cargo/env"' >> ~/.bashrc
+      - rustup toolchain install 1.91.1 --profile minimal --component rustc,cargo
+      - rustup default 1.91.1
+      # Change yum source from Anolis to Alinux
+      - sed -i -E 's|https?://mirrors.cloud.aliyuncs.com/|https://mirrors.aliyun.com/|g' /etc/yum.repos.d/*.repo
+  build:
+    commands:
+      - rpmbuild --define "_topdir /tmp/rpmbuild" -ba /tmp/rpmbuild/SPECS/cryptpilot.spec --define 'with_rustup 1'
+
+outputs:
+  - path: /tmp/rpmbuild/SRPMS/cryptpilot-${VERSION}-${RELEASE}.al8.src.rpm
+  - path: /tmp/rpmbuild/RPMS/x86_64/cryptpilot-${VERSION}-${RELEASE}.al8.x86_64.rpm
+  - path: /tmp/rpmbuild/RPMS/x86_64/cryptpilot-crypt-${VERSION}-${RELEASE}.al8.x86_64.rpm
+  - path: /tmp/rpmbuild/RPMS/x86_64/cryptpilot-fde-${VERSION}-${RELEASE}.al8.x86_64.rpm
+  - path: /tmp/rpmbuild/RPMS/x86_64/cryptpilot-verity-${VERSION}-${RELEASE}.al8.x86_64.rpm