CI: add tagged release workflow

Upon pushing a tag with the name "v*", this workflow will now:
 1. build and execute all tests for both make and cmake
 2. run all static analysis and formatting checks
Assuming successful execution of the above:
 3. build RPMs for fedora, el, suse for both x86_64 and ppc64le
 4. build a static binaries for x86_64 and ppc64le
Assuming successful execution of the above:
 5. generate a new release in GitHub, and attach all the build artifacts

New build targets can be added to the build matrix in the release.yml
workflow, though some additional work may be needed to support a new
distro target (e.g. adding debian-based distros will need their own
build script)

Signed-off-by: Eric Richter <[email protected]>

.github/workflows/release.yml

@@ -0,0 +1,99 @@
+name: Generate Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: write
+
+jobs:
+  tests:
+    uses: ./.github/workflows/build_test.yml
+
+  static:
+    uses: ./.github/workflows/format_static.yml
+
+  rpmbuild:
+    runs-on: ubuntu-latest
+    needs: ["tests", "static"]
+    strategy:
+      fail-fast: false
+      matrix:
+        arch: ["x86_64", "ppc64le"]
+        image:
+          - "almalinux:8"
+          - "almalinux:9"
+          - "fedora:37"
+          - "fedora:38"
+          - "fedora:rawhide"
+          - "opensuse/leap:15"
+          - "opensuse/tumbleweed:latest"
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: 'recursive'
+
+      - name: prepare qemu
+        uses: docker/setup-qemu-action@v2
+        with:
+          platforms: "${{ matrix.arch }}"
+
+      - run: echo IMAGE_NAME=$(echo ${{ matrix.image }} | sed "s/:/_/g")-${{ matrix.arch }} >> $GITHUB_ENV
+
+      - name: build docker image
+        run: docker build -t ${IMAGE_NAME} --platform linux/${{ matrix.arch }} --build-arg="BUILD_IMAGE=${{ matrix.image }}" -f ci/Dockerfile .
+
+      - name: run docker build
+        run: docker run -t --platform linux/${{ matrix.arch }} -v $(pwd):/build ${IMAGE_NAME} bash -c "cd build && ci/build-rpm.sh"
+
+      - name: upload rpms
+        uses: actions/upload-artifact@v3
+        with:
+          name: ${{ matrix.arch }}
+          path: rpms/*
+
+  staticbuild:
+    runs-on: ubuntu-latest
+    needs: ["tests", "static"]
+    strategy:
+      fail-fast: true
+      matrix:
+        arch: ["x86_64", "ppc64le"]
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: 'recursive'
+
+      - uses: docker/setup-qemu-action@v2
+        with:
+          platforms: "${{ matrix.arch }}"
+
+      - name: build docker image
+        run: docker build -t alpine-${{ matrix.arch }} --platform linux/${{ matrix.arch }} -f ci/Dockerfile.alpine .
+
+      - name: run docker build
+        run: docker run -t --platform linux/${{ matrix.arch }} -v $(pwd):/build -e ARCH=${{ matrix.arch }} alpine-${{ matrix.arch }} bash -c "cd build && ci/build-static.sh"
+
+      - name: upload rpms
+        uses: actions/upload-artifact@v3
+        with:
+          name: static
+          path: secvarctl.${{ matrix.arch }}
+
+  release:
+    runs-on: ubuntu-latest
+    needs: ["rpmbuild", "staticbuild"]
+    steps:
+      - name: download rpms
+        uses: actions/download-artifact@v3
+
+      - name: generate release
+        uses: softprops/action-gh-release@v1
+        with:
+          prerelease: ${{ contains(github.ref_name, '-') }}
+          files: |
+            */*.rpm
+            static/*

ci/Dockerfile

@@ -0,0 +1,12 @@
+ARG BUILD_IMAGE
+FROM ${BUILD_IMAGE}
+ARG BUILD_IMAGE
+ARG RPMS="cmake openssl openssl-devel gcc rpm-build"
+
+# Ensure BUILD_IMAGE is set, fail the container build otherwise
+RUN if [[ -z "${BUILD_IMAGE}" ]]; then exit 1; fi
+
+# Install the dependencies for the given image
+RUN if [[ "${BUILD_IMAGE}" == *"fedora"* ]]; then dnf install -y ${RPMS}; fi
+RUN if [[ "${BUILD_IMAGE}" == *"almalinux"* ]]; then yum install -y ${RPMS}; fi
+RUN if [[ "${BUILD_IMAGE}" == *"opensuse"* ]]; then zypper install -y ${RPMS}; fi

ci/Dockerfile.alpine

@@ -0,0 +1,2 @@
+FROM alpine:latest
+RUN apk add gcc make libc-dev openssl-dev openssl-libs-static argp-standalone bash

ci/build-rpm.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+
+RPMBUILD_ROOT=$(rpmbuild -E %_topdir)
+
+# Get version for rpmbuild tarball generation
+# Ignore the extra version string, it's not needed for tarball generation
+source VERSION
+SECVARCTL_VERSION=${SECVARCTL_VERSION%${SECVARCTL_VERSION_EXTRA}}
+
+set -e
+
+# Generate source tarball
+ln -s . secvarctl-${SECVARCTL_VERSION}
+tar czf secvarctl-${SECVARCTL_VERSION}.tar.gz secvarctl-${SECVARCTL_VERSION}/*
+mkdir -p ${RPMBUILD_ROOT}/SOURCES
+cp secvarctl-${SECVARCTL_VERSION}.tar.gz ${RPMBUILD_ROOT}/SOURCES
+
+# Run Build
+if [[ "x86_64" == $(uname -m) ]]; then
+  # Only one srpm is needed, so just arbitrarily pick the faster x86_64 build to do it
+  rpmbuild -ba secvarctl.spec
+else
+  rpmbuild -bb secvarctl.spec
+fi
+
+# Move generated RPMs out of container
+mkdir -p rpms
+cp ${RPMBUILD_ROOT}/RPMS/*/*.rpm rpms/
+if [[ "x86_64" == $(uname -m) ]]; then
+  # Only the x86_64 build generates the srpm, same for all arches
+  cp ${RPMBUILD_ROOT}/SRPMS/*.rpm rpms/
+fi
+
+# SUSE rpms don't appear to insert a distro tag, so invent one
+source /etc/os-release
+
+function rename_rpm {
+  cd rpms/
+  for rpm in *.rpm; do
+    # This feels kind of fragile, if this ever breaks it should be updated
+    NEW="$(echo $rpm | cut -d . -f -2).$1.$(echo $rpm | cut -d . -f 3-)"
+    mv $rpm $NEW
+  done
+  cd -
+}
+
+case $ID in
+  opensuse-tumbleweed)
+    rename_rpm stw
+  ;;
+
+  opensuse-leap)
+    rename_rpm "s$(echo $VERSION | cut -d . -f 1)"
+  ;;
+
+esac

ci/build-static.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+if [[ -z "${ARCH}" ]]; then
+  echo "ARCH is not set to a valid architecture"
+  exit 1
+fi
+
+make STATIC=1 LDFLAGS=-largp
+cp bin/secvarctl secvarctl.${ARCH}