Restructure project layout for better CI/CD integration

- Flattened nested bootupd/bootupd/ structure to root level - Moved all core project files to root directory - Added proper Debian packaging structure (debian/ directory) - Created build scripts and CI configuration - Improved project organization for CI/CD tools - All Rust source, tests, and configuration now at root level - Added GitHub Actions workflow for automated testing - Maintained all original functionality while improving structure
2025-08-09 23:11:42 -07:00 · 2025-08-09 23:11:42 -07:00 · aaf662d5b1
commit aaf662d5b1
parent 5e8730df43
87 changed files with 1334 additions and 570 deletions
--- a/.github/ISSUE_TEMPLATE/release-checklist.md
+++ b/.github/ISSUE_TEMPLATE/release-checklist.md
@ -0,0 +1,111 @@
+# Release process
+
+The release process follows the usual PR-and-review flow, allowing an external reviewer to have a final check before publishing.
+
+In order to ease downstream packaging of Rust binaries, an archive of vendored dependencies is also provided (only relevant for offline builds).
+
+## Requirements
+
+This guide requires:
+
+ * A web browser (and network connectivity)
+ * `git`
+ * [GPG setup][GPG setup] and personal key for signing
+ * [git-evtag](https://github.com/cgwalters/git-evtag/)
+ * `cargo` (suggested: latest stable toolchain from [rustup][rustup])
+ * `cargo-release` (suggested: `cargo install -f cargo-release`)
+ * `cargo vendor-filterer` (suggested: `cargo install -f cargo-vendor-filterer`)
+ * A verified account on crates.io
+ * Write access to this GitHub project
+ * Upload access to this project on GitHub, crates.io
+ * Membership in the [Fedora CoreOS Crates Owners group](https://github.com/orgs/coreos/teams/fedora-coreos-crates-owners/members)
+
+## Release checklist
+
+- Prepare local branch+commit
+  - [ ] `git checkout -b release`
+  - [ ] Bump the version number in `Cargo.toml`.  Usually you just want to bump the patch.
+  - [ ] Run `cargo build` to ensure `Cargo.lock` would be updated
+  - [ ] Commit changes `git commit -a -m 'Release x.y.z'`; include some useful brief changelog.
+
+- Prepare the release
+  - [ ] Run `./ci/prepare-release.sh`
+
+- Validate that `origin` points to the canonical upstream repository and not your fork:
+  `git remote show origin` should not be `github.com/$yourusername/$project` but should
+  be under the organization ownership.  The remote `yourname` should be for your fork.
+
+- open and merge a PR for this release:
+  - [ ] `git push --set-upstream origin release`
+  - [ ] open a web browser and create a PR for the branch above
+  - [ ] make sure the resulting PR contains the commit
+  - [ ] in the PR body, write a short changelog with relevant changes since last release
+  - [ ] get the PR reviewed, approved and merged
+
+- publish the artifacts (tag and crate):
+  - [ ] `git fetch origin && git checkout ${RELEASE_COMMIT}`
+  - [ ] verify `Cargo.toml` has the expected version
+  - [ ] `git-evtag sign v${RELEASE_VER}`
+  - [ ] `git push --tags origin v${RELEASE_VER}`
+  - [ ] `cargo publish`
+
+- publish this release on GitHub:
+  - [ ] find the new tag in the [GitHub tag list](https://github.com/coreos/bootupd/tags), click the triple dots menu, and create a release for it
+  - [ ] write a short changelog with `git shortlog $last_tag..` (i.e. re-use the PR content). See previous releases for format, for example [`v0.2.25`](https://hackmd.io/@hhei/SkYe0AtMye)
+  - [ ] upload `target/${PROJECT}-${RELEASE_VER}-vendor.tar.gz`
+  - [ ] record digests of local artifacts:
+    - `sha256sum target/package/${PROJECT}-${RELEASE_VER}.crate`
+    - `sha256sum target/${PROJECT}-${RELEASE_VER}-vendor.tar.gz`
+  - [ ] publish release
+
+- clean up:
+  - [ ] `git push origin :release`
+  - [ ] `cargo clean`
+  - [ ] `git checkout main`
+
+- Fedora packaging:
+  - [ ] update the `rust-bootupd` spec file in [Fedora](https://src.fedoraproject.org/rpms/rust-bootupd)
+    - bump the `Version`
+    - remove any patches obsoleted by the new release
+  - [ ] run `spectool -g -S rust-bootupd.spec`
+  - [ ] run `kinit your_fas_account@FEDORAPROJECT.ORG`
+  - [ ] run `fedpkg new-sources <crate-name> <vendor-tarball-name>`
+  - [ ] PR the changes in [Fedora](https://src.fedoraproject.org/rpms/rust-bootupd)
+  - [ ] once the PR merges to rawhide, merge rawhide into the other relevant branches (e.g. f35) then push those, for example:
+    ```bash
+    git checkout rawhide
+    git pull --ff-only
+    git checkout f35
+    git merge --ff-only rawhide
+    git push origin f35
+    ```
+  - [ ] on each of those branches run `fedpkg build`
+  - [ ] once the builds have finished, submit them to [bodhi](https://bodhi.fedoraproject.org/updates/new), filling in:
+    - `rust-bootupd` for `Packages`
+    - selecting the build(s) that just completed, except for the rawhide one (which gets submitted automatically)
+    - writing brief release notes like "New upstream release; see release notes at `link to GitHub release`"
+    - leave `Update name` blank
+    - `Type`, `Severity` and `Suggestion` can be left as `unspecified` unless it is a security release. In that case select `security` with the appropriate severity.
+    - `Stable karma` and `Unstable` karma can be set to `2` and `-1`, respectively.
+  - [ ] [submit a fast-track](https://github.com/coreos/fedora-coreos-config/actions/workflows/add-override.yml) for FCOS testing-devel
+  - [ ] [submit a fast-track](https://github.com/coreos/fedora-coreos-config/actions/workflows/add-override.yml) for FCOS next-devel if it is [open](https://github.com/coreos/fedora-coreos-pipeline/blob/main/next-devel/README.md)
+
+- RHCOS packaging:
+  - [ ] update the `rust-bootupd` spec file
+    - bump the `Version`
+    - switch the `Release` back to `1%{?dist}`
+    - remove any patches obsoleted by the new release
+    - update changelog
+  - [ ] run `spectool -g -S rust-bootupd.spec`
+  - [ ] run `kinit your_account@REDHAT.COM`
+  - [ ] run `rhpkg new-sources <crate-name> <vendor-tarball-name>`
+  - [ ] PR the changes
+  - [ ] get the PR reviewed and merge it
+  - [ ] update your local repo and run `rhpkg build`
+
+CentOS Stream 9 packaging:
+  - [ ] to be written
+
+[rustup]: https://rustup.rs/
+[crates-io]: https://crates.io/
+[GPG setup]: https://docs.github.com/en/github/authenticating-to-github/managing-commit-signature-verification
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,26 @@
+# Maintained in https://github.com/coreos/repo-templates
+# Do not edit downstream.
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels: ["skip-notes"]
+    open-pull-requests-limit: 3
+  - package-ecosystem: cargo
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 10
+    labels:
+      - area/dependencies
+
+    # Group all updates together in a single PR. We can remove some
+    # updates from a combined update PR via comments to dependabot:
+    # https://docs.github.com/en/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-for-grouped-updates-with-comment-commands
+    groups:
+      build:
+        patterns:
+          - "*"
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -0,0 +1,101 @@
+name: CI
+
+permissions:
+  actions: read
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  c9s-bootc-e2e:
+    strategy:
+      matrix:
+        runner:
+          - ubuntu-24.04
+          - ubuntu-24.04-arm
+
+    runs-on: [ "${{ matrix.runner }}" ]
+
+    steps:
+      - name: Get a newer podman for heredoc support (from debian testing)
+        run: |
+          set -eux
+          echo 'deb [trusted=yes] https://ftp.debian.org/debian/ testing main' | sudo tee /etc/apt/sources.list.d/testing.list
+          sudo apt update
+          sudo apt install -y crun/testing podman/testing skopeo/testing
+
+      - uses: actions/checkout@v4
+
+      - name: Install podman
+        if: ( matrix.runner == 'ubuntu-24.04-arm' )
+        run: |
+          sudo apt update -y
+          sudo apt install -y podman
+
+      - name: build
+        run: sudo podman build -t localhost/bootupd:latest -f Dockerfile .
+
+      - name: bootupctl status in container
+        run: |
+          set -xeuo pipefail
+          sudo podman run --rm -v $PWD:/run/src -w /run/src --privileged localhost/bootupd:latest tests/tests/bootupctl-status-in-bootc.sh
+
+      - name: bootc install to disk
+        run: |
+          set -xeuo pipefail
+          sudo truncate -s 10G myimage.raw
+          sudo podman run --rm --privileged -v .:/target --pid=host --security-opt label=disable \
+            -v /var/lib/containers:/var/lib/containers \
+            -v /dev:/dev \
+            localhost/bootupd:latest bootc install to-disk --skip-fetch-check \
+            --disable-selinux --generic-image --via-loopback /target/myimage.raw
+          # Verify we installed grub.cfg and shim on the disk
+          sudo losetup -P -f myimage.raw
+          device=$(losetup -a myimage.raw --output NAME -n)
+          esp_part=$(sudo sfdisk -l -J "${device}" | jq -r '.partitiontable.partitions[] | select(.type == "C12A7328-F81F-11D2-BA4B-00A0C93EC93B").node')
+          sudo mount "${esp_part}" /mnt/
+          arch="$(uname --machine)"
+          if [[ "${arch}" == "x86_64" ]]; then
+            shim="shimx64.efi"
+          else
+            # Assume aarch64 for now
+            shim="shimaa64.efi"
+          fi
+          sudo ls /mnt/EFI/centos/{grub.cfg,${shim}}
+          sudo umount /mnt
+          # check /boot/grub2/grub.cfg permission
+          root_part=$(sudo sfdisk -l -J "${device}" | jq -r '.partitiontable.partitions[] | select(.name == "root").node')
+          sudo mount "${root_part}" /mnt/
+          sudo ls /mnt/boot/grub2/grub.cfg
+          [ $(sudo stat -c "%a" /mnt/boot/grub2/grub.cfg) == "600" ]
+          sudo umount /mnt
+          sudo losetup -D "${device}"
+          sudo rm -f myimage.raw
+
+      - name: bootc install to filesystem
+        run: |
+          set -xeuo pipefail
+          sudo podman run --rm -ti --privileged -v /:/target --pid=host --security-opt label=disable \
+            -v /dev:/dev -v /var/lib/containers:/var/lib/containers \
+            localhost/bootupd:latest bootc install to-filesystem --skip-fetch-check \
+            --acknowledge-destructive \
+            --disable-selinux --replace=alongside /target
+          # Verify we injected static configs
+          jq -re '.["static-configs"].version' /boot/bootupd-state.json
+          [ $(sudo stat -c "%a" /boot/grub2/grub.cfg) == "600" ]
+
+      - name: bootupctl generate-update-metadata
+        run: |
+          set -xeuo pipefail
+          sudo podman run --rm -v $PWD:/run/src -w /run/src --privileged localhost/bootupd:latest tests/tests/move-content-to-usr.sh
--- a/.github/workflows/cross.yml
+++ b/.github/workflows/cross.yml
@ -0,0 +1,43 @@
+name: Cross build
+
+on: [push, pull_request]
+
+permissions:
+  actions: read
+
+jobs:
+  crossarch-check:
+    runs-on: ubuntu-22.04
+    name: Build on ${{ matrix.arch }}
+
+    strategy:
+      matrix:
+        include:
+          - arch: s390x
+            distro: ubuntu_latest
+          - arch: ppc64le
+            distro: ubuntu_latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: true
+          set-safe-directory: true
+
+      - uses: uraimo/run-on-arch-action@v3.0.0
+        name: Build
+        id: build
+        with:
+          arch: ${{ matrix.arch }}
+          distro: ${{ matrix.distro }}
+
+          githubToken: ${{ github.token }}
+
+          run: |
+            set -xeu
+            apt update -y
+            apt install -y gcc make curl libssl-dev pkg-config
+            # Install Rust 1.84.1
+            curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain 1.84.1
+            source $HOME/.cargo/env
+            rustc --version
+            cargo check
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@ -0,0 +1,119 @@
+# Maintained in https://github.com/coreos/repo-templates
+# Do not edit downstream.
+
+name: Rust
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+permissions:
+  contents: read
+
+# don't waste job slots on superseded code
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  CARGO_TERM_COLOR: always
+  # Pinned toolchain for linting
+  ACTIONS_LINTS_TOOLCHAIN: 1.84.1
+
+jobs:
+  tests-stable:
+    name: Tests, stable toolchain
+    runs-on: ubuntu-latest
+    container: quay.io/coreos-assembler/fcos-buildroot:testing-devel
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Install toolchain
+        uses: dtolnay/rust-toolchain@v1
+        with:
+          toolchain: stable
+      - name: Cache build artifacts
+        uses: Swatinem/rust-cache@v2
+      - name: cargo build
+        run: cargo build --all-targets
+      - name: cargo test
+        run: cargo test --all-targets
+  tests-release-stable:
+    name: Tests (release), stable toolchain
+    runs-on: ubuntu-latest
+    container: quay.io/coreos-assembler/fcos-buildroot:testing-devel
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Install toolchain
+        uses: dtolnay/rust-toolchain@v1
+        with:
+          toolchain: stable
+      - name: Cache build artifacts
+        uses: Swatinem/rust-cache@v2
+      - name: cargo build (release)
+        run: cargo build --all-targets --release
+      - name: cargo test (release)
+        run: cargo test --all-targets --release
+  tests-release-msrv:
+    name: Tests (release), minimum supported toolchain
+    runs-on: ubuntu-latest
+    container: quay.io/coreos-assembler/fcos-buildroot:testing-devel
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Detect crate MSRV
+        run: |
+          msrv=$(cargo metadata --format-version 1 --no-deps | \
+              jq -r '.packages[0].rust_version')
+          echo "Crate MSRV: $msrv"
+          echo "MSRV=$msrv" >> $GITHUB_ENV
+      - name: Install toolchain
+        uses: dtolnay/rust-toolchain@v1
+        with:
+          toolchain: ${{ env.MSRV }}
+      - name: Cache build artifacts
+        uses: Swatinem/rust-cache@v2
+      - name: cargo build (release)
+        run: cargo build --all-targets --release
+      - name: cargo test (release)
+        run: cargo test --all-targets --release
+  linting:
+    name: Lints, pinned toolchain
+    runs-on: ubuntu-latest
+    container: quay.io/coreos-assembler/fcos-buildroot:testing-devel
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Install toolchain
+        uses: dtolnay/rust-toolchain@v1
+        with:
+          toolchain: ${{ env.ACTIONS_LINTS_TOOLCHAIN }}
+          components: rustfmt, clippy
+      - name: Cache build artifacts
+        uses: Swatinem/rust-cache@v2
+      - name: cargo fmt (check)
+        run: cargo fmt -- --check -l
+      - name: cargo clippy (warnings)
+        run: cargo clippy --all-targets -- -D warnings
+  tests-other-channels:
+    name: Tests, unstable toolchain
+    runs-on: ubuntu-latest
+    container: quay.io/coreos-assembler/fcos-buildroot:testing-devel
+    continue-on-error: true
+    strategy:
+      matrix:
+        channel: [beta, nightly]
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Install toolchain
+        uses: dtolnay/rust-toolchain@v1
+        with:
+          toolchain: ${{ matrix.channel }}
+      - name: Cache build artifacts
+        uses: Swatinem/rust-cache@v2
+      - name: cargo build
+        run: cargo build --all-targets
+      - name: cargo test
+        run: cargo test --all-targets