@zluudg zluudg commented Apr 10, 2025

Summary by CodeRabbit

  • New Features
    • Added RPM packaging support, including new Makefile targets for creating tarballs and source RPMs.
    • Introduced systemd service and timer units for automated DNSTAPIR EDGE certificate renewal.
    • Provided an RPM spec file for streamlined installation and management of the tapir-cli tool.
  • Chores
    • Updated .gitignore to exclude RPM build artifacts and related files.
    • Added a helper Makefile for COPR build automation and prerequisite installation.

@zluudg zluudg requested a review from a team as a code owner April 10, 2025 20:52
coderabbitai bot commented Apr 10, 2025

Caution

Review failed

The pull request is closed.

Walkthrough

The changes introduce RPM packaging support for the project. This includes enhancements to the main Makefile for building source RPMs, new systemd service and timer unit files for certificate renewal, a new RPM spec file, and a dedicated Makefile for COPR builds. The .gitignore is updated to exclude RPM-related artifacts.

Changes

File(s) / Path(s) | Change Summary
--- | ---
Makefile | Added RPM packaging support: new SPECFILE variable, tarball and srpm targets, extended clean.
.copr/Makefile | New Makefile for COPR builds with prereq and srpm targets.
.gitignore | Updated to ignore .tar.gz, .src.rpm, and commented patterns for RPM build artifacts.
rpm/SOURCES/tapir-renew.service | Added new systemd service unit for DNSTAPIR EDGE certificate renewal.
rpm/SOURCES/tapir-renew.timer | Added new systemd timer unit to trigger certificate renewal weekly.
rpm/SPECS/tapir-cli.spec | New RPM spec file for tapir-cli, including build, install, and user/group setup instructions.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Makefile
    participant rpmbuild
    participant Systemd

    User->>Makefile: make srpm
    Makefile->>Makefile: Create tarball from Git HEAD
    Makefile->>Makefile: Verify version in spec file
    Makefile->>rpmbuild: Build source RPM using spec file
    rpmbuild-->>Makefile: Return built SRPM

    User->>Systemd: Enable tapir-renew.timer
    Systemd->>tapir-renew.timer: Trigger weekly
    tapir-renew.timer->>tapir-renew.service: Start service if certs exist
    tapir-renew.service->>/usr/bin/tapir-cli: Run certificate renewal

Possibly related PRs

  • Leon/issue/31/rpm packaging #33: Introduces RPM packaging support in the Makefile with the same SPECFILE variable, tarball and srpm targets, and related clean target enhancements.

Suggested reviewers

  • johanix

Poem

🐇
A hop and a skip, RPMs we now bake,
With timers and services, for security’s sake.
Makefiles enhanced, new rules in the den,
Certificates renewed, again and again.
From source to a package, the journey is clear—
Release day is coming, so let’s all cheer!


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0a623f8 and ff1ce0c.

📒 Files selected for processing (6)
  • .copr/Makefile (1 hunks)
  • .gitignore (1 hunks)
  • Makefile (2 hunks)
  • rpm/SOURCES/tapir-renew.service (1 hunks)
  • rpm/SOURCES/tapir-renew.timer (1 hunks)
  • rpm/SPECS/tapir-cli.spec (1 hunks)

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

🧹 Nitpick comments (3)
cmd/root.go (1)

45-46: Hardcoded path should be configurable

While adding a default path is good, hardcoding /etc/dnstapir/tapir-cli.yaml may cause issues in different environments or platforms.

Consider making this configurable through an environment variable:

-const default_TAPIR_CLI_CFG_FILE = "/etc/dnstapir/tapir-cli.yaml"
+const default_TAPIR_CLI_CFG_FILE_PATH = "/etc/dnstapir"
+const default_TAPIR_CLI_CFG_FILE_NAME = "tapir-cli.yaml"
+
+func getDefaultConfigFile() string {
+    if path := os.Getenv("TAPIR_CLI_CONFIG_DIR"); path != "" {
+        return filepath.Join(path, default_TAPIR_CLI_CFG_FILE_NAME)
+    }
+    return filepath.Join(default_TAPIR_CLI_CFG_FILE_PATH, default_TAPIR_CLI_CFG_FILE_NAME)
+}
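Review bot: getDefaultConfigFile() calls os.Getenv and filepath.Join, but the hunk adds no import lines, so "os" and "path/filepath" must already be imported in cmd/root.go or the file will not compile. The hunk also deletes default_TAPIR_CLI_CFG_FILE, so every remaining reference to that constant has to move to getDefaultConfigFile() in the same change. Since the value of TAPIR_CLI_CONFIG_DIR is joined into the path without any check, consider rejecting a non-absolute value and documenting the variable next to the config flag, so that an inherited environment cannot silently point the CLI at a different configuration file.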

Then update the config flag initialization to use this function.

.github/workflows/release.yaml (1)

31-58: Duplicate upload step name

There are two steps named "Upload Tarball" which can cause confusion.

The first "Upload Tarball" step (which is empty) should be removed, and the remaining upload steps should have clear, unique names.

Makefile (1)

45-52: New binary distribution target

The bindist target that depends on srcdist builds a binary from the source tarball.

Consider adding error checking to handle potential build failures more gracefully:

 bindist: srcdist
 	-mkdir -p dist/bin/build
 	cp dist/src/$(PROG)-$(VERSION).tar.gz dist/bin/build/
 	tar xvf dist/bin/build/$(PROG)-$(VERSION).tar.gz -C dist/bin/build
 	rm -f dist/bin/build/*.tar.gz
-	cd dist/bin/build/$(PROG) && make build
+	cd dist/bin/build/$(PROG) && make build || { echo "Build failed"; exit 1; }
 	mv dist/bin/build/$(PROG)/$(PROG) dist/bin/
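Review bot: the "|| { echo ...; exit 1; }" suffix on the "make build" line changes little, because make already stops the recipe when a line exits non-zero; what it adds is the message, and that should go to stderr (>&2). The line that does hide failures is "-mkdir -p dist/bin/build", whose leading "-" tells make to ignore errors; mkdir -p already succeeds when the directory exists, so the "-" can be dropped. Invoking the nested build as $(MAKE) build rather than make build also passes the parent's flags and jobserver down to the sub-make.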
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between bea8a90 and ff0bc2a.

⛔ Files ignored due to path filters (7)
  • dist/.gitignore is excluded by !**/dist/**
  • dist/rpm/SOURCES/tapir-cli.sysusers is excluded by !**/dist/**
  • dist/rpm/SOURCES/tapir-cli.yaml is excluded by !**/dist/**
  • dist/rpm/SOURCES/tapir-renew.service is excluded by !**/dist/**
  • dist/rpm/SOURCES/tapir-renew.timer is excluded by !**/dist/**
  • dist/rpm/SPECS/tapir-cli.spec.in is excluded by !**/dist/**
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (4)
  • .github/workflows/release.yaml (1 hunks)
  • Makefile (2 hunks)
  • cmd/root.go (4 hunks)
  • go.mod (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.4)
.github/workflows/release.yaml

11-11: the runner of "actions/checkout@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


18-18: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions

(deprecated-commands)


26-26: string should not be empty

(syntax-check)


28-28: string should not be empty

(syntax-check)


30-30: string should not be empty

(syntax-check)

🔇 Additional comments (13)
go.mod (2)

8-8: Dependency version update looks good

The updated version of the github.com/dnstapir/tapir module includes newer changes that are likely required for the RPM packaging functionality added in this PR.


1-66:

❓ Verification inconclusive

Verify the removed dependency is no longer needed

According to the summary, the dependency on github.com/google/uuid has been removed. Please ensure that no code in the project still relies on this library.


🏁 Script executed:

#!/bin/bash
# Check if there are any remaining imports of the uuid package in the codebase
rg -l "github.com/google/uuid" --type go

Length of output: 40


Confirm Removal of github.com/google/uuid

The initial search using "rg -l 'github.com/google/uuid' --type go" returned no results, which suggests that there are no remaining import statements for this dependency in the Go source files. However, since the search output was completely empty and might not cover all possible code paths (such as non-Go files or indirect references), please perform a manual verification to be certain that no part of the project still relies on github.com/google/uuid.

  • Double-check all source and test files: Ensure that the removal of this dependency doesn’t affect any indirect usage or build scripts.
  • Confirm removal across the entire repository: Consider reviewing any non-Go files or configuration scripts that might reference this dependency inadvertently.
cmd/root.go (6)

20-20: Code simplification looks good

Removing unnecessary variables (imr, servername, certname, and Prog) and keeping only the essential cfgFile makes the code cleaner.


51-53: Changed default behavior to standalone mode

The default for --standalone is now true, which changes the application's behavior to not connect to TAPIR-POP by default.

Is this change intentional and communicated to users? This could potentially break existing workflows for users who upgrade.


91-98: Simplified configuration loading logic

The configuration file handling has been streamlined, which is good. However, the error handling is now more strict, as it will terminate on any config read error.

This change will make the application terminate if the config file cannot be found. Please confirm this behavior is intentional and expected by users.


105-114: Updated configuration key references

The code now directly references cli.tapir-pop in error messages rather than using variables.


119-119: Updated API key configuration

The API key is now retrieved from the updated configuration path.


63-64:

✅ Verification successful

New commands added

Two new commands (EnrollCmd and RenewCmd) have been added, expanding the CLI functionality.


🏁 Script executed:

#!/bin/bash
# Check if these commands are properly implemented in the codebase
rg -A 5 "var EnrollCmd" --type go
rg -A 5 "var RenewCmd" --type go

Length of output: 70


🏁 Script executed:

#!/bin/bash
echo "Searching the repository for any occurrence of 'EnrollCmd' in Go files..."
rg -n "EnrollCmd" --type go

echo "Searching the repository for any occurrence of 'RenewCmd' in Go files..."
rg -n "RenewCmd" --type go

Length of output: 477


CLI Command Registration Verified

In cmd/root.go at lines 63-64, the new commands (EnrollCmd and RenewCmd) are correctly registered with rootCmd.AddCommand(...). A repository-wide search confirmed their presence, ensuring the CLI expansion is properly implemented.

.github/workflows/release.yaml (1)

1-5: New release workflow is a good addition

Adding an automated workflow for releasing artifacts when a release is published improves the project's CI/CD capabilities.

Makefile (4)

34-36: Enhanced clean target

The clean target has been improved to remove all distribution-related directories, which is important for the new packaging targets.


41-44: New source distribution target

The srcdist target creates a source tarball using git archive, which is a clean way to package the source code.


53-58:

✅ Verification successful

New RPM packaging target

The rpm target depends on bindist and creates an RPM package, which is good for systems that use RPM package management.


🏁 Script executed:

#!/bin/bash
# Check if the RPM spec template file exists
find . -name "*.spec.in"

Length of output: 61


RPM Packaging Target Verified

The RPM packaging target now appears solid. Verification confirms that the RPM spec template (found as ./dist/rpm/SPECS/tapir-cli.spec.in) exists. The target correctly depends on bindist, creates the necessary directories, copies the binary, processes the spec template with sed to inject the version, and finally calls rpmbuild as intended.

No further changes are required.


6-6:

✅ Verification successful

Updated build flags

Added -B gobuildid to the Go build flags.


🌐 Web query:

What does -B gobuildid flag do in Go build flags?

💡 Result:

The -B flag in Go's build system is used to set the build ID of the generated binary. This flag is passed to the linker (cmd/link) and influences the unique identifier embedded in the executable, which is critical for Go's build caching and reproducibility mechanisms.

Key Details:

  1. Purpose:
    The build ID is a hash-based identifier computed from the binary's content. It helps the Go toolchain determine if a rebuild is necessary by checking if inputs (or their dependencies) have changed[10].

  2. Usage:
    When building the Go toolchain itself, -B can cause issues because the build ID becomes part of the binary's content. This creates a circular dependency: modifying the build ID alters the binary, which in turn changes the build ID in subsequent compilations[10]. For example:

    # Hypothetical example (not standard practice)
    go build -ldflags="-B custom_build_id" .
  3. Impact on Reproducibility:
    Overriding the build ID with -B can disrupt deterministic builds, as the ID is typically derived from the binary's content. Forcing a specific ID may require careful handling in scenarios like toolchain compilation[10].

Related Flags:

  • -ldflags="-buildid=..." is another way to set the build ID during linking[7].
  • Stripping the build ID (e.g., -ldflags="-buildid= -s") removes it entirely, reducing binary size[7].

In summary, -B directly modifies the build ID, which is integral to Go's build caching and dependency tracking. Its use is rare outside specialized contexts like debugging build-system behavior or ensuring specific build fingerprints.

Build Flag Update Verified

The addition of the -B gobuildid flag in the Makefile is correct. As confirmed by our query, this flag explicitly sets the build ID in the binary via the linker, thereby influencing Go's build caching and reproducibility mechanisms. This change is intentional and aligns with our build strategy.

File: Makefile
Line: 6

Final Snippet:

GOFLAGS:=-v -ldflags "-X app.version=$(VERSION)-$(COMMIT) -B gobuildid"

@johanix johanix left a comment

I have no opinion on all the RPM stuff, I only understand the go code (and Makefile, etc).

@zluudg zluudg force-pushed the leon/issue/31/rpm-packaging branch 2 times, most recently from 1505472 to 0a623f8 Compare June 4, 2025 20:09
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

♻️ Duplicate comments (1)
Makefile (1)

55-55: Update PHONY targets
The .PHONY declaration needs to include the new tarball and srpm targets to prevent collisions with files of the same name.

🧹 Nitpick comments (10)
.copr/Makefile (2)

3-5: Mark prereq as phony
Add a .PHONY: prereq directive to avoid collisions with any file named prereq.


6-7: Mark srpm as phony and reduce verbosity
Add .PHONY: srpm and consider prefixing the $(MAKE) invocation with @ to suppress redundant output during automated runs.

Makefile (2)

34-39: Consolidate cleanup commands
You can merge the multiple rm invocations into one pattern for clarity, e.g.:

clean:
	@rm -rf $(PROG) *~ cmd/*~ *.tar.gz rpm/{SOURCES/*.tar.gz,BUILD,BUILDROOT,SRPMS,RPMS}

44-46: Quote tarball filename
Wrap $(PROG)-$(VERSION).tar.gz in quotes to guard against unexpected characters, e.g.:

-	git archive --format=tar.gz --prefix=$(PROG)/ -o $(PROG)-$(VERSION).tar.gz HEAD
+	git archive --format=tar.gz --prefix=$(PROG)/ -o "$(PROG)-$(VERSION).tar.gz" HEAD
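Review bot: the quoting is applied only to the -o argument, while --prefix=$(PROG)/ on the same line still expands $(PROG) unquoted. Make substitutes $(PROG) and $(VERSION) before the shell sees the line, and inside double quotes the shell still interprets $, backticks and embedded double quotes, so the added quotes protect against spaces and globbing only. Quote the prefix as well, and if VERSION can be set from outside the repository, check it against an allowed character set before it reaches the recipe.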
rpm/SPECS/tapir-cli.spec (6)

15-16: Fix typo in description
Change DNSTAPIR EDGE ClI Tool to DNSTAPIR EDGE CLI Tool for consistent casing.


24-26: Consider using %make_build macro
For consistency with other RPM workflows, you may swap make for %make_build, though the explicit call is acceptable.


27-36: Explicitly name installed config file
While install -m 0640 %{SOURCE3} …/dnstapir/ drops the YAML into the directory, specifying the full path (e.g., …/dnstapir/tapir-cli.yaml) improves clarity.


45-48: Combine user/group creation
To reduce boilerplate, merge the two getent checks into a single shell block, e.g.:

%pre
getent group dnstapir || groupadd -r dnstapir
getent passwd tapir-renew || useradd -r -d /etc/dnstapir -G dnstapir -s /sbin/nologin tapir-renew

49-56: Remove empty scriptlets until needed
Omit the unused %post, %preun, %postun, and %check sections to keep the spec concise; add them when scripts are required.


57-58: Add initial changelog entry
An empty %changelog misses history; include at least one entry for version 0.3 to track the initial release.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 5bb3f51 and 0a623f8.

📒 Files selected for processing (6)
  • .copr/Makefile (1 hunks)
  • .gitignore (1 hunks)
  • Makefile (2 hunks)
  • rpm/SOURCES/tapir-renew.service (1 hunks)
  • rpm/SOURCES/tapir-renew.timer (1 hunks)
  • rpm/SPECS/tapir-cli.spec (1 hunks)
✅ Files skipped from review due to trivial changes (3)
  • rpm/SOURCES/tapir-renew.service
  • rpm/SOURCES/tapir-renew.timer
  • .gitignore
🧰 Additional context used
🪛 RuboCop (1.75.5)
rpm/SPECS/tapir-cli.spec

[fatal] 1-1: unexpected token tCOLON
(Using Ruby 2.7 parser; configure using TargetRubyVersion parameter, under AllCops)

(Lint/Syntax)

🔇 Additional comments (5)
.copr/Makefile (1)

1-1: Correct project root resolution
The top variable accurately resolves the parent directory of this Makefile, ensuring COPR builds invoke the top-level Makefile.

Makefile (1)

13-13: Validate SPECFILE path
Ensure the spec file at rpm/SPECS/tapir-cli.spec exists relative to the repo root and consider quoting the variable (e.g. $(SPECFILE)) if paths may contain spaces.

rpm/SPECS/tapir-cli.spec (3)

18-20: Macro fallbacks look good
The %{!?_unitdir} and %{!?_sysusersdir} definitions ensure compatibility across distros.


21-23: %prep section is correct
Using %setup -n %{name} matches the tarball’s root directory.


37-44: Verify file ownership and permissions
You’ve set the binary’s permissions to 0770. Confirm this restrictive mode is intended—if wider system access is required, consider 0755.

@zluudg zluudg force-pushed the leon/issue/31/rpm-packaging branch from 0a623f8 to 467c366 Compare June 9, 2025 07:59
@zluudg zluudg force-pushed the leon/issue/31/rpm-packaging branch from 467c366 to ff1ce0c Compare June 9, 2025 08:00
@zluudg zluudg merged commit ccf712c into main Jun 9, 2025
2 checks passed
@zluudg zluudg deleted the leon/issue/31/rpm-packaging branch June 9, 2025 08:02
@coderabbitai coderabbitai bot mentioned this pull request Sep 16, 2025