Build and publish nightly RPMs using COPR

[pmtk]

Usage:

mkdir -p /tmp/microshift-srpm-copr

# Create SRPM
make srpm SRPM_WORKDIR=/tmp/microshift-srpm-copr

# Push SRPM to COPR and store the build ID in the $SRPM_WORKDIR/build.txt
make copr-create-build COPR_REPO_NAME=USER/PROJECT SRPM_WORKDIR=/tmp/microshift-srpm-copr

# Wait until build is finished
make copr-watch-build SRPM_WORKDIR=/tmp/microshift-srpm-copr

# Create a container image with the RPMs from COPR for usage in runner image
make rpm-copr SRPM_WORKDIR=/tmp/microshift-srpm-copr 

# Build runner image with builder override
make image BUILDER_IMAGE=rpm-copr-builder

Part of #71

Summary by CodeRabbit

• New Features

  • Added a COPR-based RPM build workflow with commands to create, watch, manage, and extract COPR builds.
  • Added nightly CI to build RPMs, run tests, and regenerate COPR repositories.
  • Introduced container images and a helper script to drive COPR CLI operations and RPM extraction.

• Chores

  • Made the RPM image name overridable and passed it into container builds.
  • Updated messaging to reference both RPM build options and added CI input for selecting the RPM image.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds COPR-based RPM build and retrieval: Makefile includes COPR make fragment; new COPR containerfiles, script, and make targets to create/watch COPR builds and extract RPMs; boot image build accepts overridable RPM_IMAGE; and a GitHub Actions workflow automates nightly COPR build/test/regeneration.

Changes

Cohort / File(s)	Summary
Top-level Makefile Makefile	Make RPM_IMAGE overridable (RPM_IMAGE ?= microshift-okd-rpm), add PROJECT_DIR, include src/copr/copr.mk, update image target message to reference make rpm or make rpm-copr, and pass --build-arg RPM_IMAGE="${RPM_IMAGE}" to boot container build.
COPR Make & helper script src/copr/copr.mk, src/copr/create-build.sh	New COPR integration: introduce COPR variables and PHONY targets (rpm-copr, copr-create-build, copr-watch-build, copr-regenerate-repos, copr-cli, copr-delete-build, copr-cfg-ensure-podman-secret, copr-help), and add create-build.sh to run copr-cli, parse the build ID, and write /srpms/build.txt.
COPR-related Containerfiles src/copr/copr-cli.Containerfile, packaging/rpms-copr.Containerfile	Add COPR CLI image (Fedora 42 + copr-cli) and rpms-copr Containerfile to download COPR build RPMs, extract MicroShift sources, place RPMs into builder repo path, and regenerate repo metadata.
Boot container build packaging/bootc.Containerfile	Add ARG RPM_IMAGE and parameterize builder FROM to localhost/${RPM_IMAGE}:latest instead of a hardcoded image.
CI: GitHub Actions & composite action .github/workflows/nightly-copr.yaml, .github/actions/build/action.yaml	Add nightly-copr workflow to drive SRPM→COPR build→fetch RPMs→build/test MicroShift and regenerate repos; composite action gains rpm-image input (default microshift-okd-rpm), conditionally gates RPM steps, and propagates RPM_IMAGE into the boot image build.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer / Make
    participant Podman as Podman
    participant CLI as COPR CLI Container
    participant COPR as COPR Service
    participant Builder as rpms-copr Container
    participant Repo as RPM Repository

    Dev->>Podman: run `make rpm-copr` (mount SRPMs & COPR config)
    Podman->>CLI: start copr-cli to create build with SRPMs
    CLI->>COPR: create-build --nowait (upload SRPM)
    COPR-->>CLI: returns build ID
    CLI->>Dev: write build ID to `/srpms/build.txt`
    Dev->>Podman: run `copr-watch-build` (poll via copr-cli)
    CLI->>COPR: watch-build (poll until complete)
    COPR-->>CLI: build completed
    Podman->>Builder: run `rpms-copr` container with build ID
    Builder->>COPR: `copr download-build` (fetch RPMs)
    COPR-->>Builder: deliver RPM files
    Builder->>Repo: move RPMs into repo path and run `createrepo`
    Repo-->>Dev: RPMs available for downstream builds

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• Local build from srpm #164: touches RPM_IMAGE usage and bootc/Makefile propagation, overlapping RPM-image build flow.
• RPMs build improvements #167: similar parameterization of RPM image and bootc Containerfile changes.
• Run MicroShift presubmit tests on Ubuntu #57: related edits to boot/ RPM image build steps and Makefile image handling.

Suggested reviewers

• ggiguash

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check	✅ Passed	The title 'Build and publish nightly RPMs using COPR' accurately describes the main objective of the changeset, which adds COPR integration for building and publishing RPMs nightly.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

🧹 Nitpick comments (2)

packaging/rpms-copr.Containerfile (1)

14-14: Hardcoded chroot limits flexibility.

The epel-9 chroot is hardcoded. Consider making it configurable via an ARG for different target distributions.

Apply this diff to make the chroot configurable:

 ARG COPR_BUILD_ID=
 ARG BUILDER_RPM_REPO_PATH=/home/microshift/microshift/_output/rpmbuild/RPMS
+ARG COPR_CHROOT=epel-9
 
 # hadolint ignore=DL3003,DL4006,SC3040
 RUN <<EOT bash
     set -xeuo pipefail
-    copr download-build --rpms --chroot "epel-9-$(uname -m)" --dest /tmp/rpms ${COPR_BUILD_ID}
+    copr download-build --rpms --chroot "${COPR_CHROOT}-$(uname -m)" --dest /tmp/rpms ${COPR_BUILD_ID}
     mkdir -p /home/microshift/microshift
-    cd /tmp/rpms/"epel-9-$(uname -m)"/
+    cd /tmp/rpms/"${COPR_CHROOT}-$(uname -m)"/
     rpm2cpio microshift-*.src.rpm | cpio -idmv
     tar xf microshift-*.tar.gz -C /home/microshift/microshift --strip-components=1
     mkdir -p ${BUILDER_RPM_REPO_PATH}
-    mv /tmp/rpms/"epel-9-$(uname -m)"/*.rpm ${BUILDER_RPM_REPO_PATH}/
+    mv /tmp/rpms/"${COPR_CHROOT}-$(uname -m)"/*.rpm ${BUILDER_RPM_REPO_PATH}/
     createrepo -v ${BUILDER_RPM_REPO_PATH}
     rm -rf /tmp/rpms
 EOT

src/copr/create-build.sh (1)

4-11: Consider using JSON output format instead of parsing text.

The code parses copr-cli output with grep and cut, which is fragile if the output format changes. The copr-cli tool supports --output-format json for the build command, providing structured output that eliminates this parsing fragility.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d1cc1c5 and 551ee5d.

📒 Files selected for processing (6)

• Makefile (3 hunks)
• packaging/microshift-runner.Containerfile (1 hunks)
• packaging/rpms-copr.Containerfile (1 hunks)
• src/copr/copr-cli.Containerfile (1 hunks)
• src/copr/copr.mk (1 hunks)
• src/copr/create-build.sh (1 hunks)

🧰 Additional context used

🧠 Learnings (5)

📓 Common learnings

Learnt from: pmtk
Repo: microshift-io/microshift PR: 151
File: docs/workflows.md:74-76
Timestamp: 2025-12-04T13:35:05.230Z
Learning: The COPR group microshift-io/microshift exists at https://copr.fedorainfracloud.org/coprs/g/microshift-io/microshift/ and is used for publishing MicroShift RPM packages in the microshift-io/microshift repository.

Learnt from: ggiguash
Repo: microshift-io/microshift PR: 57
File: .github/workflows/builders.yaml:75-84
Timestamp: 2025-10-17T10:53:08.461Z
Learning: In the microshift repository, the RPM-to-Debian conversion workflow follows this pattern: `convert.sh` receives an RPM directory as input and outputs .deb files to a `deb/` subdirectory within that directory. The `install.sh` script expects to receive the parent RPM directory (not the deb subdirectory) and uses recursive `find` commands to locate the .deb files in subdirectories.

Learnt from: ggiguash
Repo: microshift-io/microshift PR: 137
File: src/quickrpm.sh:83-98
Timestamp: 2025-11-26T06:46:33.353Z
Learning: In the microshift-io/microshift repository, the quickrpm.sh script only supports RHEL 9 or above (and equivalent CentOS/Fedora versions), where util-linux includes the `--nooverlap` flag for losetup.

📚 Learning: 2025-10-17T07:44:32.742Z

Learnt from: ggiguash
Repo: microshift-io/microshift PR: 92
File: .github/workflows/release.yaml:44-50
Timestamp: 2025-10-17T07:44:32.742Z
Learning: When Podman builds an image without a registry prefix (e.g., `podman build -t microshift-okd`), it automatically adds the `localhost/` prefix and `:latest` tag, resulting in `localhost/microshift-okd:latest`. This means the Makefile in microshift-io/microshift building with `-t microshift-okd` produces `localhost/microshift-okd:latest` without explicit retagging.

Applied to files:

• packaging/microshift-runner.Containerfile
• src/copr/copr.mk
• Makefile

📚 Learning: 2025-12-04T13:35:05.230Z

Learnt from: pmtk
Repo: microshift-io/microshift PR: 151
File: docs/workflows.md:74-76
Timestamp: 2025-12-04T13:35:05.230Z
Learning: The COPR group microshift-io/microshift exists at https://copr.fedorainfracloud.org/coprs/g/microshift-io/microshift/ and is used for publishing MicroShift RPM packages in the microshift-io/microshift repository.

Applied to files:

• src/copr/create-build.sh
• packaging/rpms-copr.Containerfile
• src/copr/copr.mk
• src/copr/copr-cli.Containerfile
• Makefile

📚 Learning: 2025-10-17T10:53:08.461Z

Learnt from: ggiguash
Repo: microshift-io/microshift PR: 57
File: .github/workflows/builders.yaml:75-84
Timestamp: 2025-10-17T10:53:08.461Z
Learning: In the microshift repository, the RPM-to-Debian conversion workflow follows this pattern: `convert.sh` receives an RPM directory as input and outputs .deb files to a `deb/` subdirectory within that directory. The `install.sh` script expects to receive the parent RPM directory (not the deb subdirectory) and uses recursive `find` commands to locate the .deb files in subdirectories.

Applied to files:

• src/copr/create-build.sh
• packaging/rpms-copr.Containerfile
• src/copr/copr.mk

📚 Learning: 2025-11-26T06:46:33.353Z

Learnt from: ggiguash
Repo: microshift-io/microshift PR: 137
File: src/quickrpm.sh:83-98
Timestamp: 2025-11-26T06:46:33.353Z
Learning: In the microshift-io/microshift repository, the quickrpm.sh script only supports RHEL 9 or above (and equivalent CentOS/Fedora versions), where util-linux includes the `--nooverlap` flag for losetup.

Applied to files:

• src/copr/create-build.sh
• packaging/rpms-copr.Containerfile

🔇 Additional comments (14)

packaging/microshift-runner.Containerfile (1)

4-6: LGTM!

The ARG makes the builder image configurable while maintaining backward compatibility with the default value.

src/copr/create-build.sh (1)

1-2: LGTM!

Proper error handling with set -euo pipefail.

packaging/rpms-copr.Containerfile (1)

1-6: LGTM!

Good practices: disabling weak dependencies and cleaning DNF cache.

Makefile (4)

39-39: LGTM!

Making BUILDER_IMAGE overridable enables the COPR workflow while maintaining backward compatibility.

---

45-46: LGTM!

Standard approach for computing project directory and modular include.

---

119-120: LGTM!

Clear error message guiding users to both RPM build workflows.

---

132-132: LGTM!

Correctly propagates BUILDER_IMAGE to the container build as RPM_BUILDER_IMAGE.

src/copr/copr.mk (6)

10-34: LGTM!

Excellent documentation of the COPR workflow with clear step-by-step instructions.

---

35-51: LGTM!

Target structure mirrors the main rpm target, maintaining consistency.

---

52-58: LGTM!

Proper secret management: removes stale secret before creating new one.

---

60-66: LGTM!

Simple CLI container build.

---

67-75: LGTM!

Proper dependencies and secret handling for delete operation.

---

76-84: LGTM!

Correct implementation for repo regeneration.

src/copr/copr-cli.Containerfile (1)

1-1: No action required. Fedora 42 was released on April 15, 2025, and is available as a base image.

[coderabbitai]

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/release.yaml (1)

227-234: inputs.build is undefined – conditionals will always evaluate to false.

The workflow defines ushift-gitref, okd-version-tag, and copr-repo inputs, but lines 228 and 234 reference inputs.build which doesn't exist. These steps will be skipped.

      - name: Login to GitHub Container Registry
-       if: contains(fromJSON('["all", "bootc-image"]'), inputs.build)
+       # Remove condition or add 'build' input if selective behavior is needed
        uses: ./.github/actions/podman-login

      - name: Publish Bootc container image manifest
-       if: contains(fromJSON('["all", "bootc-image"]'), inputs.build)
+       # Remove condition or add 'build' input if selective behavior is needed
        shell: bash

🤖 Fix all issues with AI agents

In @.github/actions/build/action.yaml:
- Line 48: The workflow conditional is referencing the wrong input name: update
the if expression that currently uses "inputs.rpm-builder" to use the correct
input identifier "inputs.rpm-image" so the branch evaluating "==
'microshift-okd-rpm'" works as intended; locate the conditional expression (the
if: inputs.rpm-builder == 'microshift-okd-rpm' line) and replace rpm-builder
with rpm-image.
- Line 52: The conditional uses the wrong input name: change the occurrence of
"if: inputs.rpm-builder == 'microshift-okd-rpm'" to use the correct input key
"rpm-image" (e.g., "if: inputs.rpm-image == 'microshift-okd-rpm'") so the action
reads the intended input; update any other references of "rpm-builder" in this
file to "rpm-image" to keep names consistent.

In `@packaging/rpms-copr.Containerfile`:
- Around line 11-18: The RUN block contains a shell cd (cd
/tmp/rpms/"epel-9-$(uname -m)"/) which triggers hadolint DL3003; either add
DL3003 to the hadolint ignore list on that RUN (augment the existing "# hadolint
ignore=DL4006" to include DL3003) or refactor the RUN to avoid cd (use absolute
paths or a subshell/pushd/popd pattern) so the DL3003 violation is removed;
update the RUN block containing the cd command accordingly.

In `@src/copr/create-build.sh`:
- Around line 1-4: The script src/copr/create-build.sh uses the COPR_REPO_NAME
variable without verifying it is non-empty; add an explicit validation at the
top of the script (before calling copr-cli) that checks COPR_REPO_NAME is set
and not empty, prints a clear error message to stderr (including the variable
name) and exits non-zero if the check fails, then proceed to run the existing
copr-cli build command; reference COPR_REPO_NAME and the copr-cli invocation
when adding the guard.

♻️ Duplicate comments (3)

src/copr/create-build.sh (1)

4-4: Handle glob expansion failure.

If no SRPM files match microshift*.src.rpm, the command fails with an unclear error.

Proposed fix

+shopt -s nullglob
+srpms=(/srpms/microshift*.src.rpm)
+shopt -u nullglob
+if [[ ${`#srpms`[@]} -eq 0 ]]; then
+    echo "ERROR: No SRPM files found matching /srpms/microshift*.src.rpm"
+    exit 1
+fi
+
-out="$(copr-cli --config /run/secrets/copr-cfg build --nowait "${COPR_REPO_NAME}" /srpms/microshift*.src.rpm)"
+out="$(copr-cli --config /run/secrets/copr-cfg build --nowait "${COPR_REPO_NAME}" "${srpms[@]}")"

packaging/rpms-copr.Containerfile (1)

8-9: Validate COPR_BUILD_ID is provided.

COPR_BUILD_ID has an empty default but is required. The build should fail early if not provided.

Proposed fix

 ARG COPR_BUILD_ID=
 ARG BUILDER_RPM_REPO_PATH=/home/microshift/microshift/_output/rpmbuild/RPMS

+RUN if [ -z "${COPR_BUILD_ID}" ]; then \
+        echo "ERROR: COPR_BUILD_ID build argument is required" >&2; \
+        exit 1; \
+    fi
+
 # hadolint ignore=DL4006

src/copr/copr.mk (1)

85-104: SRPM_WORKDIR validation still missing.

Previous review comments requested validation that SRPM_WORKDIR is set and exists before these targets run. This remains unaddressed.

🧹 Nitpick comments (1)

.github/workflows/release.yaml (1)

24-73: COPR build job looks correct.

The sequence follows the required pattern: SRPM build → COPR create → watch. Artifacts are properly persisted for downstream jobs.

One minor note: the COPR_CONFIG secret is written to /tmp/copr-config without restrictive permissions. Consider adding chmod 600 after writing.

Suggested improvement

          echo "${COPR_CONFIG}" > /tmp/copr-config
+         chmod 600 /tmp/copr-config

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 551ee5d and 97d4fab.

📒 Files selected for processing (9)

• .github/actions/build/action.yaml
• .github/actions/prebuild/action.yaml
• .github/workflows/release.yaml
• Makefile
• packaging/bootc.Containerfile
• packaging/rpms-copr.Containerfile
• src/copr/copr-cli.Containerfile
• src/copr/copr.mk
• src/copr/create-build.sh

🚧 Files skipped from review as they are similar to previous changes (1)

• src/copr/copr-cli.Containerfile

🧰 Additional context used

📓 Path-based instructions (3)

Makefile

📄 CodeRabbit inference engine (CLAUDE.md)

Build system follows three sequential stages: SRPM Build (make srpm), RPM Build (make rpm), and Bootc Image (make image). Each stage must be completed before the next can be executed.

Files:

• Makefile

**/*.sh

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.sh: Shell scripts should pass linting with shellcheck as part of the make check validation step
Build scripts must detect architecture automatically via uname -m to determine between x86_64 or aarch64

Files:

• src/copr/create-build.sh

.github/workflows/*.yaml

📄 CodeRabbit inference engine (CLAUDE.md)

CI/CD workflows should validate builds with builders.yaml, test quickstart scripts with installers.yaml, support manual release workflow via release.yaml, and run daily OKD ARM builds via release-okd.yaml

Files:

• .github/workflows/release.yaml

🧠 Learnings (16)

📓 Common learnings

Learnt from: pmtk
Repo: microshift-io/microshift PR: 151
File: docs/workflows.md:74-76
Timestamp: 2025-12-04T13:35:05.230Z
Learning: The COPR group microshift-io/microshift exists at https://copr.fedorainfracloud.org/coprs/g/microshift-io/microshift/ and is used for publishing MicroShift RPM packages in the microshift-io/microshift repository.

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : SRPM build container must clone MicroShift from upstream repository at `USHIFT_GITREF` and replace component images with OKD references via `src/image/prebuild.sh`

Learnt from: ggiguash
Repo: microshift-io/microshift PR: 57
File: .github/workflows/builders.yaml:75-84
Timestamp: 2025-10-17T10:53:08.461Z
Learning: In the microshift repository, the RPM-to-Debian conversion workflow follows this pattern: `convert.sh` receives an RPM directory as input and outputs .deb files to a `deb/` subdirectory within that directory. The `install.sh` script expects to receive the parent RPM directory (not the deb subdirectory) and uses recursive `find` commands to locate the .deb files in subdirectories.

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : RPM build container requires SRPM image from previous stage and outputs to `RPM_OUTDIR`

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : Bootc image build requires RPM image from previous stage, is configurable via `WITH_KINDNET`, `WITH_TOPOLVM`, `WITH_OLM`, and `EMBED_CONTAINER_IMAGES`, and is based on `BOOTC_IMAGE_URL:BOOTC_IMAGE_TAG`

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to src/image/prebuild.sh : Replace component images with OKD references during SRPM build stage

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to ansible/** : Ansible roles should support automated builds and deployments for both containerized and host-based MicroShift installations

📚 Learning: 2025-12-13T11:22:03.985Z

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to src/image/prebuild.sh : Replace component images with OKD references during SRPM build stage

Applied to files:

• .github/actions/prebuild/action.yaml
• packaging/bootc.Containerfile
• packaging/rpms-copr.Containerfile
• .github/actions/build/action.yaml
• Makefile
• src/copr/create-build.sh
• .github/workflows/release.yaml
• src/copr/copr.mk

📚 Learning: 2025-12-13T11:22:03.985Z

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : RPM build container requires SRPM image from previous stage and outputs to `RPM_OUTDIR`

Applied to files:

• .github/actions/prebuild/action.yaml
• packaging/bootc.Containerfile
• packaging/rpms-copr.Containerfile
• .github/actions/build/action.yaml
• Makefile
• src/copr/create-build.sh
• .github/workflows/release.yaml
• src/copr/copr.mk

📚 Learning: 2025-12-13T11:22:03.985Z

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Always build SRPM before RPM, and RPM before bootc image to maintain dependency chain

Applied to files:

• .github/actions/prebuild/action.yaml
• packaging/bootc.Containerfile
• packaging/rpms-copr.Containerfile
• .github/actions/build/action.yaml
• Makefile
• .github/workflows/release.yaml
• src/copr/copr.mk

📚 Learning: 2025-12-13T11:22:03.985Z

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to src/rpm/** : RPM installation scripts should manage repository creation/deletion and execute post-install configuration before service start

Applied to files:

• .github/actions/prebuild/action.yaml
• packaging/rpms-copr.Containerfile

📚 Learning: 2025-12-13T11:22:03.985Z

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : Bootc image build requires RPM image from previous stage, is configurable via `WITH_KINDNET`, `WITH_TOPOLVM`, `WITH_OLM`, and `EMBED_CONTAINER_IMAGES`, and is based on `BOOTC_IMAGE_URL:BOOTC_IMAGE_TAG`

Applied to files:

• packaging/bootc.Containerfile
• packaging/rpms-copr.Containerfile
• .github/actions/build/action.yaml
• Makefile
• .github/workflows/release.yaml

📚 Learning: 2025-12-13T11:22:03.985Z

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : SRPM build container must clone MicroShift from upstream repository at `USHIFT_GITREF` and replace component images with OKD references via `src/image/prebuild.sh`

Applied to files:

• packaging/bootc.Containerfile
• packaging/rpms-copr.Containerfile
• .github/actions/build/action.yaml
• Makefile
• src/copr/create-build.sh
• .github/workflows/release.yaml
• src/copr/copr.mk

📚 Learning: 2025-10-17T07:44:32.742Z

Learnt from: ggiguash
Repo: microshift-io/microshift PR: 92
File: .github/workflows/release.yaml:44-50
Timestamp: 2025-10-17T07:44:32.742Z
Learning: When Podman builds an image without a registry prefix (e.g., `podman build -t microshift-okd`), it automatically adds the `localhost/` prefix and `:latest` tag, resulting in `localhost/microshift-okd:latest`. This means the Makefile in microshift-io/microshift building with `-t microshift-okd` produces `localhost/microshift-okd:latest` without explicit retagging.

Applied to files:

• packaging/bootc.Containerfile
• .github/actions/build/action.yaml
• Makefile
• .github/workflows/release.yaml
• src/copr/copr.mk

📚 Learning: 2025-12-13T11:22:03.985Z

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to Makefile : Build system follows three sequential stages: SRPM Build (`make srpm`), RPM Build (`make rpm`), and Bootc Image (`make image`). Each stage must be completed before the next can be executed.

Applied to files:

• packaging/bootc.Containerfile
• .github/actions/build/action.yaml
• Makefile
• .github/workflows/release.yaml
• src/copr/copr.mk

📚 Learning: 2025-12-04T13:35:05.230Z

Learnt from: pmtk
Repo: microshift-io/microshift PR: 151
File: docs/workflows.md:74-76
Timestamp: 2025-12-04T13:35:05.230Z
Learning: The COPR group microshift-io/microshift exists at https://copr.fedorainfracloud.org/coprs/g/microshift-io/microshift/ and is used for publishing MicroShift RPM packages in the microshift-io/microshift repository.

Applied to files:

• packaging/rpms-copr.Containerfile
• .github/actions/build/action.yaml
• Makefile
• src/copr/create-build.sh
• .github/workflows/release.yaml
• src/copr/copr.mk

📚 Learning: 2025-12-13T11:22:03.985Z

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to packaging/Containerfile* : Containerfiles should pass linting with hadolint as part of the `make check` validation step

Applied to files:

• packaging/rpms-copr.Containerfile

📚 Learning: 2025-12-13T11:22:03.985Z

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to ansible/** : Ansible roles should support automated builds and deployments for both containerized and host-based MicroShift installations

Applied to files:

• packaging/rpms-copr.Containerfile
• .github/actions/build/action.yaml
• .github/workflows/release.yaml

📚 Learning: 2025-10-17T10:53:08.461Z

Learnt from: ggiguash
Repo: microshift-io/microshift PR: 57
File: .github/workflows/builders.yaml:75-84
Timestamp: 2025-10-17T10:53:08.461Z
Learning: In the microshift repository, the RPM-to-Debian conversion workflow follows this pattern: `convert.sh` receives an RPM directory as input and outputs .deb files to a `deb/` subdirectory within that directory. The `install.sh` script expects to receive the parent RPM directory (not the deb subdirectory) and uses recursive `find` commands to locate the .deb files in subdirectories.

Applied to files:

• packaging/rpms-copr.Containerfile
• .github/actions/build/action.yaml
• Makefile
• src/copr/create-build.sh
• .github/workflows/release.yaml
• src/copr/copr.mk

📚 Learning: 2025-11-26T06:46:33.353Z

Learnt from: ggiguash
Repo: microshift-io/microshift PR: 137
File: src/quickrpm.sh:83-98
Timestamp: 2025-11-26T06:46:33.353Z
Learning: In the microshift-io/microshift repository, the quickrpm.sh script only supports RHEL 9 or above (and equivalent CentOS/Fedora versions), where util-linux includes the `--nooverlap` flag for losetup.

Applied to files:

• packaging/rpms-copr.Containerfile
• .github/actions/build/action.yaml
• src/copr/create-build.sh

📚 Learning: 2025-12-13T11:22:03.985Z

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to .github/workflows/*.yaml : CI/CD workflows should validate builds with `builders.yaml`, test quickstart scripts with `installers.yaml`, support manual release workflow via `release.yaml`, and run daily OKD ARM builds via `release-okd.yaml`

Applied to files:

• .github/actions/build/action.yaml
• .github/workflows/release.yaml

📚 Learning: 2025-12-13T11:22:03.985Z

Learnt from: CR
Repo: microshift-io/microshift PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T11:22:03.985Z
Learning: Applies to src/okd/** : OKD version auto-detection should query latest-amd64 or latest-arm64 tags based on detected architecture

Applied to files:

• Makefile
• .github/workflows/release.yaml

🪛 GitHub Actions: linters

packaging/rpms-copr.Containerfile

[error] 12-12: Hadolint failed on containerfile with DL3003: Use WORKDIR to switch to a directory. (This is reported as a warning by Hadolint, but the step exited with an error in the CI pipeline.)

🔇 Additional comments (15)

.github/actions/prebuild/action.yaml (1)

31-31: LGTM!

Adding /mnt/srpm aligns with the COPR workflow's SRPM_WORKDIR usage.

packaging/bootc.Containerfile (1)

4-6: LGTM!

The RPM_IMAGE build argument enables flexible RPM source selection while maintaining backward compatibility with the default microshift-okd-rpm.

src/copr/create-build.sh (1)

6-10: LGTM!

Build ID extraction with proper error handling.

.github/actions/build/action.yaml (2)

34-37: LGTM!

The rpm-image input enables flexible RPM image selection for COPR workflows.

---

79-83: LGTM!

Correctly propagates RPM_IMAGE to the bootc image build.

packaging/rpms-copr.Containerfile (1)

14-14: LGTM on architecture detection.

Using uname -m for architecture detection aligns with coding guidelines.

Makefile (3)

41-48: LGTM – COPR integration cleanly wired in.

Making RPM_IMAGE overridable with ?= enables the COPR workflow path. The PROJECT_DIR pattern is idiomatic and the include is correctly placed.

---

121-121: Good UX improvement.

Error message now guides users to both RPM build paths.

---

133-133: Correct build-arg addition.

Passing RPM_IMAGE as a build-arg enables the bootc stage to consume RPMs from either local or COPR builds.

.github/workflows/release.yaml (2)

18-21: COPR repo input properly configured.

Default matches the known COPR group. Based on learnings, this aligns with the existing @microshift-io/microshift COPR repository.

---

253-262: COPR regenerate step properly placed in release flow.

Regenerating repos after successful builds ensures package availability. Same suggestion applies here: add chmod 600 after writing the config file.

src/copr/copr.mk (4)

1-7: Variables and defaults look reasonable.

The $$() in COPR_BUILD_ID correctly defers shell expansion to recipe time.

---

10-33: Helpful documentation for the COPR workflow.

The copr-help target provides clear usage guidance aligned with the PR description.

---

52-58: Secret rotation approach is correct.

Deleting and recreating ensures the secret reflects the current config file state.

---

67-83: COPR CLI invocations look correct.

Both copr-delete-build and copr-regenerate-repos properly use the secret and CLI image.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @.github/workflows/nightly-copr.yaml:
- Around line 95-103: The workflow passes an unsupported input named rpm-image
to the local custom action (uses: ./.github/actions/build) which actionlint
flags; either remove or rename the rpm-image input in the workflow to match an
existing input the build action exposes, or add rpm-image to the action’s
metadata (action.yml) under inputs with a sensible default/description so the
build action accepts it; locate the action by the uses: ./.github/actions/build
reference and update its action.yml inputs section (or the workflow step) to
ensure rpm-image is defined and used consistently by the build logic.
- Around line 32-49: Guard the COPR steps so they skip on forked PRs by adding a
conditional that checks the PR fork flag; update the step named "Create COPR
build" (and the related copr-create-build / copr-watch-build invocation block(s)
referenced elsewhere) to include an if expression like: only run when there is
no forked PR (e.g. if: ${{ github.event.pull_request == null ||
github.event.pull_request.head.repo.fork == false }}), or similarly move the
check to the containing job so the COPR_CONFIG secret is never referenced for
forked PRs.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.github/actions/build/action.yaml:
- Around line 46-48: The "Prepare the build and run environment" step currently
only runs when `if: inputs.rpm-image == 'microshift-okd-rpm'`, which skips
prebuild for custom RPM images and breaks non-default paths; remove that `if`
condition (or change it so the step runs for all `inputs.rpm-image` values) so
the `uses: ./.github/actions/prebuild` step always executes and ensures the
environment is prepared for bootc build/run.

♻️ Duplicate comments (1)

.github/workflows/nightly-copr.yaml (1)

32-49: Guard COPR secret usage on forked PRs.
Forked PRs won’t receive COPR_CONFIG, so these steps will fail.

Proposed fix

       - name: Create COPR build
+        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
         shell: bash
         env:
           COPR_CONFIG: |
             ${{ secrets.COPR_CONFIG }}

...

       - name: Delete PR build
-        if: github.event_name == 'pull_request'
+        if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false }}
         shell: bash
         env:
           COPR_CONFIG: |
             ${{ secrets.COPR_CONFIG }}

Also applies to: 140-150

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@packaging/rpms-copr.Containerfile`:
- Around line 13-24: The hard-coded COPR chroot string "epel-9-$(uname -m)"
should be parameterized: introduce an ARG (e.g., COPR_CHROOT) with a sensible
default (like "epel-9-$(uname -m)") and replace all occurrences of the literal
chroot in the Dockerfile block (the copr download-build call and the /tmp/rpms
path used in cd and mv) with that ARG; keep existing variables such as
COPR_BUILD_ID and BUILDER_RPM_REPO_PATH unchanged so callers/workflows can
override the chroot (e.g., to epel-10) without causing build/download
mismatches.

♻️ Duplicate comments (2)

packaging/rpms-copr.Containerfile (1)

8-9: Fail fast when COPR_BUILD_ID is missing.
This was flagged previously; still needed.

.github/workflows/nightly-copr.yaml (1)

32-65: Guard COPR secret usage on forked PRs.
This was flagged previously; still needed so fork PRs don’t fail.

✅ Example guard

 jobs:
   build-rpms:
+    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
     runs-on: ubuntu-24.04

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@src/copr/copr.mk`:
- Around line 67-75: The Make target copr-delete-build currently uses a
hard-coded config path (/run/secrets/copr-cfg) that ignores the secret name
override; update the command that runs "${COPR_CLI_IMAGE}" in copr-delete-build
to reference the mounted secret using the COPR_SECRET_NAME variable (i.e.,
/run/secrets/${COPR_SECRET_NAME}) so the copr-cli --config points to the actual
mounted secret, keeping the existing COPR_BUILD_ID and COPR_CLI_IMAGE variables
intact.
- Around line 1-9: COPR_BUILD_ID and COPR_CHROOT are being evaluated incorrectly
because the Makefile uses shell syntax that is not executed by make; replace the
current assignments so make runs the shell commands at parse time: set
COPR_BUILD_ID ?= $(shell cat "${SRPM_WORKDIR}/build.txt") (use $(shell ...)
instead of $$(cat ...)) and set COPR_CHROOT ?= epel-10-$(shell uname -m) (remove
the literal quotes and use $(shell uname -m)); update those definitions for
COPR_BUILD_ID and COPR_CHROOT accordingly.

♻️ Duplicate comments (2)

src/copr/copr.mk (2)

36-50: Validate SRPM_WORKDIR/build.txt before using COPR_BUILD_ID.

---

76-83: Apply the same secret-path fix here.

🛠️ Proposed fix

-		bash -c "copr-cli --config /run/secrets/copr-cfg regenerate-repos ${COPR_REPO_NAME}"
+		bash -c "copr-cli --config /run/secrets/${COPR_SECRET_NAME} regenerate-repos ${COPR_REPO_NAME}"

[pmtk]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.