ci: Redesign matrix configuration based on Nix images (#7385)

Co-authored-by: semgrep-companion-app[bot] <218312740+semgrep-companion-app[bot]@users.noreply.github.com>
2026-06-08 19:26:45 +00:00 · 2026-06-04 21:02:59 +01:00
parent 5b8e6cd1dd
commit 8abe82eefa
19 changed files with 512 additions and 648 deletions
--- a/.github/workflows/reusable-package.yml
+++ b/.github/workflows/reusable-package.yml
@@ -1,8 +1,7 @@
 # Build Linux packages (DEB and RPM) from pre-built binary artifacts.
-# Discovers which configurations to package from linux.json (os entries
-# with "package": true) and fans out one job per entry. Today only
-# linux/amd64 is emitted; the architecture is hardcoded both here
-# (runner) and in generate.py.
+# Discovers which configurations to package from linux.json (configs in
+# "package_configs") and fans out one job per distro. Only linux/amd64 is
+# supported; the runner is hardcoded in the job below.
 name: Package

 on:
@@ -33,13 +32,12 @@ jobs:
      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
-          python-version: 3.13
+          python-version: "3.13"

      - name: Generate packaging matrix
        id: generate
        working-directory: .github/scripts/strategy-matrix
-        run: |
-          ./generate.py --packaging --config=linux.json >>"${GITHUB_OUTPUT}"
+        run: ./generate.py --packaging >>"${GITHUB_OUTPUT}"

  generate-version:
    runs-on: ubuntu-latest
@@ -66,10 +64,35 @@ jobs:
    permissions:
      contents: read
    runs-on: ["self-hosted", "Linux", "X64", "heavy"]
-    container: ${{ format('ghcr.io/xrplf/ci/{0}-{1}:{2}-{3}-sha-{4}', matrix.os.distro_name, matrix.os.distro_version, matrix.os.compiler_name, matrix.os.compiler_version, matrix.os.image_sha) }}
+    container: ${{ matrix.image }}
    timeout-minutes: 30

    steps:
+      # Packaging runs in a vanilla distro image, so the tooling has to come
+      # from the distro's archive: debhelper for deb, rpm-build (and the
+      # systemd / find-debuginfo macros it depends on) for rpm. Run this
+      # before actions/checkout so the latter can use git (real history) for
+      # build_pkg.sh's SOURCE_DATE_EPOCH; otherwise it falls back to a tarball
+      # download and the timestamp comes from wall-clock time.
+      - name: Install packaging tooling (deb)
+        if: ${{ matrix.distro == 'debian' }}
+        run: |
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update
+          apt-get install -y --no-install-recommends \
+              ca-certificates \
+              debhelper \
+              git
+
+      - name: Install packaging tooling (rpm)
+        if: ${{ matrix.distro == 'rhel' }}
+        run: |
+          dnf install -y --setopt=install_weak_deps=False \
+              git \
+              rpm-build \
+              redhat-rpm-config \
+              systemd-rpm-macros
+
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2