ci: Add Fedora RPM build workflow with GPG signing

Implement comprehensive CI workflow for building and signing Fedora RPM packages. When RPM_SIGNING_KEY secret is configured, packages are automatically signed with GPG and signature verified. Public key distributed via repository for user package verification. Includes complete RPM installation documentation with repository setup, package management, and troubleshooting guidance. Documentation integrated into mdBook site for better discoverability.
2025-09-11 03:32:49 +02:00 · 2025-08-30 19:37:04 +01:00 · 2025-08-30 19:37:04 +01:00 · 0ab7e5aef5
commit 0ab7e5aef5
parent 34417c96ae
5 changed files with 467 additions and 5 deletions
--- a/fedora/RPM-GPG-KEY-continuwuity.asc
+++ b/fedora/RPM-GPG-KEY-continuwuity.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEaLM5LhYJKwYBBAHaRw8BAQdAlnMcp/fMzYfwqeExDsEx2qfZg8NjamGh0slC
+9bkUpQW0O0NvbnRpbnV3dWl0eSBDSSAoUlBNIFBhY2thZ2UgU2lnbmluZykgPGNp
+QGNvbnRpbnV3dWl0eS5vcmc+iJYEExYIAD4WIQShcq3anZQUJ0FNTm1eD/c/QRqv
+ygUCaLM5LgIbAwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRBeD/c/
+QRqvyk3QAQCjurJLpDANckZflsEVRwxDOUCrED4LdyWpbOuVmhGikwD/fGwkpdUa
+ngP1l+bhlprJN5J1P5UOeNZtKce0vFZaBwC4MwRoszkuFgkrBgEEAdpHDwEBB0CJ
+RpQlzJt/TdYx8AOkNIYan6qbxijjjpZWDIbZp95CfIj1BBgWCAAmFiEEoXKt2p2U
+FCdBTU5tXg/3P0Ear8oFAmizOS4CGwIFCQPCZwAAgQkQXg/3P0Ear8p2IAQZFggA
+HRYhBN/tBNmxKe70FHf4CRoGaPIa/K9qBQJoszkuAAoJEBoGaPIa/K9qf7EBAJ9D
+pdKRji4gy9LWR3w9Ha7Tekmw7kSPGYLZlkDqjiuCAQCCupMGB9r2XPc2/G/KIV+7
+HpWfIANhPsCn1Q9kcloCCIv9AQCy+xDsdtkOw7JnB4g1EKfPlPhN6j3Cjk1vlG2N
+WN/p2AEAkozKVDAbvWEi/s7W9DNWckXm1SS0Og/sv5nGV8okIg4=
+=dxDr
+-----END PGP PUBLIC KEY BLOCK-----
--- a/fedora/continuwuity.spec.rpkg
+++ b/fedora/continuwuity.spec.rpkg
@ -1,6 +1,5 @@
-# This should be run using rpkg-util: https://docs.pagure.org/rpkg-util
+# This should be run using rpkg: https://docs.pagure.org/rpkg
 # it requires Internet access and is not suitable for Fedora main repos
-# TODO: rpkg-util is no longer maintained, find a replacement

 Name:           continuwuity
 Version:        {{{ git_repo_version }}}
@ -38,7 +37,7 @@ sed -i 's/^offline = true$//' .cargo/config.toml
 %cargo_build

 # Here's the one legally required mystery incantation in this file.
-# Some of our dependencies have source files which are (for some reason) marked as excutable.
+# Some of our dependencies have source files which are (for some reason) marked as executable.
 # Files in .cargo/registry/ are copied into /usr/src/ by the debuginfo machinery
 # at the end of the build step, and then the BRP shebang mangling script checks
 # the entire buildroot to find executable files, and fails the build because
@ -46,7 +45,7 @@ sed -i 's/^offline = true$//' .cargo/config.toml
 # So we have to clear the executable bit on all of them before that happens.
 find .cargo/registry/ -executable -name "*.rs" -exec chmod -x {} +

-# TODO: this fails currently because it's forced to run in offline mode	
+# TODO: this fails currently because it's forced to run in offline mode
 # {cargo_license -- --no-dev} > LICENSE.dependencies

 %install
@ -77,4 +76,4 @@ install -Dpm0644 conduwuit-example.toml %{buildroot}%{_sysconfdir}/conduwuit/con
 %systemd_postun_with_restart conduwuit.service

 %changelog
-{{{ git_repo_changelog }}}
+{{{ git_repo_changelog }}}