Merge remote-tracking branch 'bootupd/main' into merge-bootupd

This executes on coreos/bootupd#432

Basically, bootupd doesn't have any users outside of
the rpm-ostree/bootc ecosystem and carrying a separate
project adds huge amounts of logistical overhead.

bootupd/.cargo/config.toml

@@ -0,0 +1,2 @@
+[alias]
+xtask = "run --manifest-path ./xtask/Cargo.toml --"

bootupd/.cci.jenkinsfile

@@ -0,0 +1,78 @@
+// Documentation: https://github.com/coreos/coreos-ci/blob/main/README-upstream-ci.md
+
+properties([
+  // abort previous runs when a PR is updated to save resources
+  disableConcurrentBuilds(abortPrevious: true)
+])
+
+stage("Build") {
+parallel build: {
+  def n = 5
+  buildPod(runAsUser: 0, memory: "2Gi", cpu: "${n}") {
+      checkout scm
+      stage("Core build") {
+        shwrap("""
+          make -j ${n} 
+        """)
+      }
+      stage("Unit tests") {
+        shwrap("""
+          cargo test
+        """)
+      }
+      shwrap("""
+        make install DESTDIR=\$(pwd)/insttree/
+        tar -c -C insttree/ -zvf insttree.tar.gz .
+      """)
+      stash includes: 'insttree.tar.gz', name: 'build'
+  }
+},
+codestyle: {
+  buildPod {
+      checkout scm
+      shwrap("cargo fmt -- --check")
+  }
+}
+}
+
+// Build FCOS and do a kola basic run
+// FIXME update to main branch once https://github.com/coreos/fedora-coreos-config/pull/595 merges
+cosaPod(runAsUser: 0, memory: "4608Mi", cpu: "4") {
+  stage("Build FCOS") {
+    checkout scm
+    unstash 'build'
+    // Note that like {rpm-,}ostree we want to install to both / and overrides/rootfs
+    // because bootupd is used both during the `rpm-ostree compose tree` as well as
+    // inside the target operating system.
+    shwrap("""
+      mkdir insttree
+      tar -C insttree -xzvf insttree.tar.gz
+      rsync -rlv insttree/ /
+      coreos-assembler init --force https://github.com/coreos/fedora-coreos-config
+      mkdir -p overrides/rootfs
+      mv insttree/* overrides/rootfs/
+      rmdir insttree
+      cosa fetch
+      cosa build
+    """)
+  }
+  // The e2e-adopt test will use the ostree commit we just generated above
+  // but a static qemu base image.
+  try {
+    // Now a test that upgrades using bootupd
+    stage("e2e upgrade test") {
+      shwrap("""
+        git config --global --add safe.directory "\$(pwd)"
+        env COSA_DIR=${env.WORKSPACE} ./tests/e2e-update/e2e-update.sh
+      """)
+    }
+    stage("Kola testing") {
+      // The previous e2e leaves things only having built an ostree update
+      shwrap("cosa build")
+      // bootupd really can't break upgrades for the OS
+      kola(cosaDir: "${env.WORKSPACE}", extraArgs: "ext.*bootupd*", skipUpgrade: true, skipBasicScenarios: true)
+    }
+  } finally {
+    archiveArtifacts allowEmptyArchive: true, artifacts: 'tmp/console.txt'
+  }
+}

bootupd/.copr/Makefile

@@ -0,0 +1,7 @@
+srpm:
+	dnf -y install cargo git openssl-devel
+	# similar to https://github.com/actions/checkout/issues/760, but for COPR
+	git config --global --add safe.directory '*'
+	cargo install cargo-vendor-filterer
+	cargo xtask package-srpm
+	mv target/*.src.rpm $$outdir

bootupd/.dockerignore

@@ -0,0 +1,2 @@
+target
+.cosa

bootupd/.github/ISSUE_TEMPLATE/release-checklist.md

@@ -0,0 +1,111 @@
+# Release process
+
+The release process follows the usual PR-and-review flow, allowing an external reviewer to have a final check before publishing.
+
+In order to ease downstream packaging of Rust binaries, an archive of vendored dependencies is also provided (only relevant for offline builds).
+
+## Requirements
+
+This guide requires:
+
+ * A web browser (and network connectivity)
+ * `git`
+ * [GPG setup][GPG setup] and personal key for signing
+ * [git-evtag](https://github.com/cgwalters/git-evtag/)
+ * `cargo` (suggested: latest stable toolchain from [rustup][rustup])
+ * A verified account on crates.io
+ * Write access to this GitHub project
+ * Upload access to this project on GitHub, crates.io
+ * Membership in the [Fedora CoreOS Crates Owners group](https://github.com/orgs/coreos/teams/fedora-coreos-crates-owners/members)
+
+## Release checklist
+
+- Prepare local branch+commit
+  - [ ] `git checkout -b release`
+  - [ ] Bump the version number in `Cargo.toml`.  Usually you just want to bump the patch.
+  - [ ] Run `cargo build` to ensure `Cargo.lock` would be updated
+  - [ ] Commit changes `git commit -a -m 'Release x.y.z'`; include some useful brief changelog.
+
+- Prepare the release
+  - [ ] Run `./ci/prepare-release.sh`
+
+- Validate that `origin` points to the canonical upstream repository and not your fork:
+  `git remote show origin` should not be `github.com/$yourusername/$project` but should
+  be under the organization ownership.  The remote `yourname` should be for your fork.
+
+- open and merge a PR for this release:
+  - [ ] `git push --set-upstream origin release`
+  - [ ] open a web browser and create a PR for the branch above
+  - [ ] make sure the resulting PR contains the commit
+  - [ ] in the PR body, write a short changelog with relevant changes since last release
+  - [ ] get the PR reviewed, approved and merged
+
+- publish the artifacts (tag and crate):
+  - [ ] `git fetch origin && git checkout ${RELEASE_COMMIT}`
+  - [ ] verify `Cargo.toml` has the expected version
+  - [ ] `git-evtag sign v${RELEASE_VER}`
+  - [ ] `git push --tags origin v${RELEASE_VER}`
+  - [ ] `cargo publish`
+
+- publish this release on GitHub:
+  - [ ] find the new tag in the [GitHub tag list](https://github.com/coreos/bootupd/tags), click the triple dots menu, and create a release for it
+  - [ ] write a short changelog (i.e. re-use the PR content)
+  - [ ] upload `target/${PROJECT}-${RELEASE_VER}-vendor.tar.gz`
+  - [ ] record digests of local artifacts:
+    - `sha256sum target/package/${PROJECT}-${RELEASE_VER}.crate`
+    - `sha256sum target/${PROJECT}-${RELEASE_VER}-vendor.tar.gz`
+  - [ ] publish release
+
+- clean up:
+  - [ ] `git push origin :release`
+  - [ ] `cargo clean`
+  - [ ] `git checkout main`
+
+- Fedora packaging:
+  - [ ] update the `rust-bootupd` spec file in [Fedora](https://src.fedoraproject.org/rpms/rust-bootupd)
+    - bump the `Version`
+    - switch the `Release` back to `1%{?dist}`
+    - remove any patches obsoleted by the new release
+    - update changelog
+  - [ ] run `spectool -g -S rust-bootupd.spec`
+  - [ ] run `kinit [email protected]`
+  - [ ] run `fedpkg new-sources <crate-name> <vendor-tarball-name>`
+  - [ ] PR the changes in [Fedora](https://src.fedoraproject.org/rpms/rust-bootupd)
+  - [ ] once the PR merges to rawhide, merge rawhide into the other relevant branches (e.g. f35) then push those, for example:
+    ```bash
+    git checkout rawhide
+    git pull --ff-only
+    git checkout f35
+    git merge --ff-only rawhide
+    git push origin f35
+    ```
+  - [ ] on each of those branches run `fedpkg build`
+  - [ ] once the builds have finished, submit them to [bodhi](https://bodhi.fedoraproject.org/updates/new), filling in:
+    - `rust-bootupd` for `Packages`
+    - selecting the build(s) that just completed, except for the rawhide one (which gets submitted automatically)
+    - writing brief release notes like "New upstream release; see release notes at `link to GitHub release`"
+    - leave `Update name` blank
+    - `Type`, `Severity` and `Suggestion` can be left as `unspecified` unless it is a security release. In that case select `security` with the appropriate severity.
+    - `Stable karma` and `Unstable` karma can be set to `2` and `-1`, respectively.
+  - [ ] [submit a fast-track](https://github.com/coreos/fedora-coreos-config/actions/workflows/add-override.yml) for FCOS testing-devel
+  - [ ] [submit a fast-track](https://github.com/coreos/fedora-coreos-config/actions/workflows/add-override.yml) for FCOS next-devel if it is [open](https://github.com/coreos/fedora-coreos-pipeline/blob/main/next-devel/README.md)
+
+- RHCOS packaging:
+  - [ ] update the `rust-bootupd` spec file
+    - bump the `Version`
+    - switch the `Release` back to `1%{?dist}`
+    - remove any patches obsoleted by the new release
+    - update changelog
+  - [ ] run `spectool -g -S rust-bootupd.spec`
+  - [ ] run `kinit [email protected]`
+  - [ ] run `rhpkg new-sources <crate-name> <vendor-tarball-name>`
+  - [ ] PR the changes
+  - [ ] get the PR reviewed and merge it
+  - [ ] update your local repo and run `rhpkg build`
+
+CentOS Stream 9 packaging:
+  - [ ] to be written
+
+[rustup]: https://rustup.rs/
+[crates-io]: https://crates.io/
+[GPG setup]: https://docs.github.com/en/github/authenticating-to-github/managing-commit-signature-verification

bootupd/.github/dependabot.yml

@@ -0,0 +1,12 @@
+# Maintained in https://github.com/coreos/repo-templates
+# Do not edit downstream.
+
+version: 2
+updates:
+  - package-ecosystem: cargo
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 10
+    labels:
+      - area/dependencies

bootupd/.github/workflows/ci.yml

@@ -0,0 +1,52 @@
+name: CI
+
+permissions:
+  actions: read
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  c9s-bootc-e2e:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v3
+      - name: build
+        run: sudo podman build -t localhost/bootupd:latest -f ci/Containerfile.c9s .
+      - name: bootc install to disk
+        run: |
+          set -xeuo pipefail
+          sudo truncate -s 10G myimage.raw
+          sudo podman run --rm -ti --privileged -v .:/target --pid=host --security-opt label=disable \
+            -v /var/lib/containers:/var/lib/containers \
+            -v /dev:/dev \
+            localhost/bootupd:latest bootc install to-disk --skip-fetch-check \
+            --disable-selinux --generic-image --via-loopback /target/myimage.raw
+          # Verify we installed grub.cfg and shim on the disk
+          sudo losetup -P -f myimage.raw
+          device=$(losetup --list --noheadings --output NAME,BACK-FILE | grep myimage.raw | awk '{print $1}')
+          sudo mount "${device}p2" /mnt/
+          sudo ls /mnt/EFI/centos/{grub.cfg,shimx64.efi}
+          sudo umount /mnt
+          sudo losetup -D "${device}"
+          sudo rm -f myimage.raw
+      - name: bootc install to filesystem
+        run: |
+          set -xeuo pipefail
+          sudo podman run --rm -ti --privileged -v /:/target --pid=host --security-opt label=disable \
+            -v /dev:/dev -v /var/lib/containers:/var/lib/containers \
+            localhost/bootupd:latest bootc install to-filesystem --skip-fetch-check \
+            --disable-selinux --replace=alongside /target
+          # Verify we injected static configs
+          jq -re '.["static-configs"].version' /boot/bootupd-state.json

bootupd/.github/workflows/cross.yml

@@ -0,0 +1,41 @@
+name: Cross build
+
+on: [push, pull_request]
+
+permissions:
+  actions: read
+
+jobs:
+  crossarch-check:
+    runs-on: ubuntu-latest
+    name: Build on ${{ matrix.arch }}
+
+    strategy:
+      matrix:
+        include:
+          - arch: aarch64
+            distro: ubuntu_latest
+          - arch: s390x
+            distro: ubuntu_latest
+          - arch: ppc64le
+            distro: ubuntu_latest
+    steps:
+      - uses: actions/[email protected]
+        with:
+          submodules: true
+          set-safe-directory: true
+
+      - uses: uraimo/[email protected]
+        name: Build
+        id: build
+        with:
+          arch: ${{ matrix.arch }}
+          distro: ${{ matrix.distro }}
+
+          githubToken: ${{ github.token }}
+
+          run: |
+            set -xeu
+            apt update -y
+            apt install -y gcc make cargo libssl-dev pkg-config
+            cargo check