Changed schedule

Runs at 1st and 15th day of each month at 4:30am
[CI/CD] Added GH Workflows
2025-12-06 09:32:38 -03:00 · 2025-05-18 04:48:05 -03:00 · 2025-04-22 17:41:02 -03:00 · 2025-04-18 10:18:48 -03:00 · 2025-04-16 08:39:53 -03:00 · 2025-03-27 05:22:55 -03:00
8 changed files with 89 additions and 81 deletions
--- a/.copr/Makefile
+++ b/.copr/Makefile
@@ -3,7 +3,7 @@
 SHELL := bash

 source:
-	dnf -y install cmake gcc gcc-c++ openssl
+	dnf -y install cmake gcc gcc-c++
 	cmake --fresh -DBUILD_RPMS=ON -B build -S .
 	cmake --build build --target srpm

--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,6 +8,10 @@ on:
 jobs:
  release-ci:
    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.get_metadata.outputs.version }}
+      tag: ${{ steps.get_metadata.outputs.tag }}
+      to_release: ${{ steps.newtag.outputs.to_release }}

    steps:
      - name: Local checkout
@@ -16,15 +20,15 @@ jobs:
      - name: Install CI dependencies
        run: |
          sudo apt-get update
-          sudo apt-get -y -qq install cmake openssl g++ gcc
+          sudo apt-get -y -qq install cmake g++ gcc

      - name: Get latest package metadata
        id: get_metadata
        run: |
          cmake --fresh -B build -S .
          echo "tag=v$(cat build/version)" >> $GITHUB_OUTPUT
-          echo "hash=$(sha256sum build/hash | sed 's/\s.*//g')" >> $GITHUB_OUTPUT
-          
+          echo "version=$(cat build/version)" >> $GITHUB_OUTPUT
+
      - name: Check if package version has corresponding git tag
        id: tagged
        shell: bash
@@ -39,17 +43,16 @@ jobs:
        id: newtag
        if: steps.tagged.outputs.tagged == 0
        run: |
-          git config --global user.name "github-actions[bot]"
-          git config --global user.email "github-actions[bot]@users.noreply.github.com"
-          git tag -a ${{ steps.get_metadata.outputs.tag }} \
-            -m "New cert chain was released" \
-            --trailer "SHA256:${{ steps.get_metadata.outputs.hash }}" \
+          git tag ${{ steps.get_metadata.outputs.tag }} \
          && echo to_release=1 >> $GITHUB_OUTPUT \
          && git push origin ${{ steps.get_metadata.outputs.tag  }} \
          || exit 0

-      - name: Create and publish GitHub release
-        if: steps.newtag.outputs.to_release == 1
-        uses: softprops/action-gh-release@v2
-        with:
-          tag_name: ${{ steps.get_metadata.outputs.tag }}
+  build-fedora:
+    needs: release-ci
+    uses: ./.github/workflows/fedora.yml
+    with:
+      containers: "['fedora:latest', 'fedora:41']"
+      version: ${{ needs.release-ci.outputs.version }}
+      to_release: ${{ needs.release-ci.outputs.to_release }}
+      tag: ${{ needs.release-ci.outputs.tag }}
--- a/.github/workflows/fedora.yml
+++ b/.github/workflows/fedora.yml
@@ -0,0 +1,70 @@
+on:
+  workflow_call:
+    inputs:
+      containers:
+        default: "['fedora:latest']"
+        required: false
+        type: string
+      tag:
+        required: true
+        type: string
+      to_release:
+        default: "0"
+        required: false
+        type: string
+      version:
+        required: true
+        type: string
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  build:
+    strategy:
+      max-parallel: 2
+      matrix:
+        image: ${{ fromJson(inputs.containers) }}
+    runs-on: ubuntu-latest
+    container: ${{ matrix.image }}
+
+    steps:
+      - name: Prepare - local checkout
+        uses: actions/checkout@v4
+
+      - name: Prepare - install build dependencies
+        run: |
+          dnf -y install \
+            cmake \
+            gcc \
+            gcc-c++ \
+            git \
+            openssl \
+            rpm-build \
+            rpmdevtools \
+            tar
+
+      - name: Prepare - setup RPM build tree
+        run: |
+          rpmdev-setuptree
+
+      - name: Prepare - configure the source
+        run: |
+          cmake -B $(pwd)/build -S $(pwd)
+
+      - name: Build - create source tarball and SRPM package
+        run: |
+          cmake --build $(pwd)/build --target srpm
+
+      - name: Build - create RPM package
+        run: |
+          cmake --build $(pwd)/build --target rpms
+
+      - name: Publish - create GitHub release
+        uses: softprops/action-gh-release@v2
+        if: inputs.to_release == 1
+        with:
+          tag_name: ${{ inputs.tag }}
+          files: |
+            dist/*.rpm
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -32,15 +32,9 @@ include(CPackLists.txt)
 add_custom_target(clear-certs
  COMMAND rm -rf 
    certs/
-    docs/
    pki/
 )

-add_custom_target(clear-docs
-  COMMAND rm -rf 
-    docs/
-)
-
 add_custom_target(certs
  COMMAND xargs -n1 
    curl 
@@ -50,19 +44,10 @@ add_custom_target(certs
    && cd certs
    && (sha512sum -c --quiet ${HASH_FILE} || exit -1)
    && unzip ACcompactado.zip
-    && rm -f ACcompactado.zip ${HASH_FILE}
  DEPENDS
    clear-certs
 )

-add_custom_target(docs ALL
-  COMMAND mkdir docs 
-    && mv certs/*.pdf docs/
-  DEPENDS
-    clear-docs
-    certs
-)
-
 add_custom_target(isrg-root-x2.crt
  COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh 
    pki/ca-trust-source/anchors/isrg-root-x2.crt
@@ -97,13 +82,6 @@ add_custom_target(anchors ALL
    icp-brasil-ca-bundle.crt
 )

-# Checks for OpeSSL utility
-find_program(OPENSSL
-  NAMES openssl openssl3
-  REQUIRED
-)
-message("-- Check for OpenSSL utility: ${OPENSSL}")
-
 # Checks which tool is used to update certificate keyring
 find_program(UPDATE_CACERTS_TOOL
  NAMES
@@ -132,16 +110,4 @@ install(
    ${CMAKE_INSTALL_PREFIX}/${CACERT_INSTALL_DIR}
 )

-set(DOCS_INSTALL_DIR "share/doc/${PROJECT_NAME}")
-install(
-  FILES
-  ${CMAKE_CURRENT_SOURCE_DIR}/LICENSE
-    ${CMAKE_CURRENT_SOURCE_DIR}/README.md
-    ${CMAKE_CURRENT_BINARY_DIR}/docs/cpsrootca.pdf
-    ${CMAKE_CURRENT_BINARY_DIR}/docs/DPCacraiz.pdf
-    ${CMAKE_CURRENT_BINARY_DIR}/docs/PSacraiz.pdf
-  DESTINATION
-    ${CMAKE_INSTALL_PREFIX}/${DOCS_INSTALL_DIR}
-)
-
 # vim: ts=2:sw=2:sts=2:et
--- a/CPackLists.txt
+++ b/CPackLists.txt
@@ -61,14 +61,6 @@ configure_file(
 )

 if(BUILD_RPMS)
-execute_process(
-  COMMAND bash -c
-    "LANG=C DATE=$(date +'%a %b %d %Y'); \
-      echo \"* $DATE %{packager} - ${PROJECT_VERSION}-1%{?dist}\"; \
-      echo \"- This is an automatically built package (See our Git URL for more info).\"; \
-    "
-  OUTPUT_VARIABLE CPACK_RPM_CHANGELOG
-)
 CONFIGURE_FILE("${CMAKE_CURRENT_SOURCE_DIR}/packaging/pkg.spec.in"
  "${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}.spec"
  @ONLY 
--- a/README.md
+++ b/README.md
@@ -1,5 +1,4 @@
 # ca-certificates-brazil
---
 The Brazilian Public Key Infrastructure:  ICP-Brasil

 ## Description
@@ -11,18 +10,3 @@ It is observed that the model adopted by Brazil was single-root certification,
 and the ITI, in addition to playing the role of Root Certifying Authority - Root AC,
 also has the role of accrediting and discrediting the other participants in the
 chain, supervise and audit the processes.
-
-## Documentation
-
-* [ICP-Brasil Root Certification Authority Certification Practices Statement (in Portuguese)](
-    https://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
-  )
-* [Certification Practice Statement Root Certification Authority of Brazil](
-    https://acraiz.icpbrasil.gov.br/cpsrootca.pdf
-  )
-* [Security Policy of Root-CA (in Portuguese)](
-    https://acraiz.icpbrasil.gov.br/PSacraiz.pdf
-  )
-
-These files may also have been distributed within the installation package provided
-by your distribution.
--- a/packaging/pkg.spec.in
+++ b/packaging/pkg.spec.in
@@ -1,6 +1,5 @@
 %global debug_package %{nil}
 %global source_date_epoch_from_changelog 0
-%global packager Christian Tosta <7252968+christiantosta@users.noreply.github.com>

 %define __openssl   %{_bindir}/openssl

@@ -43,10 +42,7 @@ chain, supervise and audit the processes.
 %{cmake_install}


-%files 
-%doc %{_datadir}/doc/%{name}/*.pdf
-%doc %{_datadir}/doc/%{name}/README.md
-%license %{_datadir}/doc/%{name}/LICENSE
+%files
 %{_datadir}/pki/ca-trust-source/anchors/isrg-root-x2.crt
 %{_datadir}/pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt
 %{_datadir}/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt
@@ -56,4 +52,4 @@ chain, supervise and audit the processes.
 %postun -p %{_bindir}/update-ca-trust

 %changelog
-@CPACK_RPM_CHANGELOG@
+%autochangelog
--- a/3
+++ b/3
@@ -5,6 +5,3 @@ https://letsencrypt.org/certs/lets-encrypt-e1.pem
 https://letsencrypt.org/certs/lets-encrypt-e2.pem
 https://letsencrypt.org/certs/lets-encrypt-r3.pem
 https://letsencrypt.org/certs/lets-encrypt-r4.pem
-https://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
-https://acraiz.icpbrasil.gov.br/cpsrootca.pdf
-https://acraiz.icpbrasil.gov.br/PSacraiz.pdf
Author	SHA1	Message	Date
Christian Tosta	2875e9ebf9	Changed schedule Runs at 1st and 15th day of each month at 4:30am	2025-05-18 04:48:05 -03:00
Christian Tosta	0683dbbed8	[CI/CD] Added GH Workflows Some checks failed Build and Release CI / release-ci (push) Has been cancelled Details Build and Release CI / build-fedora (push) Has been cancelled Details --------- Signed-off-by: Leonardo Amaral <contato@leonardoamaral.com.br> Co-authored-by: Leonardo Amaral <contato@leonardoamaral.com.br> [CI/CD] Added GH Workflows	2025-04-22 17:41:02 -03:00
Christian Tosta	3df218f8e7	Save version on file	2025-04-18 10:18:48 -03:00
Christian Tosta	4b2bdb47bf	CA PKI update tool autodetection (legacy/p11kit)	2025-04-16 08:39:53 -03:00
Christian Tosta	921cab191b	Update README.md	2025-03-27 05:22:55 -03:00
Christian Tosta	bdc70acaaf	Initial commit	2025-03-27 05:20:04 -03:00