Architecture
Overview
This project implements a Copr-like RPM build and hosting system using:
- GitHub Actions: CI/CD pipeline for building RPMs
- Mock: Isolated chroot environments for building
- Cloudflare R2: Storage for RPMs and metadata
- GPG: Package signing for security
System Components
┌─────────────────────────────────────────────────────────────────────┐
│                           GitHub Actions                            │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────────────┐ │
│ │ build-x86_64    │ │ build-aarch64   │ │ build (main job)        │ │
│ │ ubuntu-latest   │ │ ubuntu-latest-  │ │ - Checkout              │ │
│ │                 │ │ arm64           │ │ - Build container       │ │
│ │                 │ │                 │ │ - Import GPG            │ │
│ │                 │ │                 │ │ - Configure R2          │ │
│ │                 │ │                 │ │ - Build RPMs            │ │
│ │                 │ │                 │ │ - Sign RPMs             │ │
│ │                 │ │                 │ │ - Upload to R2          │ │
│ └─────────────────┘ └─────────────────┘ └─────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────┘
                                   │
                                   ▼
┌─────────────────────────────────────────────────────────────────────┐
│                           Mock Container                            │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ Isolated chroot environments per target                         │ │
│ │ - fedora-43-x86_64                                              │ │
│ │ - almalinux-10-x86_64                                           │ │
│ │ - centos-stream-10-x86_64                                       │ │
│ │ - (ARM64 targets)                                               │ │
│ └─────────────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────┘
                                   │
                                   ▼
┌─────────────────────────────────────────────────────────────────────┐
│                            Cloudflare R2                            │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────────────┐ │
│ │ /repo/          │ │ /sources/       │ │ /public.gpg             │ │
│ │ ├── fedora-43/  │ │ ├── glib/       │ │ (GPG public key)        │ │
│ │ ├── almalinux/  │ │ ├── gtk4/       │ │                         │ │
│ │ └── centos/     │ │ └── ...         │ │                         │ │
│ └─────────────────┘ └─────────────────┘ └─────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────┘
                                   │
                                   ▼ (Optional)
┌─────────────────────────────────────────────────────────────────────┐
│                          Cloudflare Worker                          │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ - Custom domain routing                                         │ │
│ │ - dnf/yum metadata handling                                     │ │
│ │ - Security headers                                              │ │
│ │ - Request logging                                               │ │
│ └─────────────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────┘
Build Pipeline
1. Trigger
- Push to main branch
- New tag (v*)
- Manual workflow dispatch
2. Container Build
FROM fedora:43
# Install build tools
RUN dnf install -y mock createrepo_c rpm-sign rpm-build ...
3. Chroot Initialization
Mock creates isolated environments:
- Downloads base packages
- Configures repos
- Sets up build user
4. SRPM Build
rpmbuild -bs my-package.spec # Creates .src.rpm
5. RPM Build
mock -r fedora-43-x86_64 --srpm my-package.src.rpm
mock -r fedora-43-x86_64 --build my-package.src.rpm
6. Signing
rpmsign --addsign *.rpm
7. Upload
aws s3 sync output/ s3://bucket/repo/
createrepo_c --update .
Storage Layout
r2://repo-james-rc/
├── public.gpg                  # GPG public key
├── repo/
│   ├── fedora-43-x86_64/
│   │   ├── my-package-1.0.0-1.fc43.x86_64.rpm
│   │   └── repodata/
│   │       ├── repomd.xml
│   │       ├── primary.xml.gz
│   │       └── ...
│   ├── almalinux-10-x86_64/
│   ├── almalinux-10-x86_64_v2/
│   ├── almalinux-10-aarch64/
│   ├── centos-stream-10-x86_64/
│   └── centos-stream-10-aarch64/
└── sources/                    # Lookaside cache
    ├── glib/
    │   └── glib-2.80.0.tar.xz
    └── ...
Security
GPG Signing
- Dedicated subkey for RPM signing
- Private key stored in GitHub Secrets
- Imported at build time
- All RPMs signed before upload
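A pre-upload gate for the "All RPMs signed before upload" step, as an added example that is not the project's own code. Digest checks pass on an unsigned package, so the gate looks for an explicit signature line from the expected signing subkey in verbose `rpmkeys --checksig` output instead of trusting the exit status. The function names, sample output and key IDs are constructed, and it assumes the public key was already imported with `rpm --import`.

```python
import re
import subprocess
from pathlib import Path

SIG_LINE = re.compile(r"Signature, key ID ([0-9a-fA-F]+): (\S+)")

# Constructed sample of `rpmkeys --checksig -v` output (not from a real build).
SAMPLE = """\
output/signed-1.0.0-1.fc43.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 1a2b3c4d: OK
output/unsigned-1.0.0-1.fc43.x86_64.rpm:
    Header SHA256 digest: OK
output/foreign-1.0.0-1.fc43.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID deadbeef: OK
output/nokey-1.0.0-1.fc43.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 1a2b3c4d: NOKEY
"""


def audit_checksig(output, expected_keyid):
    """Return {package: reason} for every package that must not be uploaded."""
    verdict, current = {}, None
    for line in output.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            verdict[current] = "unsigned"  # digest lines alone prove nothing
            continue
        m = SIG_LINE.search(line)
        if not (m and current):
            continue
        keyid, status = m.group(1).lower(), m.group(2)
        if status != "OK":  # NOKEY, BAD, ...: fail closed
            verdict[current] = f"signature {status}"
        elif not expected_keyid.lower().endswith(keyid):
            verdict[current] = f"signed by unexpected key {keyid}"
        elif verdict[current] == "unsigned":
            verdict[current] = None  # good signature from the expected key
    return {pkg: why for pkg, why in verdict.items() if why}


def audit_directory(repo_dir, expected_keyid):
    """Audit every RPM under repo_dir; an empty dict means safe to upload."""
    rpms = sorted(str(p) for p in Path(repo_dir).rglob("*.rpm"))
    proc = subprocess.run(["rpmkeys", "--checksig", "-v", *rpms],
                          capture_output=True, text=True)
    bad = audit_checksig(proc.stdout, expected_keyid)
    if proc.returncode != 0 and not bad:  # rpmkeys failed without a verdict
        bad["rpmkeys"] = proc.stderr.strip() or "non-zero exit"
    return bad
```

Pass the full fingerprint of the signing subkey as `expected_keyid`, since rpm prints only its trailing hex digits, and fail the job when `audit_directory` returns a non-empty dict.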
Network Access
- R2 accessed via AWS CLI with scoped credentials
- Worker can add IP allowlisting
- CDN provides DDoS protection
Retention Policy
The cleanup script (scripts/cleanup.py):
- Runs after each build
- Keeps latest 3 versions of each package
- Saves storage costs
- Configurable via --keep flag
Multi-Architecture
x86_64 Builds
- Standard runners: ubuntu-latest
- Native execution
ARM64 Builds
- Free runners: ubuntu-latest-arm64
- Native execution on ARM
- Pre-installed QEMU in container for compatibility
x86_64_v2
- Builds with SSE4.2/AVX2 optimizations
- Compatible with modern x86_64 CPUs
- Falls back gracefully on older CPUs
Local Development
Using justfile
# Build single target
just build fedora-43-x86_64
# Build all x86_64
just build-x86_64
# Build all targets
just build-all
# Publish to R2
just publish fedora-43-x86_64
Using Container Script
./scripts/build-local.sh <package> <target>
Dependencies
Runtime
- mock: Chroot package builder
- createrepo_c: Repository metadata generator
- rpm-sign: RPM signing tool
Build
- rpm-build: RPM building tools
- Distribution-specific mock configs
Storage
- Cloudflare R2
- AWS CLI for S3 operations