The CI failure looks like grype had some kind of internal failure unrelated to this PR. This PR does not change the project's dependencies apart from promoting an indirect dependency on github.com/google/rpmpack to a direct dependency.

Codecov Report

❌ Patch coverage is 77.20207% with 44 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.55%. Comparing base (69ce847) to head (3e99dc0).
⚠️ Report is 6 commits behind head on main.

@@            Coverage Diff             @@
##             main    #3412      +/-   ##
==========================================
- Coverage   82.61%   82.55%   -0.07%     
==========================================
  Files         165      166       +1     
  Lines       16594    16787     +193     
==========================================
+ Hits        13709    13858     +149     
- Misses       2290     2319      +29     
- Partials      595      610      +15     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

The CI failure looks like grype had some kind of internal failure unrelated to this PR. This PR does not change the project's dependencies apart from promoting an indirect dependency on github.com/google/rpmpack to a direct dependency.

yes, it checks for vulns... and turns out that go's base image has as couple of them 👀

I think we should be able to use nfpm itself to create the source rpms, as, afaik (and pls correct me if I'm wrong), are regular rpms with some different files in different places and (maybe) extra metadata?

if there are options missing for that on nfpm, we can certainly add those there.

the rpmpack thingy also can become an issue as we are using an internal fork of it in newer versions of nfpm cc/ @goreleaser/nfpm

oh, and most importantly, thanks for the PR! 💜

Thanks for the feedback! I've updated the PR to use goreleaser/nfpm/v2. I'm reasonably sure that all the required functionality is already present.

I still need to find out exactly what the spec file should look like, so spec.tmpl is still a work in progress.

awesome @twpayne! I don't know how srpms spec files work either, but I'll study about them when I can

I think the tricky bits with the .spec file will be:

• The guidelines for .spec files vary from distribution to distribution. I've started by following the Fedora guidelines, but there's a lot of variation.
• It contains commands to build the project from source, which means in theory reproducing logic from the builds: section of GoReleaser's config.
• Some distributions (including Fedora) prefer that every single dependency (i.e. each line in go.mod) to be its own package and for the final package to depend on all of these. I think it's OK to ignore this for now.
• As an eventual inconsistency, the RPMs built by goreleaser will not be the same as the RPMs built from source RPMs built be goreleaser, but I also think this is OK.

The current approach in this PR is to provide a basic default template that should be OK for simple projects, but leave the option for the user to specify their own .spec file template if needed. I suspect that we'll need to add the option to read the .spec file template from a file (as opposed to having it inline in .goreleaser.yaml) as the template will be quite large.

For the record, I won't have much time to work on this for the next ten days or so, but am keen to get good source RPM support added to goreleaser :)

but leave the option for the user to specify their own .spec file template if needed

yes, I think this is the important bit... so users that need more/different stuff can write their spec files themselves, and still use templates for things like version, hashes, etc..

I suspect that we'll need to add the option to read the .spec file template from a file (as opposed to having it inline in .goreleaser.yaml) as the template will be quite large.

yes, probably a good idea as well

For the record, I won't have much time to work on this for the next ten days or so, but am keen to get good source RPM support added to goreleaser :)

same here! will be more offline for a couple of days next week, so if I take too long to reply its probably because of that! Any way, I'm excited to get this into goreleaser as well, if posssible on v1.12.0 or v1.13.0 (next minors) 🤘 (EDIT: no pressure whatsoever, if it is not ready by then its totally fine, and of course I'll help whenever I can 🙏)

hey! anything I could help with here?

Sorry, I haven't looked at this in a while. I think the code is correct, but it needs testing. I won't have time to look at this again for several weeks, so feel free to close this if the feature is not needed.

hey, no problem, I'll see if I find some time, or worst case, we look at it together in a couple of weeks

thanks for the heads up and the PR 💜

Hi @twpayne @caarlos0, looks like a great PR so far, thanks! Is there something I can do to support you?

I've not looked at this for a while. I've just re-pushed to resolve conflicts.

@frzifus if you'd like to help, there are a few areas:

• Testing. Firstly, does the .src.rpm file generated by this pipe actually work? What changes are needed to the .spec template?
• Is the pipeline written correctly? The PR was opened over a year ago, and goreleaser's core architecture has evolved since (e.g. how skips are handled). Are there other changes needed?
• internal/pipe/srpm/srpm.go has a few FIXME/TODO comments, mainly missing fields in structures. It would be great if you could have a look at these.

Thanks, I will come back to you asap. I will try to generate a spec/srpm using go2rpm first. Then Ive something to compare.

For info, I have some time to work on this again, but am currently blocked by #5069.

Tried again to work on this and hit #5409 🙈

@twpayne sorry for the delay, I'll review this sometime in the next couple of weeks

having a couple of crazy days here as well hehe

@twpayne what do you think about this: goreleaser/nfpm#935

Looks good to me :)

Nice! Merged & released: https://github.com/goreleaser/nfpm/releases/tag/v2.43.0

This PR is now ready for review/merging.

I think it's OK to release this as an alpha feature for advanced users. It's far from easy-to-use, but we have to start somewhere :)

• Currently, you still have to write your own .spec file template, but given the complexity of .spec files, this seems unavoidable. Maybe in the future it will be possible to provide a default .spec file template that covers simple Go projects.
• The documentation is minimal and needs to be improved. For people who understand .spec files and Go templates, the documentation is currently minimal but sufficient. Others are likely to get lost very quickly.
• I don't think any more code changes to goreleaser or nfpm are required after this PR is merged. The only remaining changes are a default .spec file template and better documentation.
• The CI failures seem unrelated to this PR.

This is probably setting a record for the longest-ever open PR (2.5 years now!) but I do want to help get this functionality into goreleaser :)

Thanks for the review!

Should we document all the options available? (I can do it btw if you don't want or can't rn).

We can, but this currently requires expertise in the .spec format to use. The changes to .goreleaser.yml and the .spec template I'm using for testing with chezmoi is in twpayne/chezmoi@225e5b5.

This .spec template is based on one written by @mikelolasagasti in https://bugzilla.redhat.com/show_bug.cgi?id=2386221.

There are some changes around the source tarball names. As I understand it, goreleaser uses .Versions like 2.64.0-SNAPSHOT-225e5b598 for snapshot builds, which rpm does not understand, so I have to use goreleaser's .RawVersion instead in some places.

To reproduce my current state:

1. Build goreleaser with this PR.

2. Checkout https://github.com/twpayne/chezmoi and switch to the srpm branch.

3. Build the srpm with goreleaser:

   goreleaser release --clean --skip=chocolatey,sign,nfpm,snapcraft,winget,scoop --snapshot
   

4. Copy the dist/chezmoi-2.64.0-SNAPSHOT-225e5b598.src.rpm to a RPM-based distro (I'm using Fedora).

5. Install the srpm with

   rpm -i chezmoi-2.64.0-SNAPSHOT-225e5b598.src.rpm
   

6. Build the srpm with

   rpmbuild --rebuild chezmoi-2.64.0-SNAPSHOT-225e5b598.src.rpm
   

On my setup, this currently fails with:

cd /home/twp/rpmbuild/BUILD/chezmoi-2.64.0-build/chezmoi-2.64.0/_build/pkg/mod/cache/vcs/ff8d3c48c38851ad2627d3f838dbec82c248632a3ab4442eac08925a273addab; git ls-remote -q origin
verifying github.com/charmbracelet/x/[email protected]: checksum mismatch
        downloaded: h1:LT77A3bpevRD0yZ5NDR5nonS7N83mxzzGwuZcTGezLE=
        go.sum:     h1:rL3Koar5XvX0pHGfovN03f5cxLbCF2YvLeyz7D2jVDQ=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.
error: Bad exit status from /var/tmp/rpm-tmp.p7bb8p (%build)

...which seems related to how Fedora builds Go packages (note tens of other modules build just fine, github.com/charmbracelet/x/[email protected] is the first one to fail).

Also would be nice to have, in the docs, a minimal starter spec template, maybe? wdyt?

All of the above is a long way to say I don't have a working minimal starter spec template yet, but I don't think there are any more changes required to the goreleaser code.

Sorry, I'm not going to trawl through pages of LLM review slop to determine what is valid and what is BS.

Feel free to close this PR.

@twpayne yeah i was trying this thing out but didn't really like it too much - its way too verbose. Will disable it - sorry for the noise.

@twpayne besides docs, anything else you think is missing here?

Let me know, maybe i can finish it so we can release this 🙏

I think it's ready to be released as an experimental component. It probably needs more documentation, and there's so much variation in SRPMs that I don't think it's realistic to provide a default SRPM template.