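# RPM spec for gofixcve: bundles the tool and its Python dependencies in a
# virtualenv under /opt/gofixcve and installs a small wrapper into the
# system bin directory.

Name:           gofixcve
# NOTE(review): the newest changelog entry below is for 0.1.0-1; add an
# entry for this version so the package history matches what is shipped.
Version:        0.1.1
Release:        1%{?dist}
Summary:        CLI tool for rebuilding RHEL components affected by Golang CVE fixes
License:        MIT
URL:            https://gitlab.cee.redhat.com/sustaining-engineering/container-tools/gofixcve

# Tarball suffix; taken from the SRC_SUFFIX environment variable of the build
# (whitespace stripped), defaulting to "main".
%global src_suffix %(echo "${SRC_SUFFIX:-main}" | tr -d '[:space:]')

# NOTE(review): the source is the latest CI artifact of the main branch, and
# its file name depends on an environment variable. The tarball content is
# therefore not fixed for a given version-release, and no digest is verified
# here. Prefer an artifact tied to an immutable tag or commit and check its
# checksum before building.
Source0:        %{url}/-/jobs/artifacts/main/raw/%{name}-%{src_suffix}.tar.gz?job=test-build#/%{name}-%{src_suffix}.tar.gz

# Disable debuginfo - venv .so files have no debug symbols
%global debug_package %{nil}

# Build requirements
BuildRequires:  python3 >= 3.11
BuildRequires:  python3-pip
BuildRequires:  python3-setuptools

# Runtime requirements
Requires:       python3 >= 3.11

# These are needed at runtime but may not be in all repos at build time.
# On RHEL: available via RCM Tools + base repos.
# On Fedora: rhpkg not available - user installs separately.
Recommends:     rhpkg
Recommends:     krb5-workstation
Recommends:     rpmdevtools
Recommends:     git-core

%description
gofixcve - CLI tool that automates rebuilding RHEL 9.x/10.x z-stream
components affected by Golang CVE fixes.

Features:
  - Auto-detect golang version from Brew buildroot
  - Spec file bumping (release, BuildRequires, changelog)
  - Scratch builds via rhpkg
  - GitLab MR creation
  - Side-tag build support (commit + push + release build)
  - Jira comment parsing for build instructions
  - CVE cross-validation
  - Multi-ticket consolidation (multiple tickets -> one MR)

Usage:
  gofixcve process --jiras RHEL-158645 --branch rhel-9.7.0
  gofixcve list
  gofixcve check-auth

%prep
%setup -q -n %{name}-%{src_suffix}

%build
# Nothing to compile - pure Python

%install
# Create directories
install -d %{buildroot}/opt/gofixcve
install -d %{buildroot}%{_bindir}
install -d %{buildroot}%{_sysconfdir}/gofixcve

# Create virtualenv and install the package with all dependencies
# NOTE(review): both pip invocations resolve packages from the configured
# index at build time. Nothing here pins versions or verifies hashes, so the
# bundled dependency set can differ between two builds of the same release.
# Consider a hash-pinned requirements file (pip --require-hashes) or
# pre-fetched wheels installed with --no-index.
python3 -m venv %{buildroot}/opt/gofixcve/venv
%{buildroot}/opt/gofixcve/venv/bin/pip install --no-cache-dir --upgrade pip setuptools wheel
%{buildroot}/opt/gofixcve/venv/bin/pip install --no-cache-dir .

# Fix virtualenv shebang paths (rpmbuild buildroot -> final install path)
# NOTE(review): stderr and the exit status are discarded, so a failed rewrite
# is not reported by this step.
find %{buildroot}/opt/gofixcve/venv/bin/ -type f -exec \
    sed -i "s|%{buildroot}||g" {} + 2>/dev/null || true

# Fix pyvenv.cfg to use final install path
sed -i "s|%{buildroot}||g" %{buildroot}/opt/gofixcve/venv/pyvenv.cfg

# Fix absolute symlinks in venv/bin/ to be relative
# The replacement always points into usr/bin, keeping only the base name of
# the original target.
for link in %{buildroot}/opt/gofixcve/venv/bin/*; do
    [ -L "$link" ] || continue
    target=$(readlink "$link")
    case "$target" in
        /*)
            # Absolute symlink - make it relative
            rm -f "$link"
            ln -sf "../../../../usr/bin/$(basename "$target")" "$link"
            ;;
    esac
done

# Recompile .pyc files with correct paths (strip buildroot prefix)
# Use the build host interpreter: by this point bin/python3 inside the venv
# is a relative link that only resolves once the tree is installed under /,
# so invoking it from the build root fails and the step silently did nothing.
# Individual files that do not compile are still tolerated, but stderr is no
# longer hidden so a broken step shows up in the build log.
python3 -m compileall \
    -f -d /opt/gofixcve/venv \
    %{buildroot}/opt/gofixcve/venv || true

# Install wrapper script
cat > %{buildroot}%{_bindir}/gofixcve << 'WRAPPER'
#!/bin/bash
exec /opt/gofixcve/venv/bin/gofixcve "$@"
WRAPPER
chmod 755 %{buildroot}%{_bindir}/gofixcve

# Install default config
if [ -f config.yaml ]; then
    install -m 644 config.yaml %{buildroot}%{_sysconfdir}/gofixcve/config.yaml
else
    cat > %{buildroot}%{_sysconfdir}/gofixcve/config.yaml << 'DEFAULTCONFIG'
workspace:
  base_path: "~/gofixcve-work"

rhel_versions:
  "9.7.z":
    branch: "rhel-9.7.0"
    build_target: "rhel-9.7.0-candidate"
  "10.1.z":
    branch: "c10s"
    build_target: "c10s-candidate"

component_filter:
  enabled: true
  allowed_components:
    - "podman"
    - "buildah"
    - "skopeo"
    - "containernetworking-plugins"
    - "runc"
    - "gvisor-tap-vsock"
    - "grafana"
    - "grafana-pcp"

brew:
  url: "https://brewweb.engineering.redhat.com/brew"
  poll_interval: 30
  max_wait_time: 7200
DEFAULTCONFIG
fi

# Store version
echo "%{version}-%{release}" > %{buildroot}/opt/gofixcve/version

%files
%doc README.md
%doc USER_GUIDE.md
%license LICENSE
# CLI wrapper
%{_bindir}/gofixcve
# Virtualenv with all dependencies
/opt/gofixcve/
# Own the config directory so its mode and ownership are tracked and
# verifiable through the package database
%dir %{_sysconfdir}/gofixcve
# Config file - noreplace means user edits survive upgrades
%config(noreplace) %{_sysconfdir}/gofixcve/config.yaml

%changelog
* Wed Jun 10 2026 Vivek Naruka - 0.1.0-1
- Initial RPM package as gofixcve (renamed from golang-rebuild)
- Includes: process, list, check-auth, show-config commands
- Python venv at /opt/gofixcve/ with all dependencies bundled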