GitHub Actions Workflows
Terra Packages uses GitHub Actions to automate package building, testing, and deployment. The CI/CD system is built around five core workflows that handle different aspects of the build process.Workflow Overview
Terra Packages implements a sophisticated multi-stage CI/CD pipeline:- Autobuild - Automatically builds packages when changes are detected
- Manual Build - Allows manual package building with custom parameters
- JSON Build - Core build engine called by other workflows
- Bootstrap - Bootstraps the build system and core tooling
- Update - Automatically updates package versions
Autobuild Workflow
The autobuild workflow (autobuild.yml) is the primary CI/CD pipeline that automatically builds packages when changes are pushed to the repository.
Triggers
The workflow triggers on:- Pushes to the
frawhidebranch that modify files underanda/ - Pull requests targeting
frawhide - Merge queue events
- Manual workflow dispatch
- Calls from other workflows
Build Matrix Generation
The first job generates a build matrix by scanning for changed packages:The
anda ci command analyzes git changes and generates a JSON matrix of packages that need to be built, including architecture and label information.Build Job
The build job delegates to the JSON Build workflow:Packages are only published when the event is a direct push (not pull requests).
AppStream Generation
After building, the workflow generates AppStream metadata for package discovery: The AppStream generation step creates metadata catalogs and reports any vetoed packages in the GitHub Actions summary.Manual Build Workflow
The manual build workflow (build.yml) allows maintainers to build specific packages on-demand with custom configurations.
Workflow Inputs
Dynamic Run Names
The workflow run is named after the packages being built for easy identification.Package Parsing
The manifest job processes the input packages and generates a build matrix:The workflow uses a clever technique of touching
.build files and creating a temporary commit to trick anda ci into detecting the specified packages as changed.JSON Build Workflow
The JSON Build workflow (json-build.yml) is the core build engine that performs the actual package compilation. It’s designed to be called by other workflows.
Workflow Call Interface
Dynamic Runner Selection
The workflow intelligently selects runners based on architecture and package size:The runner selection logic prioritizes:
- Custom builder if specified
- Large ARM64 runners for large aarch64 packages
- Standard ARM64 runners for aarch64 packages
- Large x86_64 runners for large packages
- Standard x86_64 runners as fallback
Compiler Cache (sccache)
The workflow uses sccache for distributed compilation caching: Caching is keyed by version, architecture, and package name to ensure cache hits for repeated builds.Build Process
The build process consists of several stages:Artifact Upload
Built packages are uploaded as workflow artifacts:Artifacts use compression level 0 because RPM packages are already compressed.
Repository Upload
When publishing is enabled, packages are uploaded to the Subatomic repository: Packages can be uploaded to sub-repositories using thesubrepo label, and source package uploads can be disabled with the no_upload_srpms=1 label.
Build Notifications
The workflow notifies Madoguchi (the build tracking service) of build results:Bootstrap Workflow
The bootstrap workflow (bootstrap.yml) builds the core build system tools from scratch using only Fedora base packages.
Build Matrix
The bootstrap uses minimal Fedora images and builds for both x86_64 and aarch64 architectures.
Bootstrap Process
The bootstrap follows a specific order to build the toolchain: The bootstrap sequence:- Install base system tools
- Build anda-srpm-macros using rpmbuild
- Install anda-srpm-macros
- Install build dependencies
- Build and install Anda
- Use Anda to build remaining packages
Update Workflow
The update workflow (update.yml) automatically checks for and applies package version updates.
Schedule
The workflow runs every 10 minutes to check for updates.Update Process
The update command excludes packages with
nightly=1, weekly=1, or updbranch=1 labels.Multi-Branch Commits
When updates are found, they’re committed to multiple release branches: The workflow usesgit format-patch to apply the same updates to multiple release branches (f44, f43, f42, el10).
Workflow Permissions
All workflows follow the principle of least privilege:Only the update workflow has write permissions to commit changes. All other workflows use read-only access.