Add vendoring to spec file

[buckaroogeek]

• Revised spec file with full vendoring
• Man file generation commented out as sources not available
• Test build in COPR at https://copr.fedorainfracloud.org/coprs/buckaroogeek/k8s-utils/ for F42/F43

Summary by Sourcery

Enable vendoring of Go dependencies in the RPM spec using go-vendor-tools, update licensing and build configuration, and add packaging instructions.

New Features:

• Enable full vendoring of Go dependencies in the spec file using go-vendor-tools

Enhancements:

• Add go-vendor-tools.toml with license detection configuration for vendored modules
• Revise spec file to use vendored source archive, generate and install vendor license files across prep, install, check, and files sections
• Expand License field to include all upstream licenses and adjust BuildRequires for go-vendor-tools and go-md2man
• Enable GO111MODULE and custom buildtags for gobuild and gotest, and redefine test flags accordingly
• Comment out man page generation and installation steps due to missing docs

Documentation:

• Add rpm/README.md with instructions for building the RPM locally

[sourcery-ai]

Reviewer's Guide

This PR revises the RPM spec to integrate full Go vendoring via go-vendor-tools, revamps build and test phases with module support and license management, bumps version metadata, and adds documentation for local RPM builds.

File-Level Changes

Change	Details	Files
Integrate go-vendor-tools for vendoring and license management	Added go-vendor-tools.toml with archive and license entries Replaced vendor.tar.gz placeholder with vendor archive and added Source2 Introduced %go_vendor_* macros in prep, buildrequires, install and check stages Updated %files to drive files via go_vendor_license_filelist and include vendor modules license file	rpm/podman-bootc.spec rpm/go-vendor-tools.toml
Revamp build and test logic with module support	Enabled GO111MODULE and defined GO_BUILDTAGS global Updated %build to use %gobuild against explicit path and comment out docs build Replaced %gopkg tests with %gotest invocation skipping VM and integration tests Commented out man page generation and installation since docs are missing	rpm/podman-bootc.spec
Update spec metadata and versioning	Bumped Version from 0.1.1 to 0.1.2 Consolidated description via common_description macro Expanded License field to include all vendored licenses Cleaned up obsolete %global declarations and reordered BuildRequires	rpm/podman-bootc.spec
Add local build documentation	Introduced README.md with step-by-step instructions for building the RPM locally Documented go-vendor-tools installation and usage scenarios	rpm/README.md

Possibly linked issues

• Cannot run image which includes niri: Pathname can't be converted from UTF-8 to current locale #123: The PR introduces full vendoring in the spec file, which directly addresses and fixes the dependency download issue described.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey @buckaroogeek - I've reviewed your changes - here's some feedback:

• Remove the duplicated “make” entry in BuildRequires to keep the spec file tidy.
• Clean up or re-enable the commented man page generation/install sections once the docs are available to avoid confusion.
• Double-check that the consolidated License: line only includes licenses for actually vendored dependencies and doesn’t over-approximate.

Prompt for AI Agents

Please address the comments from this code review:
## Overall Comments
- Remove the duplicated “make” entry in BuildRequires to keep the spec file tidy.
- Clean up or re-enable the commented man page generation/install sections once the docs are available to avoid confusion.
- Double-check that the consolidated License: line only includes licenses for actually vendored dependencies and doesn’t over-approximate.

## Individual Comments

### Comment 1
<location> `rpm/podman-bootc.spec:26` </location>
<code_context>
-BuildRequires: golang
-BuildRequires: make
-BuildRequires: libvirt-devel
+BuildRequires:  go-vendor-tools
+BuildRequires:  make
+BuildRequires:  gcc
+BuildRequires:  make
+BuildRequires:  libvirt-devel
+BuildRequires:  go-md2man

 Requires: podman-machine
</code_context>

<issue_to_address>
Duplicate BuildRequires for 'make' detected.

Please remove the duplicate 'BuildRequires: make' line to keep the list clean.
</issue_to_address>

### Comment 2
<location> `rpm/README.md:3` </location>
<code_context>
+## Building the rpm locally
+
+The revised spec file uses [`go-vendor-tools`](https://fedora.gitlab.io/sigs/go/go-vendor-tools/scenarios/#generate-specfile-with-go2rpm) which enable vendoring for Go
+language packages in Fedora.
+
</code_context>

<issue_to_address>
Subject-verb agreement: 'which enable' should be 'which enables'.

It should be 'which enables vendoring for Go language packages in Fedora' to agree with the singular subject 'spec file.'
</issue_to_address>

<suggested_fix>
<<<<<<< SEARCH
The revised spec file uses [`go-vendor-tools`](https://fedora.gitlab.io/sigs/go/go-vendor-tools/scenarios/#generate-specfile-with-go2rpm) which enable vendoring for Go
language packages in Fedora.
=======
The revised spec file uses [`go-vendor-tools`](https://fedora.gitlab.io/sigs/go/go-vendor-tools/scenarios/#generate-specfile-with-go2rpm) which enables vendoring for Go
language packages in Fedora.
>>>>>>> REPLACE

</suggested_fix>

### Comment 3
<location> `rpm/README.md:6` </location>
<code_context>
+The revised spec file uses [`go-vendor-tools`](https://fedora.gitlab.io/sigs/go/go-vendor-tools/scenarios/#generate-specfile-with-go2rpm) which enable vendoring for Go
+language packages in Fedora.
+
+Follow these steps to build an rpm locally using Fedora packagers tools.
+These steps assume a Fedora machine.
+
</code_context>

<issue_to_address>
Typo: 'packagers tools' should be 'packager tools'.

It should read 'using Fedora packager tools.'
</issue_to_address>

<suggested_fix>
<<<<<<< SEARCH
Follow these steps to build an rpm locally using Fedora packagers tools.
These steps assume a Fedora machine.
=======
Follow these steps to build an rpm locally using Fedora packager tools.
These steps assume a Fedora machine.
>>>>>>> REPLACE

</suggested_fix>

### Comment 4
<location> `rpm/README.md:9` </location>
<code_context>
+Follow these steps to build an rpm locally using Fedora packagers tools.
+These steps assume a Fedora machine.
+
+1. Install packages tools. See [Installing Packager Tools](https://docs.fedoraproject.org/en-US/package-maintainers/Installing_Packager_Tools/).
+
+1. Install go-vendor-tools: `sudo dnf install go-vendor-tools*`
</code_context>

<issue_to_address>
Typo: 'packages tools' should be 'packager tools' or 'packaging tools'.

Change to 'Install packager tools' or 'Install packaging tools' for improved clarity.
</issue_to_address>

<suggested_fix>
<<<<<<< SEARCH
1. Install packages tools. See [Installing Packager Tools](https://docs.fedoraproject.org/en-US/package-maintainers/Installing_Packager_Tools/).
=======
1. Install packager tools. See [Installing Packager Tools](https://docs.fedoraproject.org/en-US/package-maintainers/Installing_Packager_Tools/).
>>>>>>> REPLACE

</suggested_fix>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[germag]

Hi, @buckaroogeek thanks for doing this!

Couple of things:

• do you mind adding the Signed-off-by to your commit?

• do we still need to manually vendorize in rpm/packit.sh?

[buckaroogeek]

Thanks for taking a look. Glad to help.

As far as packit integration, my understanding is that packit and go-vendor-tools now work fairly well together. This docker-compose PR seems to be working: https://src.fedoraproject.org/rpms/docker-compose/pull-request/18#request_diff.

In the golang matrix channel Maxwell notes: "It just needs the --verify-spec flag passed to go_vendor_license to make the update fail if the license expression changes".

I can take a look at the packit file next if that would be helpful.

[germag]

I can take a look at the packit file next if that would be helpful.

Yes, thanks.

What I did is to get the source, vendorize and "fix" the spec, in the .packit.yaml file we have:

actions:
  fix-spec-file:
    - "bash rpm/packit.sh"

and inside rpm/packint.sh:
I manually get the source and vendorize it:

# Generate source tarball from HEAD
RPM_SOURCE_FILE=$PACKAGE-$VERSION.tar.gz
git-archive-all -C "$(git rev-parse --show-toplevel)" --prefix="$PACKAGE-$RPM_VERSION/" "rpm/$RPM_SOURCE_FILE"

# Generate vendor dir
RPM_VENDOR_FILE=$PACKAGE-$VERSION-vendor.tar.gz
go mod vendor
tar -czf "rpm/$RPM_VENDOR_FILE" vendor/

and replace the source files:

# Use above generated tarballs as Sources in rpm spec
sed -i "s/^Source0:.*/Source0: $RPM_SOURCE_FILE/" $SPEC_FILE
sed -i "s/^Source1:.*/Source1: $RPM_VENDOR_FILE/" $SPEC_FILE

So, maybe these two steps are not required any more, I guess?

I'm also replacing the Version and Release with what git provides (commit and tag)

[germag]

sorry I forgot to ask why this file is required? (I'm not familiar with the go-vendor tool)

[buckaroogeek]

the go-vendor-tools macros process the license files during the rpm build process. The toml file provides configuration to that process. E.G. specify alternate license detector, set licenses for modules where the detector cannot find a license, exclude directories or files from license detection.

The toml file can also replace a module with a different version if needed. For example to resolve an urgent CVE.

See https://fedora.gitlab.io/sigs/go/go-vendor-tools/config/ for options.

[germag]

Ok, since packit is working again thanks to your changes, let's merge this and check if we need to change something in the packit script in a follow-up PR.

Thanks!

[buckaroogeek]

Just a note that packit integration for go-vendor-tools should be working soon with the following .packit.yaml file from docker-compose:

# See the documentation for more information:
# https://packit.dev/docs/configuration/

upstream_tag_template: v{version}
upstream_project_url: https://github.com/docker/compose
jobs:
  - job: pull_from_upstream
    trigger: release
    dist_git_branches:
      - rawhide
  - job: koji_build
    trigger: commit
    dist_git_branches:
      - rawhide
actions:
  post-modifications:
    # https://fedora.gitlab.io/sigs/go/go-vendor-tools/scenarios/#manual-update
    - |
      sh -xeuc "
        cd $PACKIT_DOWNSTREAM_REPO
        go_vendor_archive create --config go-vendor-tools.toml docker-compose.spec
        go_vendor_license \
          --config go-vendor-tools.toml \
          --path docker-compose.spec \
          report \
          --verify-spec
      "
create_sync_note: false