Upgrade reusable packaging workflow (#816)

This commit upgrades the pkg workflow to use the latest version of the
Ploutos reusable packaging workflow. See PR #816 for futher details.

.github/workflows/pkg.yml

@@ -14,21 +14,18 @@ on:
 
 jobs:
   package:
-    uses: NLnetLabs/ploutos/.github/workflows/pkg-rust.yml@v1
+    uses: NLnetLabs/ploutos/.github/workflows/pkg-rust.yml@v5
     secrets:
       DOCKER_HUB_ID: ${{ secrets.DOCKER_HUB_ID }}
       DOCKER_HUB_TOKEN: ${{ secrets.DOCKER_HUB_TOKEN }}
     with:
       docker_org: nlnetlabs
       docker_repo: routinator
+      docker_build_rules: pkg/rules/docker-images-to-build.yml
+      docker_sanity_check_command: --version
 
-      cross_build_rules_path: pkg/rules/cross-targets.yml
-      docker_build_rules_path: pkg/rules/docker-images-to-build.yml
-      package_build_rules_path: pkg/rules/packages-to-build.yml
-      package_test_rules_path: pkg/rules/packages-to-test.yml
+      package_build_rules: pkg/rules/packages-to-build.yml
       package_test_scripts_path: pkg/test-scripts/test-<package>.sh
 
-      deb_maintainer: The NLnet Labs RPKI Team <rpki@nlnetlabs.nl>
-      docker_sanity_check_command: --version
       rpm_scriptlets_path: pkg/rpm/scriptlets.toml
 

Cargo.toml

@@ -95,13 +95,6 @@ systemd-units = { unit-name = "routinator", unit-scripts = "pkg/common", enable
 
 [package.metadata.deb.variants.minimal]
 
-# Cross compilation variants:
-# Note: we have to specify dependencies manually because we don't run cargo-deb
-# on the target platform and so it cannot determine the dependencies correctly
-# for us.
-[package.metadata.deb.variants.minimal-cross]
-depends = "adduser, passwd, rsync"
-
 [package.metadata.generate-rpm]
 # "BSD" alone is the 3-clause license. Inheriting "license" from above causes rpmlint to
 # complain with "invalid-license".

pkg/common/routinator-minimal-cross.routinator.service

@@ -1 +0,0 @@
-routinator-minimal.routinator.service

pkg/rpm/scriptlets.toml

@@ -1,8 +1,6 @@
 post_install_script = '''
 #!/bin/bash -e
-# Script based on the RPM %systemd_post scriptlet. See:
-#   - https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
-#   - https://cgit.freedesktop.org/systemd/systemd/tree/src/core/macros.systemd.in
+#RPM_SYSTEMD_MACROS#
 
 if [ $EUID -ne 0 ]; then
     echo >&2 "ERROR: Routinator postinst script must be run as root"
@@ -30,32 +28,49 @@ if [ $1 -eq 1 ] ; then
     # Ensure that the home directory has the correct permissions
     chmod ${R_HOME_DIR_PERMS} ${R_HOME_DIR}
 
-    # Set the Routinator service to start now and on boot
+    # Run commands equivalent to what the RPM systemd macros would do
+    systemd_post routinator.service
+    systemd_triggers
+
+    # Force the new service to be activated immediately post-install. This goes against Fedora policy as Fedora says
+    # the distribution and system operator decide which services should be activated automatically by way of systemd
+    # preset files. E.g. the `systemd.preset` man page says:
+    #
+    #   It is not recommended to ship preset files within the respective software packages implementing the units, but
+    #   rather centralize them in a distribution or spin default policy, which can be amended by administrator policy,
+    #   see below.
+    #
+    #   If no preset files exist, preset operations will enable all units that are installed by default. If this is not
+    #   desired and all units shall rather be disabled, it is necessary to ship a preset file with a single, catchall
+    #   "disable *" line. (See example 1, below.)
+    #
+    #   From: https://www.freedesktop.org/software/systemd/man/systemd.preset.html#Description
+    #
+    # Fedora 36 for example has such a "catchall" "disable *" preset policy.
+    # See also: https://stackoverflow.com/a/45058741
     systemctl enable --now routinator.service
 fi
 '''
 
 pre_uninstall_script = '''
 #!/bin/bash -e
-# Script based on the RPM %systemd_preun scriptlet. See:
-#   - https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
-#   - https://cgit.freedesktop.org/systemd/systemd/tree/src/core/macros.systemd.in
+#RPM_SYSTEMD_MACROS#
 
 if [ $1 -eq 0 ] ; then
     # Package removal, not upgrade
-    systemctl --no-reload disable routinator.service > /dev/null 2>&1 || :
-    systemctl stop routinator.service > /dev/null 2>&1 || :
+    # Run commands equivalent to what the RPM systemd macros would do
+    systemd_preun routinator.service
+    systemd_triggers
 fi
 '''
 
 post_uninstall_script = '''
 #!/bin/bash -e
-# Script based on the RPM %systemd_postun scriptlet. See:
-#   - https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
-#   - https://cgit.freedesktop.org/systemd/systemd/tree/src/core/macros.systemd.in
+#RPM_SYSTEMD_MACROS#
 
-systemctl daemon-reload >/dev/null 2>&1 || :
 if [ $1 -ge 1 ] ; then
-    systemctl try-restart routinator.service >/dev/null 2>&1 || :
+    # Run commands equivalent to what the RPM systemd macros would do
+    systemd_postun_with_restart routinator.service
+    systemd_triggers
 fi
 '''

pkg/rules/cross-targets.yml

@@ -1,5 +0,0 @@
----
-# must be one of: https://github.com/cross-rs/cross#supported-targets
-- 'arm-unknown-linux-musleabihf'
-- 'armv7-unknown-linux-musleabihf'
-- 'aarch64-unknown-linux-musl'

pkg/rules/packages-to-build.yml

@@ -1,3 +1,5 @@
+# This matrix definition is used as both the package_build_rules and the package_test_rules Ploutos packaging
+# workflow inputs.
 ---
 pkg:
   - 'routinator'
@@ -46,3 +48,10 @@ include:
   - pkg: 'routinator'
     image: 'debian:buster'
     target: 'aarch64-unknown-linux-musl'
+
+# 'mode' is not used by the package building workflow job, but is used by the package testing workflow job.
+# Ploutos will not include this key when using this matrix definition to generate package building matrix
+# permutations but will use it when generating package testing permutations.
+mode:   
+  - 'fresh-install'
+  - 'upgrade-from-published'

pkg/rules/packages-to-test.yml

@@ -1,25 +0,0 @@
----
-pkg:
-  - 'routinator'
-image:
-  - "ubuntu:xenial"   # ubuntu/16.04
-  - "ubuntu:bionic"   # ubuntu/18.04
-  - "ubuntu:focal"    # ubuntu/20.04
-  - "ubuntu:jammy"    # ubuntu/22.04
-  # - "debian:stretch"  # debian/9 - LXC image is no longer available on images.linuxcontainers.org
-  - "debian:buster"   # debian/10
-  - "debian:bullseye" # debian/11
-  - "centos:7"
-  - "centos:8"
-mode:
-  - 'fresh-install'
-  - 'upgrade-from-published'
-target:
-  - 'x86_64'
-# if we later add a new O/S or variant we won't have yet ever published the package so can't do a test upgrade
-# over last published version. In that case add lines here like so to disable the upgrade from published test
-# for that O/S (remember to change debian:bullseye to the correct O/S name!):
-#
-# exclude:
-#   - image: 'debian:bullseye'
-#     mode: 'upgrade-from-published'