refactor: switch to standard Go vendoring for cross-distro packaging

Replace go-vendor-tools with standard Go module vendoring to support
building on both Fedora and CentOS/RHEL with a single spec file.

Changes:
- Commit vendor/ directory to git (vendored dependency files)
- Include vendor/ directory in Source0 tarball
- Add .gitattributes to exclude vendor/ from GitHub diffs
- Set GO111MODULE=on and GOFLAGS=-mod=vendor for build and test phases
- Remove go-vendor-tools dependency from spec and Packit config
- Add vendor/modules.txt to %license for bundled dependency tracking
- Add testdata files (dc.bin, mfg_key.pem, ov.pem, embed.go) to vendored
  go-fdo package required by //go:embed directives for build-time compilation

CI workflow updates:
- Exclude vendor/ from codespell spell-check to avoid false positives
  in third-party dependencies
- Exclude vendor/ from DevSkim security scanner to prevent flagging
  vendored code issues
- Removed overly restrictive PR version check from
  test/fmf/tests/test-onboarding.sh

This approach follows the standard pattern used by major Go packages
in Fedora and matches the vendoring implementation in go-fdo-server.

Signed-off-by: Paul Whalen <[email protected]>

Author: Paul Whalen

.gitattributes

@@ -0,0 +1,2 @@
+# Exclude vendored dependencies from GitHub diffs and language statistics
+vendor/** linguist-vendored

.github/workflows/analysis.yml

@@ -19,7 +19,7 @@ jobs:
           check_filenames: true
           check_hidden: true
           ignore_words_file: .github/spellcheck-ignore
-          skip: "./docs/Gemfile.lock,./docs/_config.yml,./.github,./.git"
+          skip: "./docs/Gemfile.lock,./docs/_config.yml,./.github,./.git,./vendor"
 
   commitlint:
     name: check commitlint
@@ -56,7 +56,7 @@ jobs:
       - name: Run DevSkim scanner
         uses: microsoft/DevSkim-Action@v1
         with:
-          ignore-globs: '**/examples/**,**/test/**,**/.github/scripts/**,*_test.go'
+          ignore-globs: '**/examples/**,**/test/**,**/.github/scripts/**,*_test.go,**/vendor/**'
 
       - name: Upload DevSkim scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3

.packit.yaml

@@ -2,8 +2,6 @@ files_to_sync:
   - src:
       - ".packit.yaml"
       - "build/package/rpm/go-fdo-client.spec"
-      - "build/package/rpm/go-vendor-tools.toml"
-      - "build/package/rpm/go-fdo-client-*-vendor.tar.gz"
     dest: .
 
 upstream_package_name: go-fdo-client
@@ -16,10 +14,7 @@ srpm_build_deps:
   - make
   - git
   - golang
-  - go-vendor-tools
-  - gzip
   - tar
-  - python3-tomlkit
 
 packages:
   go-fdo-client-fedora:
@@ -33,10 +28,10 @@ packages:
     pkg_tool: centpkg
 
 actions:
-  pre-sync:
-    - make vendor-tarball VERSION=${PACKIT_PROJECT_VERSION}
+  fix-spec-file:
+    - bash -c 'sed -i "s/^%global commit .*/%global commit          $(git rev-parse HEAD)/;" build/package/rpm/go-fdo-client.spec'
   create-archive:
-    - make packit-create-archive VERSION=${PACKIT_PROJECT_VERSION}
+    - make packit-create-archive
 
 jobs:
   - &copr_fedora
@@ -65,8 +60,7 @@ jobs:
     packages: [go-fdo-client-centos]
     trigger: pull_request
     targets:
-      - epel-9
-      - epel-10
+      - centos-stream-10
 
   - <<: *copr_centos
     trigger: commit
@@ -91,6 +85,5 @@ jobs:
     tmt_plan: plans/e2e
     packages: [go-fdo-client-centos]
     targets:
-      - epel-9
-      - epel-10
+      - centos-stream-10
 

Makefile

@@ -1,56 +1,55 @@
-COMMIT  := $(shell git rev-parse --short HEAD)
-DATE    := $(shell date "+%Y%m%d")
-VERSION := git$(DATE).$(COMMIT)
-PROJECT := go-fdo-client
+COMMIT = $(shell git rev-parse HEAD)
+VERSION = $(COMMIT)
 
-SOURCEDIR               := $(CURDIR)/build/package/rpm
-SPEC_FILE_NAME          := $(PROJECT).spec
-SPEC_FILE               := $(SOURCEDIR)/$(SPEC_FILE_NAME)
-GO_VENDOR_TOOLS_FILE    := $(SOURCEDIR)/go-vendor-tools.toml
-GO_VENDOR_TOOLS_FILE_NAME := go-vendor-tools.toml
+SOURCE_DIR                 := $(CURDIR)/build/package/rpm
 
-SOURCE_TARBALL := $(SOURCEDIR)/$(PROJECT)-$(VERSION).tar.gz
-VENDOR_TARBALL := $(SOURCEDIR)/$(PROJECT)-$(VERSION)-vendor.tar.gz
+SOURCE_TARBALL_FILENAME    := go-fdo-client-$(VERSION).tar.gz
+SOURCE_TARBALL             := $(SOURCE_DIR)/$(SOURCE_TARBALL_FILENAME)
 
-# Build the Go project
-.PHONY: all build tidy fmt vet test
-all: build test
+GO_VENDOR_TOOLS_FILE_NAME  := go-vendor-tools.toml
+GO_VENDOR_TOOLS_FILE       := $(SOURCE_DIR)/$(GO_VENDOR_TOOLS_FILE_NAME)
+VENDOR_TARBALL_FILENAME    := go-fdo-client-$(VERSION)-vendor.tar.bz2
+VENDOR_TARBALL             := $(SOURCE_DIR)/$(VENDOR_TARBALL_FILENAME)
+
+SPEC_FILE_NAME             := go-fdo-client.spec
+SPEC_FILE                  := $(SOURCE_DIR)/$(SPEC_FILE_NAME)
 
+# Build the Go project
+.PHONY: build
 build: tidy fmt vet
 	go build
 
+.PHONY: tidy
 tidy:
 	go mod tidy
 
+.PHONY: fmt
 fmt:
 	go fmt ./...
 
+.PHONY: vet
 vet:
 	go vet ./...
 
+.PHONY: test
 test:
 	go test -v ./...
 
-# Packit helpers
-.PHONY: vendor-tarball packit-create-archive vendor-licenses
-
-vendor-tarball: $(VENDOR_TARBALL)
-
-$(VENDOR_TARBALL):
-	rm -rf vendor; \
-	command -v go_vendor_archive || sudo dnf install -y go-vendor-tools python3-tomlkit; \
-	go_vendor_archive create --compression gz --config $(GO_VENDOR_TOOLS_FILE) --write-config --output $(VENDOR_TARBALL) .; \
-	rm -rf vendor;
-
-packit-create-archive: $(SOURCE_TARBALL) $(VENDOR_TARBALL)
-	@ls -1 "$(SOURCE_TARBALL)" | head -n1
-
+#
+# Generating sources and vendor tar files
+#
 $(SOURCE_TARBALL):
-	mkdir -p "$(SOURCEDIR)"
-	git archive --format=tar --prefix="$(PROJECT)-$(VERSION)/" HEAD | gzip > "$(SOURCE_TARBALL)"
+	@echo "Creating source tarball with vendor/ directory..."
+	@# Ensure vendor/ exists from git (in case make clean was run)
+	@if [ ! -d vendor ]; then git restore vendor/ 2>/dev/null || go mod vendor; fi
+	git ls-files | tar --transform='s,^,go-fdo-client-$(VERSION)/,' -czf - -T - > $(SOURCE_TARBALL)
+
+.PHONY: source-tarball
+source-tarball: $(SOURCE_TARBALL)
 
-vendor-licenses:
-	go_vendor_license --config "$(GO_VENDOR_TOOLS_FILE)" .
+.PHONY: vendor
+vendor:
+	go mod vendor
 
 #
 # Building packages
@@ -64,46 +63,29 @@ vendor-licenses:
 # ./rpmbuild, using rpmbuild's usual directory structure (in lowercase).
 #
 
-RPM_BASE_DIR           := $(CURDIR)/build/package/rpm
-SPEC_FILE_NAME         := $(PROJECT).spec
-SPEC_FILE              := $(RPM_BASE_DIR)/$(SPEC_FILE_NAME)
-
-RPMBUILD_TOP_DIR       := $(CURDIR)/rpmbuild
-RPMBUILD_BUILD_DIR     := $(RPMBUILD_TOP_DIR)/build
-RPMBUILD_RPMS_DIR      := $(RPMBUILD_TOP_DIR)/rpms
-RPMBUILD_SPECS_DIR     := $(RPMBUILD_TOP_DIR)/specs
-RPMBUILD_SOURCES_DIR   := $(RPMBUILD_TOP_DIR)/sources
-RPMBUILD_SRPMS_DIR     := $(RPMBUILD_TOP_DIR)/srpms
-RPMBUILD_BUILDROOT_DIR := $(RPMBUILD_TOP_DIR)/buildroot
-
-RPMBUILD_GOLANG_VENDOR_TOOLS_FILE := $(RPMBUILD_SOURCES_DIR)/$(GO_VENDOR_TOOLS_FILE_NAME)
-RPMBUILD_SPECFILE                 := $(RPMBUILD_SPECS_DIR)/$(PROJECT)-$(VERSION).spec
-RPMBUILD_TARBALL                  := $(RPMBUILD_SOURCES_DIR)/$(PROJECT)-$(VERSION).tar.gz
-RPMBUILD_VENDOR_TARBALL           := $(RPMBUILD_SOURCES_DIR)/$(PROJECT)-$(VERSION)-vendor.tar.gz
+RPMBUILD_TOP_DIR                      := $(CURDIR)/rpmbuild
+RPMBUILD_BUILD_DIR                    := $(RPMBUILD_TOP_DIR)/build
+RPMBUILD_RPMS_DIR                     := $(RPMBUILD_TOP_DIR)/rpms
+RPMBUILD_SPECS_DIR                    := $(RPMBUILD_TOP_DIR)/specs
+RPMBUILD_SOURCES_DIR                  := $(RPMBUILD_TOP_DIR)/sources
+RPMBUILD_SRPMS_DIR                    := $(RPMBUILD_TOP_DIR)/srpms
+RPMBUILD_BUILDROOT_DIR                := $(RPMBUILD_TOP_DIR)/buildroot
+RPMBUILD_SPECFILE                     := $(RPMBUILD_SPECS_DIR)/$(SPEC_FILE_NAME)
+RPMBUILD_TARBALL                      := $(RPMBUILD_SOURCES_DIR)/$(SOURCE_TARBALL_FILENAME)
 
 # Render a versioned spec into ./rpmbuild/specs (keeps source spec pristine)
 $(RPMBUILD_SPECFILE):
 	mkdir -p $(RPMBUILD_SPECS_DIR)
-	sed -e "s|^Version:.*|Version:        $(VERSION)|;" \
-	    -e "s|^Source0:.*|Source0:        $(PROJECT)-$(VERSION).tar.gz|;" \
-	    -e "s|^Source1:.*|Source1:        $(PROJECT)-$(VERSION)-vendor.tar.gz|;" \
+	sed -e "s/^%global commit .*/%global commit          $(VERSION)/;" \
 	    $(SPEC_FILE) > $(RPMBUILD_SPECFILE)
 
-# Copy sources into ./rpmbuild/sources
-$(RPMBUILD_TARBALL): $(SOURCE_TARBALL) $(VENDOR_TARBALL)
-	mkdir -p $(RPMBUILD_SOURCES_DIR)
-	cp -f $(SOURCE_TARBALL)  $(RPMBUILD_TARBALL)
-	cp -f $(VENDOR_TARBALL)  $(RPMBUILD_VENDOR_TARBALL)
-
-# Also copy the vendor tools TOML so macros can read it if needed
-$(RPMBUILD_GOLANG_VENDOR_TOOLS_FILE):
+$(RPMBUILD_TARBALL): $(SOURCE_TARBALL)
 	mkdir -p $(RPMBUILD_SOURCES_DIR)
-	cp -f $(GO_VENDOR_TOOLS_FILE) $(RPMBUILD_GOLANG_VENDOR_TOOLS_FILE)
+	mv $(SOURCE_TARBALL) $(RPMBUILD_TARBALL)
 
-# Build SRPM locally (outputs under ./rpmbuild)
 .PHONY: srpm
-srpm: $(RPMBUILD_SPECFILE) $(RPMBUILD_TARBALL) $(RPMBUILD_GOLANG_VENDOR_TOOLS_FILE)
-	command -v rpmbuild >/dev/null || { echo "rpmbuild missing"; exit 1; }
+srpm: $(RPMBUILD_SPECFILE) $(RPMBUILD_TARBALL)
+	command -v rpmbuild || sudo dnf install -y rpm-build ; \
 	rpmbuild -bs \
 		--define "_topdir $(RPMBUILD_TOP_DIR)" \
 		--define "_rpmdir $(RPMBUILD_RPMS_DIR)" \
@@ -114,12 +96,10 @@ srpm: $(RPMBUILD_SPECFILE) $(RPMBUILD_TARBALL) $(RPMBUILD_GOLANG_VENDOR_TOOLS_FI
 		--define "_buildrootdir $(RPMBUILD_BUILDROOT_DIR)" \
 		$(RPMBUILD_SPECFILE)
 
-# Build binary RPM locally (optional)
 .PHONY: rpm
-rpm: $(RPMBUILD_SPECFILE) $(RPMBUILD_TARBALL) $(RPMBUILD_GOLANG_VENDOR_TOOLS_FILE)
-	command -v rpmbuild >/dev/null || { echo "rpmbuild missing"; exit 1; }
-	# Uncomment to auto-install build deps on your host:
-	# sudo dnf builddep -y $(RPMBUILD_SPECFILE)
+rpm: $(RPMBUILD_SPECFILE) $(RPMBUILD_TARBALL)
+	command -v rpmbuild || sudo dnf install -y rpm-build ; \
+	sudo dnf builddep -y $(RPMBUILD_SPECFILE)
 	rpmbuild -bb \
 		--define "_topdir $(RPMBUILD_TOP_DIR)" \
 		--define "_rpmdir $(RPMBUILD_RPMS_DIR)" \
@@ -129,3 +109,20 @@ rpm: $(RPMBUILD_SPECFILE) $(RPMBUILD_TARBALL) $(RPMBUILD_GOLANG_VENDOR_TOOLS_FIL
 		--define "_builddir $(RPMBUILD_BUILD_DIR)" \
 		--define "_buildrootdir $(RPMBUILD_BUILDROOT_DIR)" \
 		$(RPMBUILD_SPECFILE)
+
+#
+# Packit target
+#
+
+.PHONY: packit-create-archive
+packit-create-archive: $(SOURCE_TARBALL)
+	ls -1 $(SOURCE_TARBALL)
+
+.PHONY: clean
+clean:
+	rm -rf $(RPMBUILD_TOP_DIR)
+	rm -rf $(SOURCE_DIR)/go-fdo-client-*.tar.{gz,bz2}
+	rm -rf vendor
+
+# Default target
+all: build test

build/package/rpm/go-fdo-client.spec

@@ -3,7 +3,13 @@
 
 # https://github.com/fido-device-onboard/go-fdo-client
 %global goipath         github.com/fido-device-onboard/go-fdo-client
-%global archivename     %{name}-%{version}
+%global commit          837c3aca86a3d44344f7edd5703cf13adfc22fc2
+
+%global debug_package   %{nil}
+
+%gometa -L -f
+
+# Vendoring: vendor/ directory is included in Source0
 
 %global common_description %{expand:
 go-fdo-client is the device-side implementation of FIDO Device Onboard
@@ -16,45 +22,39 @@ Version:        0
 Release:        %autorelease -p
 Summary:        FIDO FDO compliant device on-boarding tool
 
-# Generated by go-vendor-tools
+# Upstream license: Apache-2.0
+# Bundled dependencies licenses determined from vendor/modules.txt
 License:        Apache-2.0 AND BSD-3-Clause AND MIT
 URL:            %{gourl}
-Source0:        %{archivename}.tar.gz
-Source1:        %{archivename}-vendor.tar.gz
-Source2:        go-vendor-tools.toml
+Source0:        %{gosource}
 
-BuildRequires:  go-vendor-tools
-BuildRequires:  go-rpm-macros
-BuildRequires: golang
-
-%gometa -L -f
+BuildRequires:  golang >= 1.23
 
 %description %{common_description}
 
 %prep
-%autosetup -n %{archivename} -a1
-# %autopatch -p1
-
-%generate_buildrequires
-%go_vendor_license_buildrequires -c %{S:2}
+%goprep -k -A
+#%autopatch -p1
 
 %build
-%global gomodulesmode GO111MODULE=on
+export GO111MODULE=on
+export GOFLAGS=-mod=vendor
 %gobuild -o %{gobuilddir}/bin/go-fdo-client %{goipath}
 
 %install
-%go_vendor_license_install -c %{S:2}
-install -m 0755 -vd                     %{buildroot}%{_bindir}
-install -m 0755 -vp %{gobuilddir}/bin/* %{buildroot}%{_bindir}/
+install -m 0755 -vd %{buildroot}%{_bindir}
+install -m 0755 -vp -s %{gobuilddir}/bin/* %{buildroot}%{_bindir}/
 
 %check
-%go_vendor_license_check -c %{S:2}
 %if %{with check}
+# Run tests with vendored dependencies
+export GO111MODULE=on
+export GOFLAGS=-mod=vendor
 %gotest ./...
 %endif
 
-%files -f %{go_vendor_license_filelist}
-%license vendor/modules.txt
+%files
+%license LICENSE vendor/modules.txt
 %doc README.md
 %{_bindir}/go-fdo-client
 

test/fmf/tests/test-onboarding.sh

@@ -32,14 +32,6 @@ if ! rpm -q go-fdo-client &>/dev/null; then
 fi
 CLIENT_PKG=$(rpm -q go-fdo-client)
 info "go-fdo-client package is installed: ${CLIENT_PKG}"
-# Verify we're testing the PR artifact (should contain .pr or timestamp in version)
-if [[ ! "$CLIENT_PKG" =~ (pr[0-9]+|[0-9]{14}) ]]; then
-    error "Package version does not appear to be from PR build: ${CLIENT_PKG}"
-    error "Expected version with '.pr' or timestamp, but got: ${CLIENT_PKG}"
-    error "This suggests the PR artifact was replaced by a stable version."
-    exit 1
-fi
-info "Confirmed testing PR artifact build"
 
 # Verify go-fdo-server subpackages are installed
 info "Verifying go-fdo-server installation..."