refactor: switch to standard Go vendoring for cross-distro packaging

Replace go-vendor-tools with standard Go module vendoring to support
building on both Fedora and CentOS/RHEL with a single spec file.

Changes:
- Commit vendor/ directory to git (998 vendored dependency files)
- Include vendor/ directory in Source0 tarball
- Set GO111MODULE=on and GOFLAGS=-mod=vendor for build and test phases
- Remove go-vendor-tools dependency from spec and Packit config
- Add vendor/modules.txt to %license for bundled dependency tracking
- Add testdata files (dc.bin, mfg_key.pem, ov.pem) to vendored go-fdo
  package required by //go:embed directives for build-time compilation

CI workflow updates:
- Exclude vendor/ from codespell spell-check to avoid false positives
  in third-party dependencies
- Exclude vendor/ from DevSkim security scanner to prevent flagging
  vendored code issues
- Disable Go dependency caching in setup-go action since vendored
  dependencies don't require go.sum

This approach follows the standard pattern used by major Go packages
in Fedora and ensures compatibility across distributions.

Signed-off-by: Paul Whalen <[email protected]>

Author: Paul Whalen

.github/workflows/analysis.yml

@@ -19,7 +19,7 @@ jobs:
           check_filenames: true
           check_hidden: true
           ignore_words_file: .github/spellcheck-ignore
-          skip: "./docs/Gemfile.lock,./docs/_config.yml,./.github,./.git"
+          skip: "./docs/Gemfile.lock,./docs/_config.yml,./.github,./.git,./vendor"
 
   commitlint:
     name: check commitlint
@@ -56,7 +56,7 @@ jobs:
       - name: Run DevSkim scanner
         uses: microsoft/DevSkim-Action@v1
         with:
-          ignore-globs: '**/test/**,*_test.go,**/deployments/compose/**'
+          ignore-globs: '**/test/**,*_test.go,**/deployments/compose/**,**/vendor/**'
 
       - name: Upload DevSkim scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3

.github/workflows/ci.yml

@@ -19,6 +19,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: "1.25"
+          cache: false
 
       - name: Check out repository code
         uses: actions/checkout@v4
@@ -44,6 +45,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: "1.25"
+          cache: false
 
       - name: Check out repository code
         uses: actions/checkout@v4
@@ -73,6 +75,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: "1.25"
+          cache: false
 
       - name: Check out repository code
         uses: actions/checkout@v4
@@ -102,6 +105,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: "1.25"
+          cache: false
 
       - name: Check out repository code
         uses: actions/checkout@v4
@@ -131,6 +135,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: "1.25"
+          cache: false
 
       - name: Check out repository code
         uses: actions/checkout@v4
@@ -160,6 +165,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: "1.25"
+          cache: false
 
       - name: Check out repository code
         uses: actions/checkout@v4
@@ -189,6 +195,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: "1.25"
+          cache: false
 
       - name: Check out repository code
         uses: actions/checkout@v4

.packit.yaml

@@ -6,8 +6,6 @@ files_to_sync:
   - src:
       - ".packit.yaml"
       - "build/package/rpm/go-fdo-server.spec"
-      - "build/package/rpm/go-vendor-tools.toml"
-      - "build/package/rpm/go-fdo-server-*-vendor.tar.bz2"
     dest: .
 
 upstream_package_name: go-fdo-server
@@ -24,8 +22,6 @@ srpm_build_deps:
   - gcc
   - glibc-devel
   - golang
-  - go-vendor-tools
-  - python3-tomlkit
 
 packages:
   go-fdo-server-fedora:
@@ -126,14 +122,7 @@ jobs:
     packages: [go-fdo-server-centos]
     trigger: pull_request
     targets:
-      epel-9:
-        additional_repos:
-          - https://download.copr.fedorainfracloud.org/results/@go-sig/golang-rawhide/epel-9-$basearch/
-        additional_packages:
-          - golang
-      epel-10:
-        additional_repos:
-          - https://download.copr.fedorainfracloud.org/results/@go-sig/golang-rawhide/epel-10-$basearch/
+      centos-stream-10:
         additional_packages:
           - golang
 
@@ -151,5 +140,4 @@ jobs:
     tmt_plan: test/fmf/plans/e2e
     packages: [go-fdo-server-centos]
     targets:
-      - epel-9
-      - epel-10
+      - centos-stream-10

Makefile

@@ -35,7 +35,11 @@ SOURCE_DIR                 := $(CURDIR)/build/package/rpm
 SOURCE_TARBALL_FILENAME    := go-fdo-server-$(VERSION).tar.gz
 SOURCE_TARBALL             := $(SOURCE_DIR)/${SOURCE_TARBALL_FILENAME}
 $(SOURCE_TARBALL):
-	git archive --prefix=go-fdo-server-$(VERSION)/ --format=tar.gz HEAD > $(SOURCE_TARBALL)
+	@echo "Creating source tarball with vendor/ directory..."
+	rm -rf vendor; \
+	go mod vendor; \
+	git ls-files | tar --transform='s,^,go-fdo-server-$(VERSION)/,' -czf - -T - vendor/ > $(SOURCE_TARBALL); \
+	rm -rf vendor
 
 .PHONY: source-tarball
 source-tarball: $(SOURCE_TARBALL)
@@ -155,13 +159,14 @@ rpm: $(RPMBUILD_SPECFILE) $(RPMBUILD_TARBALL) $(RPMBUILD_GOLANG_VENDOR_TOOLS_FIL
 #
 
 .PHONY: packit-create-archive
-packit-create-archive: $(SOURCE_TARBALL) $(VENDOR_TARBALL)
+packit-create-archive: $(SOURCE_TARBALL)
 	ls -1 $(SOURCE_TARBALL)
 
 .PHONY: clean
 clean:
 	rm -rf $(RPMBUILD_TOP_DIR)
 	rm -rf $(SOURCE_DIR)/go-fdo-server-*.tar.{gz,bz2}
+	rm -rf vendor
 
 # Default target
 all: build test

build/package/rpm/go-fdo-server.spec

@@ -9,24 +9,24 @@
 
 %gometa -L -f
 
+# Vendoring: vendor/ directory is included in Source0
+
 Name:           go-fdo-server
 Version:        0
 Release:        %autorelease -p
 Summary:        A Go implementation of the FIDO Device Onboard Specification
 
-# Generated by go-vendor-tools
+# Upstream license: Apache-2.0
+# Bundled dependencies licenses determined from vendor/modules.txt
 License:        Apache-2.0 AND BSD-3-Clause AND MIT
 URL:            %{gourl}
 Source0:        %{gosource}
-# Generated by go-vendor-tools
-Source1:        %{archivename}-vendor.tar.bz2
-Source2:        go-vendor-tools.toml
-Source3:        go-fdo-server-group.conf
-Source4:        go-fdo-server-manufacturer-user.conf
-Source5:        go-fdo-server-rendezvous-user.conf
-Source6:        go-fdo-server-owner-user.conf
-
-BuildRequires:  go-vendor-tools
+Source1:        go-fdo-server-group.conf
+Source2:        go-fdo-server-manufacturer-user.conf
+Source3:        go-fdo-server-rendezvous-user.conf
+Source4:        go-fdo-server-owner-user.conf
+
+BuildRequires:  golang >= 1.25
 # Systemd units
 BuildRequires:  systemd-rpm-macros
 # Sysusers
@@ -39,28 +39,24 @@ binding of device credentials, allowing for automated and secure on-boarding of
 devices when they are first powered on in their final location.
 
 %prep
-%goprep -A
-%setup -q -T -D -a1 %{forgesetupargs}
+%goprep -k -A
 #%%autopatch -p1
 
-%generate_buildrequires
-%go_vendor_license_buildrequires -c %{S:2}
-
 %build
-%global gomodulesmode GO111MODULE=on
+export GO111MODULE=on
+export GOFLAGS=-mod=vendor
 %gobuild -o %{gobuilddir}/bin/go-fdo-server %{goipath}
 
 %install
-%go_vendor_license_install -c %{S:2}
 install -m 0755 -vd %{buildroot}%{_bindir}
 install -m 0755 -vp -s %{gobuilddir}/bin/* %{buildroot}%{_bindir}
 # Configuration dir
 install -m 0755 -vd %{buildroot}%{_sysconfdir}/%{name}
 # Sysusers
-install -m 0644 -vp -D %{SOURCE3} %{buildroot}/%{_sysusersdir}/go-fdo-server.conf
-install -m 0644 -vp -D %{SOURCE4} %{buildroot}/%{_sysusersdir}/go-fdo-server-manufacturer.conf
-install -m 0644 -vp -D %{SOURCE5} %{buildroot}/%{_sysusersdir}/go-fdo-server-rendezvous.conf
-install -m 0644 -vp -D %{SOURCE6} %{buildroot}/%{_sysusersdir}/go-fdo-server-owner.conf
+install -m 0644 -vp -D %{SOURCE1} %{buildroot}/%{_sysusersdir}/go-fdo-server.conf
+install -m 0644 -vp -D %{SOURCE2} %{buildroot}/%{_sysusersdir}/go-fdo-server-manufacturer.conf
+install -m 0644 -vp -D %{SOURCE3} %{buildroot}/%{_sysusersdir}/go-fdo-server-rendezvous.conf
+install -m 0644 -vp -D %{SOURCE4} %{buildroot}/%{_sysusersdir}/go-fdo-server-owner.conf
 # Sysconfig files
 install -m 0755 -vd %{buildroot}%{_sysconfdir}/sysconfig
 install -m 0644 -vp -D configs/sysconfig/* %{buildroot}%{_sysconfdir}/sysconfig/
@@ -72,12 +68,15 @@ install -m 0755 -vd %{buildroot}%{_datadir}/%{name}
 install -m 0755 -vp -D scripts/* %{buildroot}%{_datadir}/%{name}
 
 %check
-%go_vendor_license_check -c %{S:2}
 %if %{with check}
+# Run tests with vendored dependencies
+export GO111MODULE=on
+export GOFLAGS=-mod=vendor
 %gotest ./...
 %endif
-%files -f %{go_vendor_license_filelist}
-%license vendor/modules.txt
+
+%files
+%license LICENSE vendor/modules.txt
 %doc DOCKERFILE_USAGE.md FSIM_USAGE.md README.md SECURITY.md
 %{_bindir}/go-fdo-server
 %config(noreplace) %attr(770, root, go-fdo-server) %{_sysconfdir}/%{name}
@@ -90,7 +89,7 @@ install -m 0755 -vp -D scripts/* %{buildroot}%{_datadir}/%{name}
 %{_datadir}/%{name}/generate-owner-certs.sh
 
 %pre
-%sysusers_create_compat %{SOURCE3}
+%sysusers_create_compat %{SOURCE1}
 
 %package manufacturer
 Requires: go-fdo-server
@@ -110,7 +109,7 @@ preparing devices for the on-boarding process during the manufacturing phase.
 # Sysuser
 %{_sysusersdir}/go-fdo-server-manufacturer.conf
 %pre manufacturer
-%sysusers_create_compat %{SOURCE4}
+%sysusers_create_compat %{SOURCE2}
 
 %post manufacturer
 %systemd_post go-fdo-server-manufacturer.service
@@ -139,7 +138,7 @@ voucher.
 # Sysuser
 %{_sysusersdir}/go-fdo-server-rendezvous.conf
 %pre rendezvous
-%sysusers_create_compat %{SOURCE5}
+%sysusers_create_compat %{SOURCE3}
 
 %post rendezvous
 %systemd_post go-fdo-server-rendezvous.service
@@ -168,7 +167,7 @@ necessary credentials and configuration for operation.
 # Sysuser
 %{_sysusersdir}/go-fdo-server-owner.conf
 %pre owner
-%sysusers_create_compat %{SOURCE6}
+%sysusers_create_compat %{SOURCE4}
 
 %post owner
 %systemd_post go-fdo-server-owner.service