Wire COPR publish into the release pipeline (Phase 7)

Adds COPR (Fedora + EPEL) to the cargo-dist user_publish_jobs pipeline.
Same shape as the existing crates.io / Docker / .deb publish jobs.

Why the spec-file approach:

  copr-cli's only build entrypoint accepts SRPMs or spec files — it
  doesn't import prebuilt binary RPMs. So the binary-everywhere
  property we have for crates.io, GHCR, .deb, and AUR needed a thin
  spec whose %prep downloads the SLSA-attested upstream tarball
  cargo-dist already published, verifies it against the .sha256
  sidecar, and then %install just lays the binary into the buildroot.
  COPR's mock chroot does this on each Fedora + EPEL chroot in
  ~30 seconds — no Rust toolchain involved, single trust chain.

Why four secrets instead of one combined config blob:

  copr-cli only reads credentials from ~/.config/copr (no env-var
  fallback per copr/v3/helpers.py's config_from_file). The workflow
  has to assemble that file at runtime regardless. Splitting the four
  fields (login, username, token, copr_url) into separate repo secrets
  makes each one safe to paste as a single line (no multiline blob to
  get malformed) and lets the token be rotated without touching the
  other three.

Changes:

  * packaging/qn-bin.spec — the thin spec. ExclusiveArch: x86_64
    aarch64. Per-arch Source URL via ifarch, sha256 verification in
    %prep before %setup.

  * .github/workflows/publish-copr.yml — reusable workflow invoked
    by cargo-dist. Builds the SRPM from the spec (with QN_VERSION
    passed in from the dist manifest), assembles ~/.config/copr from
    the four COPR_* secrets, then dispatches via
    `copr-cli build --enable-net=on quicknode/qn <srpm>`.

    --enable-net=on is required because %prep curls the tarball;
    COPR's default mock has network disabled.

  * dist-workspace.toml — adds ./publish-copr to publish-jobs and
    grants `contents: read` via github-custom-job-permissions.

  * RELEASING.md — documents the COPR channel under CI publish
    channels and the four-secret provisioning flow.

  * release.yml — regenerated to include custom-publish-copr.

The job is gated by cargo-dist on `!is_prerelease`, same as the
others. Until all four COPR_* secrets are set on the repo, the job
will fail loudly at the "Configure copr-cli" step with a clear error
listing which fields are missing — the rest of the release continues
to succeed.

Earlier in this branch I went down a wrong path: a `release-build-copr-rpms`
Justfile recipe + [package.metadata.generate-rpm] block that produced
binary RPMs locally with cargo-generate-rpm. `copr-cli build` doesn't
accept binary RPMs, so that path was a dead-end. Reset and rewrote
before opening the PR for review.

Author: johnpmitsch

.github/workflows/publish-copr.yml

@@ -0,0 +1,112 @@
+name: Publish RPMs to COPR
+
+# Reusable workflow invoked by cargo-dist's release pipeline as a
+# user_publish_job (see dist-workspace.toml `publish-jobs`).
+#
+# Builds an SRPM from packaging/qn-bin.spec — a thin .spec whose %prep
+# downloads the SLSA-attested prebuilt binary cargo-dist publishes for
+# this release and verifies it against the .sha256 sidecar. No Rust
+# toolchain involved on COPR's side; the binary inside the resulting
+# RPM is bit-identical to the one in crates.io, Homebrew, GHCR, .deb,
+# and AUR.
+#
+# `copr-cli build --enable-net=on` is required because the spec's
+# %prep stage fetches the tarball over HTTPS from the GitHub Release.
+on:
+  workflow_call:
+    inputs:
+      plan:
+        description: dist-manifest JSON for this announcement
+        required: true
+        type: string
+
+# Reusable-workflow permissions must not exceed what the caller grants
+# in dist-workspace.toml's github-custom-job-permissions block. We only
+# need to read this repo to access the spec file.
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Extract release tag from plan
+        id: meta
+        env:
+          PLAN: ${{ inputs.plan }}
+        run: |
+          version=$(echo "$PLAN" | jq -r '.releases[0].app_version')
+          echo "version=$version" >> "$GITHUB_OUTPUT"
+
+      - name: Install rpmbuild + copr-cli
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y rpm python3-pip python3-venv
+          python3 -m venv "$HOME/copr-venv"
+          "$HOME/copr-venv/bin/pip" install --quiet copr-cli rich
+          echo "$HOME/copr-venv/bin" >> "$GITHUB_PATH"
+
+      - name: Build SRPM
+        env:
+          QN_VERSION: ${{ steps.meta.outputs.version }}
+        run: |
+          # Set up the rpmbuild tree.
+          mkdir -p "$HOME/rpmbuild"/{SOURCES,SPECS,SRPMS}
+          cp packaging/qn-bin.spec "$HOME/rpmbuild/SPECS/qn-bin.spec"
+
+          # SRPM only has the spec — the sources are fetched by mock at
+          # %prep time (Source0/Source1 are URLs, not local files). We
+          # pass --nodeps so rpmbuild doesn't try to satisfy
+          # BuildRequires on the runner; COPR's mock handles that.
+          rpmbuild -bs "$HOME/rpmbuild/SPECS/qn-bin.spec" \
+            --define "_topdir $HOME/rpmbuild" \
+            --define "qn_version $QN_VERSION" \
+            --nodeps
+          ls -la "$HOME/rpmbuild/SRPMS/"
+
+      - name: Configure copr-cli
+        env:
+          # copr-cli doesn't read env vars — it requires a config file at
+          # ~/.config/copr in INI format. The four fields are provisioned
+          # as separate repo secrets so each can be pasted as a single
+          # line and rotated independently. The file is assembled here at
+          # runtime. Verbatim values come from
+          # https://copr.fedorainfracloud.org/api/.
+          COPR_LOGIN:    ${{ secrets.COPR_LOGIN }}
+          COPR_USERNAME: ${{ secrets.COPR_USERNAME }}
+          COPR_TOKEN:    ${{ secrets.COPR_TOKEN }}
+          COPR_URL:      ${{ secrets.COPR_URL }}
+        run: |
+          missing=()
+          [[ -z "$COPR_LOGIN" ]]    && missing+=(COPR_LOGIN)
+          [[ -z "$COPR_USERNAME" ]] && missing+=(COPR_USERNAME)
+          [[ -z "$COPR_TOKEN" ]]    && missing+=(COPR_TOKEN)
+          [[ -z "$COPR_URL" ]]      && missing+=(COPR_URL)
+          if (( ${#missing[@]} > 0 )); then
+            echo "Error: COPR secrets not set on this repo:" >&2
+            printf '  %s\n' "${missing[@]}" >&2
+            echo "Provision per RELEASING.md's COPR one-time-setup section." >&2
+            exit 1
+          fi
+          mkdir -p ~/.config
+          # Use printf rather than heredoc to avoid YAML-indentation
+          # leaking into the file (configparser treats indented lines
+          # as continuations and rejects them).
+          printf '[copr-cli]\nlogin = %s\nusername = %s\ntoken = %s\ncopr_url = %s\n' \
+            "$COPR_LOGIN" "$COPR_USERNAME" "$COPR_TOKEN" "$COPR_URL" \
+            > ~/.config/copr
+          chmod 600 ~/.config/copr
+
+      - name: copr-cli build
+        run: |
+          srpm=$(ls "$HOME/rpmbuild/SRPMS/"qn-${{ steps.meta.outputs.version }}-1*.src.rpm)
+          if [[ ! -f "$srpm" ]]; then
+            echo "Error: SRPM not found at expected path under SRPMS/" >&2
+            exit 1
+          fi
+          echo "Uploading $srpm to quicknode/qn..."
+          # --enable-net=on so COPR's mock chroot can curl the prebuilt
+          # tarball + sha256 sidecar from the GitHub Release in %prep.
+          copr-cli build quicknode/qn "$srpm" --enable-net=on

.github/workflows/release.yml

@@ -327,17 +327,31 @@ jobs:
     permissions:
       "contents": "write"
 
+  custom-publish-copr:
+    needs:
+      - plan
+      - host
+    if: ${{ !fromJson(needs.plan.outputs.val).announcement_is_prerelease || fromJson(needs.plan.outputs.val).publish_prereleases }}
+    uses: ./.github/workflows/publish-copr.yml
+    with:
+      plan: ${{ needs.plan.outputs.val }}
+    secrets: inherit
+    # publish jobs get escalated permissions
+    permissions:
+      "contents": "read"
+
   announce:
     needs:
       - plan
       - host
       - custom-publish-crates
       - custom-publish-docker
       - custom-publish-deb
+      - custom-publish-copr
     # use "always() && ..." to allow us to wait for all publish jobs while
     # still allowing individual publish jobs to skip themselves (for prereleases).
     # "host" however must run to completion, no skipping allowed!
-    if: ${{ always() && needs.host.result == 'success' && (needs.custom-publish-crates.result == 'skipped' || needs.custom-publish-crates.result == 'success') && (needs.custom-publish-docker.result == 'skipped' || needs.custom-publish-docker.result == 'success') && (needs.custom-publish-deb.result == 'skipped' || needs.custom-publish-deb.result == 'success') }}
+    if: ${{ always() && needs.host.result == 'success' && (needs.custom-publish-crates.result == 'skipped' || needs.custom-publish-crates.result == 'success') && (needs.custom-publish-docker.result == 'skipped' || needs.custom-publish-docker.result == 'success') && (needs.custom-publish-deb.result == 'skipped' || needs.custom-publish-deb.result == 'success') && (needs.custom-publish-copr.result == 'skipped' || needs.custom-publish-copr.result == 'success') }}
     runs-on: "ubuntu-22.04"
     env:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

RELEASING.md

@@ -16,8 +16,9 @@ Three named recipes in the `Justfile`:
    - `custom-publish-crates` → publishes `quicknode-cli` to crates.io
    - `custom-publish-docker` → builds multi-arch image, pushes to `ghcr.io/quicknode/qn`
    - `custom-publish-deb` → packages `.deb` per arch, uploads to the GitHub Release as assets
+   - `custom-publish-copr` → builds an SRPM from `packaging/qn-bin.spec` (whose `%prep` downloads the SLSA-attested prebuilt binary), dispatches via `copr-cli build` to the `quicknode/qn` COPR project
 
-3. **Maintainer manual steps after CI succeeds.** Three channels still need a person to drive the publish because CI doesn't yet have the credentials it needs.
+3. **Maintainer manual steps after CI succeeds.** Two channels still need a person to drive the publish because CI doesn't yet have the credentials it needs.
 
 ## Manual steps after each release
 
@@ -98,6 +99,26 @@ The first push registers the package on the AUR. Subsequent pushes just update i
 
 After publishing: confirm via `https://aur.archlinux.org/packages/qn-bin` (the RPC at `/rpc/v5/info` can lag the package page by a few minutes — trust the web page, not the RPC, for fresh registrations).
 
+### COPR (`quicknode/qn`)
+
+Maintainer needs a Fedora account at <https://accounts.fedoraproject.org> and a COPR project `quicknode/qn` created at <https://copr.fedorainfracloud.org>. Project settings to set on creation:
+
+- **Chroots**: current Fedora releases + EPEL 9 (covers RHEL 9, Rocky 9, Alma 9). Skip EPEL 8 unless requested — its glibc is too old for our gnu binaries.
+- **Build settings**: enable internet access for builds (the `%prep` step in `packaging/qn-bin.spec` curls the prebuilt tarball from the GitHub Release; without net the build can't download it).
+
+CI auths to COPR via four repo secrets — `copr-cli` itself only reads credentials from a config file at `~/.config/copr` (no env-var fallback), so we provision the four fields separately and let the workflow assemble the file at build time. Generate the values at <https://copr.fedorainfracloud.org/api/>; the page shows a `[copr-cli]` config block with these four lines. Copy each field's value into its own secret:
+
+| Secret | Field from the COPR API page |
+|---|---|
+| `COPR_LOGIN`    | `login = …` |
+| `COPR_USERNAME` | `username = …` |
+| `COPR_TOKEN`    | `token = …` |
+| `COPR_URL`      | `copr_url = …` (almost always `https://copr.fedorainfracloud.org`) |
+
+Set each with `gh secret set COPR_LOGIN --repo quicknode/cli` etc., pasting just the value (no `login = ` prefix, no quotes). Splitting them this way also means the token can be rotated without re-pasting the other three.
+
+`packaging/qn-bin.spec` lives in this repo; it's a thin spec whose `%prep` downloads the SLSA-attested prebuilt linux-gnu tarball and verifies it against the `.sha256` sidecar, so COPR isn't rebuilding `qn` from Rust source — it's just packaging the upstream binary into an RPM per chroot. Same trust chain as everywhere else qn ships.
+
 ## Recovery: a publish channel failed
 
 If a single publish-* job in `release.yml` fails (e.g. crates.io rejected the publish because the token expired), the rest of the release is still good — the GitHub Release, attestations, and other channels remain published.

dist-workspace.toml

@@ -29,7 +29,7 @@ tap = "quicknode/homebrew-tap"
 # Override the Homebrew formula name so `brew install quicknode/tap/qn` works
 # (default would derive it from the package name `quicknode-cli`).
 formula = "qn"
-publish-jobs = ["./publish-crates", "./publish-docker", "./publish-deb"]
+publish-jobs = ["./publish-crates", "./publish-docker", "./publish-deb", "./publish-copr"]
 # Emit SLSA build attestations for every binary archive. Critical for a credential-handling tool.
 github-attestations = true
 
@@ -41,4 +41,4 @@ github-attestations = true
 # the calling job's permission grant so the called workflow can also
 # declare contents:read without exceeding the caller. publish-deb
 # needs contents: write so it can `gh release upload` the .deb files.
-github-custom-job-permissions = { "publish-crates" = { contents = "read" }, "publish-docker" = { contents = "read", packages = "write", "id-token" = "write" }, "publish-deb" = { contents = "write" } }
+github-custom-job-permissions = { "publish-crates" = { contents = "read" }, "publish-docker" = { contents = "read", packages = "write", "id-token" = "write" }, "publish-deb" = { contents = "write" }, "publish-copr" = { contents = "read" } }

packaging/qn-bin.spec

@@ -0,0 +1,79 @@
+# qn-bin: install the SLSA-attested binary cargo-dist ships, no rebuild.
+#
+# This spec is built on COPR's mock chroots. `%prep` downloads the per-arch
+# linux-gnu tarball from the GitHub Release and verifies it against the
+# .sha256 sidecar; `%install` lays the binary + docs into the buildroot.
+# No Rust toolchain involved on the COPR side — the binary inside the
+# resulting RPM is bit-identical to what ships in crates.io,
+# Homebrew, .deb, and the GHCR image.
+#
+# Built and uploaded by .github/workflows/publish-copr.yml on each release.
+# Requires --enable-net=on at build time (mock fetches the tarball).
+
+%global qn_version %{getenv:QN_VERSION}
+
+%if "%{qn_version}" == ""
+%{error: QN_VERSION must be set when building this spec (e.g. rpmbuild --define "qn_version 0.1.4")}
+%endif
+
+Name:    qn
+Version: %{qn_version}
+Release: 1%{?dist}
+Summary: Command-line interface for the Quicknode SDK
+License: MIT
+URL:     https://github.com/quicknode/cli
+
+# cargo-dist emits separate tarballs per Rust target triple. We map COPR's
+# arch tokens to those triples; the per-arch Source entry below picks the
+# right one at build time.
+%ifarch x86_64
+%global rust_target x86_64-unknown-linux-gnu
+%endif
+%ifarch aarch64
+%global rust_target aarch64-unknown-linux-gnu
+%endif
+
+Source0: https://github.com/quicknode/cli/releases/download/v%{version}/quicknode-cli-%{rust_target}.tar.xz
+Source1: https://github.com/quicknode/cli/releases/download/v%{version}/quicknode-cli-%{rust_target}.tar.xz.sha256
+
+ExclusiveArch: x86_64 aarch64
+BuildRequires: coreutils
+BuildRequires: tar
+BuildRequires: xz
+
+%description
+qn is a command-line interface for Quicknode, built around noun-verb
+commands that read naturally for both humans and agents. Manage endpoints,
+streams, webhooks, the KV store, teams, usage, and billing.
+
+This package installs the prebuilt binary cargo-dist publishes upstream —
+the same SLSA-attested artifact that ships in crates.io, Homebrew, the
+GHCR Docker image, the AUR qn-bin package, and Debian .deb files.
+
+%prep
+# Verify the tarball matches the sha256 sidecar from the release.
+# The sidecar's format is `<hex>  *<filename>`; rewrite the filename to
+# point at the local SOURCES path so `sha256sum -c` works.
+expected_hash=$(awk '{print $1}' < %{SOURCE1})
+actual_hash=$(sha256sum %{SOURCE0} | awk '{print $1}')
+if [ "$expected_hash" != "$actual_hash" ]; then
+  echo "Error: sha256 mismatch for %{SOURCE0}" >&2
+  echo "  expected: $expected_hash" >&2
+  echo "  actual:   $actual_hash" >&2
+  exit 1
+fi
+%setup -q -n quicknode-cli-%{rust_target}
+
+%install
+install -Dm755 qn         %{buildroot}%{_bindir}/qn
+install -Dm644 LICENSE    %{buildroot}%{_licensedir}/%{name}/LICENSE
+install -Dm644 README.md  %{buildroot}%{_docdir}/%{name}/README.md
+
+%files
+%{_bindir}/qn
+%license LICENSE
+%doc README.md
+
+%changelog
+* Thu Jun 11 2026 Quicknode <support@quicknode.com> - %{version}-1
+- Automated build from the GitHub Release upstream.