gh-nfpm 0.1.0__tar.gz

gh_nfpm-0.1.0/PKG-INFO

@@ -0,0 +1,192 @@
+Metadata-Version: 2.3
+Name: gh-nfpm
+Version: 0.1.0
+Summary: Package GitHub releases using nFPM
+Author: Fredrik Larsson
+Author-email: Fredrik Larsson <pypi@fredriklarsson.dev>
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Environment :: Console
+Classifier: Framework :: Pydantic :: 2
+Classifier: Operating System :: MacOS
+Classifier: Operating System :: Microsoft :: Windows
+Classifier: Operating System :: POSIX :: Linux
+Classifier: Topic :: System :: Archiving :: Packaging
+Classifier: Typing :: Typed
+Classifier: Intended Audience :: System Administrators
+Requires-Dist: githubkit>=0.15.5,<0.16
+Requires-Dist: httpx>=0.28.1
+Requires-Dist: jsonschema>=4.26.0
+Requires-Dist: pydantic>2,<3
+Requires-Dist: pydantic-settings[yaml]>=2.14.1
+Requires-Dist: pyyaml>=6.0.3
+Requires-Dist: nfpm>=2.46.3 ; extra == 'nfpm'
+Requires-Python: >=3.12
+Provides-Extra: nfpm
+Description-Content-Type: text/markdown
+
+# gh-nfpm
+
+Easily package GitHub releases using [nFPM](https://nfpm.goreleaser.com/).
+
+Currently only supports building the latest GitHub release.
+
+tl;dr You specify a GitHub repository, a list of release assets, and the nFPM
+packaging configuration. gh-nfpm will download the matching assets from the
+latest GitHub release in the repository and build an nFPM package for each
+asset. You can build multiple package types for each asset.
+
+## Configuration
+
+The configuration is stored inside a YAML file called `gh-nfpm.yaml`.
+
+### Repository and assets
+
+The `repository` is specified with a string `organization/repository`, for
+example this repository would be `nossralf/gh-nfpm`.
+
+Asset matching supports literal matches or regular expressions. Currently only
+`tar.gz` and `zip` assets are supported as package sources.
+
+The shorthand format is literal matching, so:
+
+```yaml
+assets:
+  - release.zip
+  - release.tar.gz
+```
+
+would match release assets named exactly `release.zip` and `release.tar.gz`.
+
+Regular expressions can be used for cases where the release asset contains a
+version number:
+
+```yaml
+assets:
+  - match:
+      kind: regex
+      pattern: ".*-aarch64-unknown-linux-musl.tar.gz$"
+```
+
+This would match `my-tool-3.14.15-aarch64-unknown-linux-musl.tar.gz`.
+
+If the architecture cannot be deduced from the asset name, it can be specified
+as part of the asset configuration, for example with a literal match (which
+needs to use the verbose format when specifying an architecture):
+
+```yaml
+assets:
+  - arch: all
+    match:
+      kind: literal
+      pattern: architecture-independent-release.tar.gz
+```
+
+gh-nfpm will verify the digest of downloaded assets if one is present in the
+GitHub API response. It will abort if a digest doesn't match.
+
+### Packagers
+
+The `packagers` list specifies which nFPM packagers should be run for each
+asset. The supported values are `apk`, `archlinux`, `deb`, `ipk`, `msix`,
+`rpm`, and `srpm`.
+
+### Release cooldown
+
+Release cooldown is supported by setting `cooldown`, either as an integer
+representing seconds, or as an [ISO 8601
+duration](https://en.wikipedia.org/wiki/ISO_8601#Durations), for example `P1W`
+for one week, `P2D` for 2 days, or `PT12H` for 12 hours. The last _update_ of
+the GitHub release is used when evaluating the cooldown.
+
+### Other configuration options
+
+- `token` sets the GitHub token used to interact with GitHub. By default,
+  unauthenticated access is used. It can also be set via the environment
+  variable `GHNFPM_TOKEN` to avoid hard-coding credentials in the configuration
+  file.
+- `nfpm_executable` can be set to specify the path to nFPM. By default gh-nfpm
+  will assume that an `npfm` binary can be found via `$PATH`.
+
+## nFPM configuration
+
+The nFPM configuration is stored under a top-level key `nfpm` in the
+`gh-nfpm.yaml` configuration file. The complete nFPM configuration schema is
+supported and the content is validated with the nFPM JSON Schema.
+
+The `version` and `arch` fields can be left out of the nFPM configuration and
+will then be filled in based on the release name and architecture from the
+release assets. If you do specify the version or the architecture, the value
+you specify will always be used when building the package.
+
+### Source paths
+
+gh-nfpm will unpack the release assets by stripping off any leading directories
+that don't contain files inside the asset, to avoid situations where e.g.
+directories with version numbers would make static packaging configuration
+impossible.
+
+This means that if a release asset contains this directory structure:
+
+```
+.
+└── release
+    └── 0.13
+        ├── completions
+        │   └── tool.1
+        └── tool
+```
+
+gh-nfpm will strip the leading `release/0.13` and unpack the asset like this:
+
+```
+.
+├── completions
+│   └── tool.1
+└── tool
+```
+
+This enables specifying `tool` as the source path in nFPM's content
+specification, instead of `release/0.13/tool`.
+
+## Example
+
+This is how you would build Debian packages (both x86-64 and AArch64) for
+[uv](https://docs.astral.sh/uv/) with a 2 day release cooldown.
+
+```yaml
+repository: astral-sh/uv
+cooldown: P2D
+assets:
+  - uv-x86_64-unknown-linux-musl.tar.gz
+  - uv-aarch64-unknown-linux-musl.tar.gz
+packagers:
+  - deb
+
+nfpm:
+  name: uv
+  platform: linux
+  section: python
+  description: |-
+    An extremely fast Python package and project manager, written in Rust.
+  homepage: https://docs.astral.sh/uv/
+  maintainer: Mackenzie Maintainer <mackenzie@example.com>
+  license: MIT or Apache-2.0
+
+  contents:
+    - src: uv
+      dst: /usr/bin/uv
+    - src: uvx
+      dst: /usr/bin/uvx
+```
+
+## Usage
+
+Create a gh-nfpm.yaml file, then run `uvx gh-nfpm`. The built packages will be
+placed in the current directory.
+
+If you don't have nFPM installed, you can run `uvx 'gh-nfpm[npfm]'` and nFPM
+will be installed via the `nfpm`[Python
+package](https://pypi.org/project/nfpm/). Be aware that the `npfm` PyPI package
+is **not** provided by the nFPM team.

gh_nfpm-0.1.0/README.md

@@ -0,0 +1,164 @@
+# gh-nfpm
+
+Easily package GitHub releases using [nFPM](https://nfpm.goreleaser.com/).
+
+Currently only supports building the latest GitHub release.
+
+tl;dr You specify a GitHub repository, a list of release assets, and the nFPM
+packaging configuration. gh-nfpm will download the matching assets from the
+latest GitHub release in the repository and build an nFPM package for each
+asset. You can build multiple package types for each asset.
+
+## Configuration
+
+The configuration is stored inside a YAML file called `gh-nfpm.yaml`.
+
+### Repository and assets
+
+The `repository` is specified with a string `organization/repository`, for
+example this repository would be `nossralf/gh-nfpm`.
+
+Asset matching supports literal matches or regular expressions. Currently only
+`tar.gz` and `zip` assets are supported as package sources.
+
+The shorthand format is literal matching, so:
+
+```yaml
+assets:
+  - release.zip
+  - release.tar.gz
+```
+
+would match release assets named exactly `release.zip` and `release.tar.gz`.
+
+Regular expressions can be used for cases where the release asset contains a
+version number:
+
+```yaml
+assets:
+  - match:
+      kind: regex
+      pattern: ".*-aarch64-unknown-linux-musl.tar.gz$"
+```
+
+This would match `my-tool-3.14.15-aarch64-unknown-linux-musl.tar.gz`.
+
+If the architecture cannot be deduced from the asset name, it can be specified
+as part of the asset configuration, for example with a literal match (which
+needs to use the verbose format when specifying an architecture):
+
+```yaml
+assets:
+  - arch: all
+    match:
+      kind: literal
+      pattern: architecture-independent-release.tar.gz
+```
+
+gh-nfpm will verify the digest of downloaded assets if one is present in the
+GitHub API response. It will abort if a digest doesn't match.
+
+### Packagers
+
+The `packagers` list specifies which nFPM packagers should be run for each
+asset. The supported values are `apk`, `archlinux`, `deb`, `ipk`, `msix`,
+`rpm`, and `srpm`.
+
+### Release cooldown
+
+Release cooldown is supported by setting `cooldown`, either as an integer
+representing seconds, or as an [ISO 8601
+duration](https://en.wikipedia.org/wiki/ISO_8601#Durations), for example `P1W`
+for one week, `P2D` for 2 days, or `PT12H` for 12 hours. The last _update_ of
+the GitHub release is used when evaluating the cooldown.
+
+### Other configuration options
+
+- `token` sets the GitHub token used to interact with GitHub. By default,
+  unauthenticated access is used. It can also be set via the environment
+  variable `GHNFPM_TOKEN` to avoid hard-coding credentials in the configuration
+  file.
+- `nfpm_executable` can be set to specify the path to nFPM. By default gh-nfpm
+  will assume that an `npfm` binary can be found via `$PATH`.
+
+## nFPM configuration
+
+The nFPM configuration is stored under a top-level key `nfpm` in the
+`gh-nfpm.yaml` configuration file. The complete nFPM configuration schema is
+supported and the content is validated with the nFPM JSON Schema.
+
+The `version` and `arch` fields can be left out of the nFPM configuration and
+will then be filled in based on the release name and architecture from the
+release assets. If you do specify the version or the architecture, the value
+you specify will always be used when building the package.
+
+### Source paths
+
+gh-nfpm will unpack the release assets by stripping off any leading directories
+that don't contain files inside the asset, to avoid situations where e.g.
+directories with version numbers would make static packaging configuration
+impossible.
+
+This means that if a release asset contains this directory structure:
+
+```
+.
+└── release
+    └── 0.13
+        ├── completions
+        │   └── tool.1
+        └── tool
+```
+
+gh-nfpm will strip the leading `release/0.13` and unpack the asset like this:
+
+```
+.
+├── completions
+│   └── tool.1
+└── tool
+```
+
+This enables specifying `tool` as the source path in nFPM's content
+specification, instead of `release/0.13/tool`.
+
+## Example
+
+This is how you would build Debian packages (both x86-64 and AArch64) for
+[uv](https://docs.astral.sh/uv/) with a 2 day release cooldown.
+
+```yaml
+repository: astral-sh/uv
+cooldown: P2D
+assets:
+  - uv-x86_64-unknown-linux-musl.tar.gz
+  - uv-aarch64-unknown-linux-musl.tar.gz
+packagers:
+  - deb
+
+nfpm:
+  name: uv
+  platform: linux
+  section: python
+  description: |-
+    An extremely fast Python package and project manager, written in Rust.
+  homepage: https://docs.astral.sh/uv/
+  maintainer: Mackenzie Maintainer <mackenzie@example.com>
+  license: MIT or Apache-2.0
+
+  contents:
+    - src: uv
+      dst: /usr/bin/uv
+    - src: uvx
+      dst: /usr/bin/uvx
+```
+
+## Usage
+
+Create a gh-nfpm.yaml file, then run `uvx gh-nfpm`. The built packages will be
+placed in the current directory.
+
+If you don't have nFPM installed, you can run `uvx 'gh-nfpm[npfm]'` and nFPM
+will be installed via the `nfpm`[Python
+package](https://pypi.org/project/nfpm/). Be aware that the `npfm` PyPI package
+is **not** provided by the nFPM team.

gh_nfpm-0.1.0/pyproject.toml

@@ -0,0 +1,59 @@
+[project]
+name = "gh-nfpm"
+version = "0.1.0"
+description = "Package GitHub releases using nFPM"
+readme = "README.md"
+authors = [
+    { name = "Fredrik Larsson", email = "pypi@fredriklarsson.dev" }
+]
+requires-python = ">=3.12"
+classifiers = [
+  "Programming Language :: Python :: 3.12",
+  "Programming Language :: Python :: 3.13",
+  "Programming Language :: Python :: 3.14",
+  "Environment :: Console",
+  "Framework :: Pydantic :: 2",
+  "Operating System :: MacOS",
+  "Operating System :: Microsoft :: Windows",
+  "Operating System :: POSIX :: Linux",
+  "Topic :: System :: Archiving :: Packaging",
+  "Typing :: Typed",
+  "Intended Audience :: System Administrators",
+]
+
+dependencies = [
+    "githubkit>=0.15.5,<0.16",
+    "httpx>=0.28.1",
+    "jsonschema>=4.26.0",
+    "pydantic>2,<3",
+    "pydantic-settings[yaml]>=2.14.1",
+    "pyyaml>=6.0.3",
+]
+
+[project.optional-dependencies]
+nfpm = [
+    "nfpm>=2.46.3",
+]
+
+[dependency-groups]
+dev = [
+    "pytest>=9.1.0",
+    "pytest-cov>=7.1.0",
+    "pytest-mock>=3.15.1",
+]
+
+[project.scripts]
+gh-nfpm = "gh_nfpm.cli:main"
+
+[build-system]
+requires = ["uv_build>=0.11.19,<0.12.0"]
+build-backend = "uv_build"
+
+[tool.bumpversion]
+allow_dirty = false
+commit = true
+message = "Version {new_version}"
+sign_tags = false
+tag = true
+tag_message = "Version {new_version}"
+tag_name = "v{new_version}"

gh_nfpm-0.1.0/src/gh_nfpm/archive.py

@@ -0,0 +1,76 @@
+import os
+import stat
+import tarfile
+from abc import ABC, abstractmethod
+from pathlib import Path, PurePosixPath
+from typing import Any
+from zipfile import ZipFile, ZipInfo
+
+
+class Archive(ABC):
+    @abstractmethod
+    def files(self) -> list[str]: ...
+
+    @abstractmethod
+    def _open_member(self, name: str) -> Any: ...
+
+    @abstractmethod
+    def close(self): ...
+
+    def _extract_member(self, name: str, dest: Path):
+        with self._open_member(name) as src:
+            dest.write_bytes(src.read())
+
+    def extract(self, dest: Path):
+        files = self.files()
+        if not files:
+            return
+        paths = [PurePosixPath(f) for f in files]
+        if len(paths) == 1:
+            prefix = paths[0].parent
+        else:
+            prefix = PurePosixPath(os.path.commonpath(paths))
+        for f, p in zip(files, paths):
+            target_file = dest.joinpath(p.relative_to(prefix) if prefix.parts else p)
+
+            if not target_file.resolve().is_relative_to(dest.resolve()):
+                raise ValueError(
+                    f"Archive member {f} would be written outside destination directory."
+                )
+
+            target_file.parent.mkdir(parents=True, exist_ok=True)
+            self._extract_member(f, dest=target_file)
+
+    def __enter__(self):
+        return self
+
+    def __exit__(self):
+        self.close()
+
+
+class ZipArchive(Archive):
+    def __init__(self, zip_file: Path):
+        self._zf = ZipFile(zip_file)
+
+    def files(self) -> list[str]:
+        return [i.filename for i in self._zf.infolist() if not i.is_dir()]
+
+    def _open_member(self, name: str):
+        return self._zf.open(name)
+
+    def close(self):
+        self._zf.close()
+
+
+class TarArchive(Archive):
+    def __init__(self, tar_file: Path):
+        self._tar = tarfile.open(tar_file)
+
+    def files(self) -> list[str]:
+        return [m.name for m in self._tar.getmembers() if m.isfile()]
+
+    def _open_member(self, name: str):
+        return self._tar.extractfile(name)
+
+    def close(self):
+        self._tar.close()

gh_nfpm-0.1.0/src/gh_nfpm/cli.py

@@ -0,0 +1,159 @@
+import copy
+import hashlib
+import itertools
+import shutil
+import sys
+import tarfile
+import zipfile
+from collections.abc import Iterable
+from contextlib import contextmanager
+from datetime import datetime, timezone
+from pathlib import Path
+from tempfile import TemporaryDirectory
+from typing import Generator, Protocol, Self
+
+import jsonschema
+import yaml
+from githubkit import GitHub, UnauthAuthStrategy
+from githubkit.versions.latest.models import Release
+from httpx import Client
+
+from .archive import Archive, TarArchive, ZipArchive
+from .config import Arch, Config, ConfigAsset, PackageSource
+from .nfpm import Nfpm
+
+
+class NullHasher:
+    def update(self, _: bytes) -> None:
+        pass
+
+    def digest(self) -> bytes:
+        raise NotImplementedError()
+
+    def hexdigest(self) -> str:
+        raise NotImplementedError()
+
+    def copy(self) -> Self:
+        return type(self)()
+
+
+@contextmanager
+def temporary_directory(
+    suffix=None, prefix=None, dir=None, ignore_cleanup_errors=False, *, delete=True
+) -> Generator[Path, None, None]:
+    with TemporaryDirectory(
+        suffix, prefix, dir, ignore_cleanup_errors, delete=delete
+    ) as dir:
+        yield Path(dir)
+
+
+def get_package_sources(
+    requested_assets: Iterable[ConfigAsset], release: Release
+) -> Iterable[PackageSource]:
+    package_sources = []
+    for release_asset, requested_asset in itertools.product(
+        release.assets, requested_assets
+    ):
+        if requested_asset.match.matches(release_asset.name):
+            if requested_asset.arch is None:
+                arch = Arch.guess_from_filename(release_asset.name)
+            else:
+                arch = requested_asset.arch
+            package_sources.append(PackageSource(asset=release_asset, arch=arch))
+
+    return package_sources
+
+
+def download_package_source(
+    client: Client, source: PackageSource, dest: Path
+) -> Archive:
+    if source.asset.digest is not None:
+        alg, *_ = source.asset.digest.partition(":")
+        hasher = hashlib.new(alg)
+    else:
+        hasher = NullHasher()
+
+    output_file = dest.joinpath(source.arch).with_suffix(".tar.gz")
+
+    with (
+        client.stream(
+            "GET", source.asset.browser_download_url, follow_redirects=True
+        ) as stream,
+        output_file.open("wb") as out,
+    ):
+        for chunk in stream.iter_bytes():
+            out.write(chunk)
+            hasher.update(chunk)
+
+    if source.asset.digest is not None:
+        *_, expected_digest = source.asset.digest.partition(":")
+        actual_digest = hasher.hexdigest()
+        if actual_digest != expected_digest:
+            output_file.unlink()
+            raise ValueError(
+                f"Digest mismatch: expected {expected_digest}, got {actual_digest}"
+            )
+
+    if zipfile.is_zipfile(output_file):
+        return ZipArchive(output_file)
+    elif tarfile.is_tarfile(output_file):
+        return TarArchive(output_file)
+    raise ValueError(f"Unsupported file type for '{source.asset.name}'")
+
+
+def bail(message: str):
+    print(f"Error: {message}", file=sys.stderr)
+    sys.exit(1)
+
+
+def main() -> None:
+    config = Config()  # type: ignore[call-arg]
+    project, _, repository = config.repository.partition("/")
+
+    nfpm = Nfpm(executable=config.nfpm_executable)
+
+    if not nfpm.available:
+        bail("Can't find nFPM")
+
+    print(f"Using nFPM version {nfpm.version}")
+
+    gh = GitHub(
+        config.token.get_secret_value()
+        if config.token is not None
+        else UnauthAuthStrategy()
+    )
+
+    latest_release: Release = gh.rest.repos.get_latest_release(
+        project, repository
+    ).parsed_data
+
+    if config.cooldown is not None:
+        release_changed = (
+            latest_release.updated_at
+            if latest_release.updated_at
+            else latest_release.created_at
+        )
+        now = datetime.now(timezone.utc)
+        if (now - config.cooldown) < release_changed:
+            bail("Release newer than configured cooldown allows.")
+
+    sources = get_package_sources(config.assets, latest_release)
+
+    with temporary_directory() as downloads:
+        for source in sources:
+            asset = download_package_source(Client(), source, dest=downloads)
+
+            nfpm_config = copy.deepcopy(config.nfpm)
+            nfpm_config["version"] = nfpm_config.get("version", latest_release.name)
+            nfpm_config["arch"] = nfpm_config.get("arch", str(source.arch))
+
+            jsonschema.validate(nfpm_config, nfpm.jsonschema)
+
+            with temporary_directory() as build_dir:
+                asset.extract(build_dir)
+                build_dir.joinpath("nfpm.yaml").write_text(
+                    yaml.dump(nfpm_config, sort_keys=False)
+                )
+                for packager in config.packagers:
+                    package = nfpm.package(packager, build_dir)
+                    shutil.move(package, Path.cwd().joinpath(package.name))

gh_nfpm-0.1.0/src/gh_nfpm/config.py

@@ -0,0 +1,134 @@
+from __future__ import annotations
+
+import re
+from dataclasses import dataclass
+from datetime import timedelta
+from enum import StrEnum
+from typing import Annotated, Any, Literal, Self, cast
+
+from githubkit.versions.latest.models import ReleaseAsset
+from pydantic import (
+    AfterValidator,
+    BaseModel,
+    Field,
+    ModelWrapValidatorHandler,
+    SecretStr,
+    StringConstraints,
+    model_validator,
+)
+from pydantic_settings import (
+    BaseSettings,
+    PydanticBaseSettingsSource,
+    SettingsConfigDict,
+    YamlConfigSettingsSource,
+)
+
+
+class Packager(StrEnum):
+    APK = "apk"
+    ARCHLINUX = "archlinux"
+    DEB = "deb"
+    IPK = "ipk"
+    MSIX = "msix"
+    RPM = "rpm"
+    SRPM = "srpm"
+
+    @property
+    def extension(self) -> str:
+        match self:
+            case Packager.ARCHLINUX:
+                return "pkg.tar.zst"
+            case Packager.SRPM:
+                return "src.rpm"
+            case _:
+                return str(self)
+
+
+class Arch(StrEnum):
+    ARM64 = "arm64"
+    AMD64 = "amd64"
+    ALL = "all"
+
+    @classmethod
+    def guess_from_filename(cls, filename: str) -> Self:
+        if any(a in filename for a in ("amd64", "x86_64")):
+            return cast(Self, cls.AMD64)
+        elif any(a in filename for a in ("arm64", "aarch64")):
+            return cast(Self, cls.ARM64)
+        else:
+            raise ValueError(f"Can't guess architecture from filename '{filename}'")
+
+
+@dataclass
+class PackageSource:
+    asset: ReleaseAsset
+    arch: Arch
+
+
+StrippedStr = Annotated[str, StringConstraints(strip_whitespace=True)]
+
+
+class LiteralMatch(BaseModel):
+    kind: Literal["literal"] = "literal"
+    pattern: str
+
+    def matches(self, string: str) -> bool:
+        return string == self.pattern
+
+
+class RegexMatch(BaseModel):
+    kind: Literal["regex"] = "regex"
+    pattern: str
+
+    def matches(self, string: str) -> bool:
+        return re.match(self.pattern, string) is not None
+
+
+Match = Annotated[
+    LiteralMatch | RegexMatch,
+    Field(discriminator="kind"),
+]
+
+
+class ConfigAsset(BaseModel):
+    match: Match
+    arch: Arch | None = None
+
+    @model_validator(mode="wrap")
+    @classmethod
+    def _coerce_str(cls, value: Any, handler: ModelWrapValidatorHandler[Self]) -> Self:
+        if isinstance(value, str):
+            return cls(match=LiteralMatch(pattern=value))
+        return handler(value)
+
+
+Cooldown = Annotated[timedelta, AfterValidator(lambda v: abs(v))]
+
+
+class Config(BaseSettings):
+    model_config = SettingsConfigDict(
+        yaml_file="gh-nfpm.yaml", env_prefix="GHNFPM_", env_nested_delimiter="_"
+    )
+
+    repository: StrippedStr
+    assets: list[ConfigAsset]
+    nfpm: dict[Any, Any]
+    packagers: set[Packager]
+    token: SecretStr | None = None
+    cooldown: Cooldown | None = None
+    nfpm_executable: str = "nfpm"
+
+    @classmethod
+    def settings_customise_sources(
+        cls,
+        settings_cls: type[BaseSettings],
+        init_settings: PydanticBaseSettingsSource,
+        env_settings: PydanticBaseSettingsSource,
+        dotenv_settings: PydanticBaseSettingsSource,
+        file_secret_settings: PydanticBaseSettingsSource,
+    ) -> tuple[PydanticBaseSettingsSource, ...]:
+        return (
+            init_settings,
+            env_settings,
+            YamlConfigSettingsSource(settings_cls),
+        )

gh_nfpm-0.1.0/src/gh_nfpm/nfpm.py

@@ -0,0 +1,53 @@
+import json
+import subprocess
+from dataclasses import dataclass
+from functools import cached_property
+from pathlib import Path
+from typing import Any
+
+from .config import Packager
+
+
+@dataclass
+class Nfpm:
+    executable: Path | str = "nfpm"
+
+    @cached_property
+    def available(self) -> bool:
+        try:
+            subprocess.run([self.executable, "--version"], capture_output=True)
+        except FileNotFoundError:
+            return False
+        return True
+
+    @cached_property
+    def version(self) -> str:
+        nfpm = subprocess.run([self.executable, "--version"], capture_output=True)
+        stdout = nfpm.stdout.decode("utf-8").splitlines()
+        for line in stdout:
+            if line.startswith("GitVersion:"):
+                _, _, version = line.partition(":")
+                return version.strip()
+        return "Unknown"
+
+    @cached_property
+    def jsonschema(self) -> dict[Any, Any]:
+        nfpm = subprocess.run([self.executable, "jsonschema"], capture_output=True)
+        jsonschema = nfpm.stdout.decode("utf-8")
+        return json.loads(jsonschema)
+
+    def package(self, packager: Packager, dir: Path) -> Path:
+        nfpm = subprocess.run(
+            [self.executable, "package", "-p", str(packager)],
+            cwd=dir,
+            capture_output=True,
+        )
+        stdout = nfpm.stdout.decode("utf-8").splitlines()
+        for line in stdout:
+            if line.startswith("created package:"):
+                *_, package = line.partition(":")
+                return dir.joinpath(package.strip())
+        # Fall back to looking for the package based on the file extension if
+        # we are unable to read the name from nFPM's stdout.
+        package, *_ = list(dir.glob(f"*.{packager.extension}"))
+        return package