diff --git a/ci/Jenkinsfile b/ci/Jenkinsfile
new file mode 100644
index 0000000..bde808d
--- /dev/null
+++ b/ci/Jenkinsfile
@@ -0,0 +1,78 @@
+pipeline {
+ agent none
+
+ stages {
+ stage('SSHCA CLI') {
+ matrix {
+ axes {
+ axis {
+ name 'ARCH'
+ values 'amd64', 'arm64'
+ }
+ }
+
+ stages {
+ stage('CLI') {
+ agent {
+ kubernetes {
+ yamlFile 'ci/podTemplate.yaml'
+ yamlMergeStrategy merge()
+ defaultContainer 'fedora'
+ nodeSelector "kubernetes.io/arch=${ARCH}"
+ }
+ }
+ environment {
+ GNUPGHOME = "${env.WORKSPACE_TMP}/gnupg"
+ }
+ stages {
+ stage('Prepare') {
+ steps {
+ sh '. ci/prepare.sh'
+ }
+ }
+
+ stage('Build') {
+ steps {
+ sh '. ci/build.sh'
+ script {
+ if (env.BRANCH_NAME == 'master') {
+ withCredentials([
+ file(
+ credentialsId: 'rpm-gpg-key',
+ variable: 'RPM_GPG_PRIVATE_KEY',
+ ),
+ file(
+ credentialsId: 'rpm-gpg-key-passphrase',
+ variable: 'RPM_GPG_KEY_PASSPHRASE',
+ ),
+ ]) {
+ sh '. ci/sign-rpms.sh'
+ }
+ }
+ }
+ }
+ post {
+ success {
+ archiveArtifacts '*.rpm'
+ }
+ }
+ }
+
+ stage('Publish') {
+ when {
+ branch 'master'
+ }
+ steps {
+ sshagent(['jenkins-repohost']) {
+ sh '. ci/publish.sh'
+ }
+ }
+ }
+ }
+ }
+ }
+
+ }
+ }
+ }
+}
diff --git a/ci/build.sh b/ci/build.sh
new file mode 100644
index 0000000..d1280a5
--- /dev/null
+++ b/ci/build.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+make rpm
diff --git a/ci/podTemplate.yaml b/ci/podTemplate.yaml
new file mode 100644
index 0000000..1c4502e
--- /dev/null
+++ b/ci/podTemplate.yaml
@@ -0,0 +1,17 @@
+spec:
+ containers:
+ - name: fedora
+ image: registry.fedoraproject.org/fedora:38
+ command:
+ - cat
+ stdin: true
+ tty: true
+ volumeMounts:
+ - mountPath: /etc/ssh/ssh_known_hosts
+ name: ssh-known-hosts
+ subPath: ssh_known_hosts
+ hostUsers: false
+ volumes:
+ - name: ssh-known-hosts
+ configMap:
+ name: ssh-known-hosts
diff --git a/ci/prepare.sh b/ci/prepare.sh
new file mode 100644
index 0000000..ca80d7e
--- /dev/null
+++ b/ci/prepare.sh
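Review bot: In ci/Jenkinsfile the 'Build' stage never tears down the GnuPG home, so anything `ci/sign-rpms.sh` imports into `GNUPGHOME` (set to `${env.WORKSPACE_TMP}/gnupg` in the `environment` block) outlives the `withCredentials` scope. It would still be on disk, possibly with a live gpg-agent, while the 'Publish' stage runs in the same pod. `sign-rpms.sh` is not visible here, so the key import is an assumption to confirm. If it holds, add `always { sh 'gpgconf --kill gpg-agent || true; rm -rf "${GNUPGHOME}"' }` to the stage's existing `post` block, next to `success`. As a smaller style point, the `env.BRANCH_NAME == 'master'` test inside `script` duplicates the `when { branch 'master' }` gate used by 'Publish'; a separate 'Sign' stage with the same `when` would keep the release condition in one form.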
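Review bot: In ci/podTemplate.yaml the `fedora` container is pulled by the mutable tag `registry.fedoraproject.org/fedora:38`, and per the Jenkinsfile in this commit it is the container that receives the `rpm-gpg-key` file credential and the `jenkins-repohost` SSH agent. Pinning by digest, `image: registry.fedoraproject.org/fedora:38@sha256:<digest-of-reviewed-image>` (placeholder, to be filled from the image you have vetted), keeps a re-tagged or replaced image from reaching the signing and publish steps unnoticed and makes the build environment reproducible. A short comment above `hostUsers: false` saying it is there to run the build in a user namespace would also help the next maintainer not remove it.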
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+dnf install -y \
+ --setopt install_weak_deps=0 \
+ cargo \
+ cargo-rpm-macros \
+ make \
+ openssh-clients \
+ openssl-devel \
+ rpm-build \
+ rpm-sign \
+ rsync \
+ rust \
+ systemd-rpm-macros \
+ tar \
+ --
+
+install -m u=rwx,go= -d "${GNUPGHOME}"
+cat > "${GNUPGHOME}"/gpg-agent.conf <