diff --git a/ci/Jenkinsfile b/ci/Jenkinsfile
new file mode 100644
index 0000000..4683d30
--- /dev/null
+++ b/ci/Jenkinsfile
@@ -0,0 +1,84 @@
+pipeline {
+    agent none
+
+    stages {
+        stage('RPM') {
+            matrix {
+                axes {
+                    axis {
+                        name 'ARCH'
+                        values 'amd64', 'arm64'
+                    }
+                    axis {
+                        name 'FEDORA'
+                        values '41', '42'
+                    }
+                }
+
+                agent {
+                    kubernetes {
+                        yamlFile 'ci/podTemplate.yaml'
+                        yamlMergeStrategy merge()
+                        defaultContainer 'build'
+                        nodeSelector "kubernetes.io/arch=${ARCH}"
+                        containerTemplate {
+                            name 'build'
+                            image "registry.fedoraproject.org/fedora:${FEDORA}"
+                        }
+                    }
+                }
+
+                environment {
+                    GNUPGHOME = "${env.WORKSPACE_TMP}/gnupg"
+                }
+
+                stages {
+                    stage('Prepare') {
+                        steps {
+                            sh '. ci/prepare.sh'
+                        }
+                    }
+
+                    stage('Build') {
+                        steps {
+                            sh '. ci/build.sh'
+                            script {
+                                if (env.BRANCH_NAME == 'master') {
+                                    withCredentials([
+                                        file(
+                                            credentialsId: 'rpm-gpg-key',
+                                            variable: 'RPM_GPG_PRIVATE_KEY',
+                                        ),
+                                        file(
+                                            credentialsId: 'rpm-gpg-key-passphrase',
+                                            variable: 'RPM_GPG_KEY_PASSPHRASE',
+                                        ),
+                                    ]) {
+                                        sh '. ci/sign-rpms.sh'
+                                    }
+                                }
+                            }
+                        }
+                        post {
+                            success {
+                                archiveArtifacts "f${FEDORA}/**/*.rpm"
+                            }
+                        }
+                    }
+
+                    stage('Publish') {
+                        when {
+                            branch 'master'
+                        }
+                        steps {
+                            sshagent(['jenkins-repohost']) {
+                                sh '. ci/publish.sh'
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+    }
+}
diff --git a/ci/build.sh b/ci/build.sh
new file mode 100644
index 0000000..39b53c2
--- /dev/null
+++ b/ci/build.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+install -o 1000 -g 1000 -d f${FEDORA}
+
+setpriv --reuid 1000 --regid 1000 --keep-groups \
+make O=f${FEDORA} srpm rpm
diff --git a/ci/podTemplate.yaml b/ci/podTemplate.yaml
new file mode 100644
index 0000000..c01dd64
--- /dev/null
+++ b/ci/podTemplate.yaml
@@ -0,0 +1,19 @@
+spec:
+  containers:
+  - name: build
+    command: &sleep
+    - /bin/sh
+    - -c
+    - |
+      trap 'kill $!' TERM
+      sleep infinity &
+      wait
+    volumeMounts:
+    - mountPath: /etc/ssh/ssh_known_hosts
+      name: ssh-known-hosts
+      subPath: ssh_known_hosts
+  hostUsers: false
+  volumes:
+  - name: ssh-known-hosts
+    configMap:
+      name: ssh-known-hosts
diff --git a/ci/prepare.sh b/ci/prepare.sh
new file mode 100644
index 0000000..335ae2c
--- /dev/null
+++ b/ci/prepare.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+xargs dnf install -y <<EOF
+git-core
+make
+openssh-clients
+rpm-build
+rpm-sign
+rsync
+systemd-rpm-macros
+EOF
diff --git a/ci/publish.sh b/ci/publish.sh
new file mode 100644
index 0000000..31cb2bd
--- /dev/null
+++ b/ci/publish.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+ARCH="$(uname -m)"
+REPO_HOST=jenkins@files.pyrocufflink.blue
+REPO_PATH=/srv/www/repohost/repos/dch/fedora/$(rpm --eval %fedora)
+
+ssh-add -l
+ssh-add -L
+
+mkdir -p "${WORKSPACE_TMP}/sync"
+cd "${WORKSPACE_TMP}/sync"
+ln "${WORKSPACE}/f${FEDORA}"/*.rpm .
+ln "${WORKSPACE}/f${FEDORA}/${ARCH}"/*.rpm .
+
+case "${ARCH}" in
+x86_64)
+    # only include the SRPM once
+    include='*.rpm'
+    ;;
+*)
+    include="*.${ARCH}.rpm"
+    ;;
+esac
+
+rsync -rtiO \
+    --chmod=ugo=rwX \
+    --include "${include}" \
+    --exclude '*' \
+    ./ \
+    "${REPO_HOST}:${REPO_PATH}/"
diff --git a/ci/sign-rpms.sh b/ci/sign-rpms.sh
new file mode 100644
index 0000000..d83c1b9
--- /dev/null
+++ b/ci/sign-rpms.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+gpg2 --pinentry-mode loopback --passphrase-fd 0 \
+    --import "${RPM_GPG_PRIVATE_KEY}" \
+    < "${RPM_GPG_KEY_PASSPHRASE}"
+
+rpmsign --addsign \
+    -D '_gpg_name jenkins@pyrocufflink.net' \
+    -D '_gpg_sign_cmd_extra_args --pinentry-mode loopback --passphrase-fd 3' \
+    f${FEDORA}/$(uname -m)/*.rpm \
+    3< "${RPM_GPG_KEY_PASSPHRASE}"