wip: Use Jenkins build number as RPM release

> `bad key options: missing start quote`

Makefile

@@ -17,7 +17,7 @@ define rpmbuild
 		-D '_sourcedir %_topdir' \
 		-D '_specdir %_topdir' \
 		-D '_srcrpmdir %_topdir' \
-
+		$(RPMBUILD_ARGS)
 endef
 
 rpm: $(O)/$(ARCH)/$(RPM)

ci/Jenkinsfile

@@ -0,0 +1,84 @@
+pipeline {
+    agent none
+
+    stages {
+        stage('RPM') {
+            matrix {
+                axes {
+                    axis {
+                        name 'ARCH'
+                        values 'amd64', 'arm64'
+                    }
+                    axis {
+                        name 'FEDORA'
+                        values '41', '42'
+                    }
+                }
+
+                agent {
+                    kubernetes {
+                        yamlFile 'ci/podTemplate.yaml'
+                        yamlMergeStrategy merge()
+                        defaultContainer 'build'
+                        nodeSelector "kubernetes.io/arch=${ARCH}"
+                        containerTemplate {
+                            name 'build'
+                            image "registry.fedoraproject.org/fedora:${FEDORA}"
+                        }
+                    }
+                }
+
+                environment {
+                    GNUPGHOME = "${env.WORKSPACE_TMP}/gnupg"
+                }
+
+                stages {
+                    stage('Prepare') {
+                        steps {
+                            sh '. ci/prepare.sh'
+                        }
+                    }
+
+                    stage('Build') {
+                        steps {
+                            sh '. ci/build.sh'
+                            script {
+                                if (env.BRANCH_NAME == 'master') {
+                                    withCredentials([
+                                        file(
+                                            credentialsId: 'rpm-gpg-key',
+                                            variable: 'RPM_GPG_PRIVATE_KEY',
+                                        ),
+                                        file(
+                                            credentialsId: 'rpm-gpg-key-passphrase',
+                                            variable: 'RPM_GPG_KEY_PASSPHRASE',
+                                        ),
+                                    ]) {
+                                        sh '. ci/sign-rpms.sh'
+                                    }
+                                }
+                            }
+                        }
+                        post {
+                            success {
+                                archiveArtifacts "f${FEDORA}/**/*.rpm"
+                            }
+                        }
+                    }
+
+                    stage('Publish') {
+                        when {
+                            branch 'master'
+                        }
+                        steps {
+                            sshagent(['jenkins-repohost']) {
+                                sh '. ci/publish.sh'
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+    }
+}

ci/build.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+install -o 1000 -g 1000 -d f${FEDORA}
+
+setpriv --reuid 1000 --regid 1000 --keep-groups \
+make O=f${FEDORA} RPMBUILD_ARGS="-D '_rpmautospec_release_number ${BUILD_NUMBER}'" srpm rpm

ci/podTemplate.yaml

@@ -0,0 +1,19 @@
+spec:
+  containers:
+  - name: build
+    command: &sleep
+    - /bin/sh
+    - -c
+    - |
+      trap 'kill $!' TERM
+      sleep infinity &
+      wait
+    volumeMounts:
+    - mountPath: /etc/ssh/ssh_known_hosts
+      name: ssh-known-hosts
+      subPath: ssh_known_hosts
+  hostUsers: false
+  volumes:
+  - name: ssh-known-hosts
+    configMap:
+      name: ssh-known-hosts

ci/prepare.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+xargs dnf install -y <<EOF
+git-core
+make
+openssh-clients
+rpm-build
+rpm-sign
+rpmautospec
+rsync
+systemd-rpm-macros
+EOF
+
+install -m u=rwx,go= -d "${GNUPGHOME}"
+cat > "${GNUPGHOME}"/gpg-agent.conf <<EOF
+allow-loopback-pinentry
+EOF

ci/publish.sh

@@ -0,0 +1,30 @@
+#!/bin/sh
+
+ARCH="$(uname -m)"
+REPO_HOST=jenkins@files.pyrocufflink.blue
+REPO_PATH=/srv/www/repohost/repos/dch/fedora/$(rpm --eval %fedora)
+
+ssh-add -l
+ssh-add -L
+
+mkdir -p "${WORKSPACE_TMP}/sync"
+cd "${WORKSPACE_TMP}/sync"
+ln "${WORKSPACE}/f${FEDORA}"/*.rpm .
+ln "${WORKSPACE}/f${FEDORA}/${ARCH}"/*.rpm .
+
+case "${ARCH}" in
+x86_64)
+    # only include the SRPM once
+    include='*.rpm'
+    ;;
+*)
+    include="*.${ARCH}.rpm"
+    ;;
+esac
+
+rsync -rtiO \
+    --chmod=ugo=rwX \
+    --include "${include}" \
+    --exclude '*' \
+    ./ \
+    "${REPO_HOST}:${REPO_PATH}/"

ci/sign-rpms.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+gpg2 --pinentry-mode loopback --passphrase-fd 0 \
+    --import "${RPM_GPG_PRIVATE_KEY}" \
+    < "${RPM_GPG_KEY_PASSPHRASE}"
+
+rpmsign --addsign \
+    -D '_gpg_name jenkins@pyrocufflink.net' \
+    -D '_gpg_sign_cmd_extra_args --pinentry-mode loopback --passphrase-fd 3' \
+    f${FEDORA}/$(uname -m)/*.rpm \
+    3< "${RPM_GPG_KEY_PASSPHRASE}"

dch-autoprovision.spec

@@ -60,7 +60,7 @@ mkdir -p "${RPM_BUILD_ROOT}%{_presetdir}"
 
 %posttrans
 if [ $1 -eq 1 ]; then
-    printf 'expiry-time=%s,restrict,pty %s\n' \
+    printf 'expiry-time="%s",restrict,pty %s\n' \
         "$(date -d +1hour +%Y%m%d%H%M)" \
         "$(cat %{dch_datadir}/host-provisioner.key)" \
         >> /root/.ssh/authorized_keys

notify-online.sh

@@ -9,5 +9,15 @@ if [ -r "${fw_cfg}" ]; then
     set -- "$@" -F branch="$(cat "${fw_cfg}")"
 fi
 
+set -- "$(cat /proc/cmdline)"
+while [ $# -gt 0 ]; do
+    case "$1" in
+    dch.cfg-branch=*)
+        set -- "$@" -F branch="${1#*=}"
+        ;;
+    esac
+    shift
+done
+
 cat /etc/ssh/ssh_host_*_key.pub \
     | curl -fsS https://webhooks.pyrocufflink.blue/host/online "$@"