From 3e19a0956ead27b287891f98e15f9511b2b8836c Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Mon, 3 Jun 2024 08:31:18 -0500
Subject: [PATCH] ci: Build/sign RPMs for multiple Fedora versions
* Use `matrix` to generate pipelines for multiple Fedora versions
* Sign RPM packages using the Jenkins GPG key
* Publish RPM files to *dch* repository on *files.pyrocufflink.blue* instead of Gitea (the latter cannot handle multiple releases of the same package)
---
ci/Jenkinsfile | 101 +++++++++++++++++++++++++++++++-------------
ci/build.sh | 3 ++
ci/podTemplate.yaml | 19 ++++++---
ci/prepare.sh | 19 +++++++++
ci/publish.sh | 25 +++++++++++
ci/sign-rpms.sh | 12 ++++++
6 files changed, 144 insertions(+), 35 deletions(-)
create mode 100644 ci/build.sh
create mode 100644 ci/prepare.sh
create mode 100644 ci/publish.sh
create mode 100644 ci/sign-rpms.sh
diff --git a/ci/Jenkinsfile b/ci/Jenkinsfile
index 65bf903..e0ab9ec 100644
--- a/ci/Jenkinsfile
+++ b/ci/Jenkinsfile
@@ -1,40 +1,81 @@ -// vim: set sw=4 ts=4 sts=4 et : - pipeline { - agent { - kubernetes { - yamlFile 'ci/podTemplate.yaml' - defaultContainer 'build' - } - } + agent none stages { - stage('Build') { - steps { - sh 'make rpm' - } - } + stage('RPM') { + matrix { + axes { + axis { + name 'FEDORA' + values '39', '40' + } + } - stage('Publish') { - when { - branch 'main' - } - steps { - withCredentials([usernamePassword( - credentialsId: 'jenkins-packages', - usernameVariable: 'GITEA_USERNAME', - passwordVariable: 'GITEA_PASSWORD', - )]) { - sh 'make publish' + stages { + stage('Build RPM') { + agent { + kubernetes { + yamlFile 'ci/podTemplate.yaml' + yamlMergeStrategy merge() + defaultContainer 'fedora' + containerTemplate { + name 'fedora' + image "registry.fedoraproject.org/fedora:${FEDORA}" + } + } + } + environment { + GNUPGHOME = "${env.WORKSPACE_TMP}/gnupg" + } + stages { + stage('Prepare') { + steps { + sh '. ci/prepare.sh' + } + } + + stage('Build') { + steps { + sh '. ci/build.sh' + script { + if (env.BRANCH_NAME == 'main') { + withCredentials([ + file( + credentialsId: 'rpm-gpg-key', + variable: 'RPM_GPG_PRIVATE_KEY', + ), + file( + credentialsId: 'rpm-gpg-key-passphrase', + variable: 'RPM_GPG_KEY_PASSPHRASE', + ), + ]) { + sh '. ci/sign-rpms.sh' + } + } + } + } + post { + success { + archiveArtifacts '*.rpm' + } + } + } + + stage('Publish') { + when { + branch 'master' + } + steps { + sshagent(['jenkins-repohost']) { + sh '. ci/publish.sh' + } + } + } + } + } } } } - } - post { - success { - archiveArtifacts '*.rpm' - } } - } diff --git a/ci/build.sh b/ci/build.sh new file mode 100644 index 0000000..d1280a5 --- /dev/null +++ b/ci/build.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +make rpm diff --git a/ci/podTemplate.yaml b/ci/podTemplate.yaml index a5e560e..f8e190b 100644 --- a/ci/podTemplate.yaml +++ b/ci/podTemplate.yaml 
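Review bot: The new `Publish` stage is gated on `when { branch 'master' }` while the signing step added to `Build` runs only `if (env.BRANCH_NAME == 'main')`, and the stage this replaces used `branch 'main'`; the two conditions cannot both be true for the same build. If the repository's default branch is `main`, signed RPMs are archived but `ci/publish.sh` never runs; if it is `master`, the packages are pushed to the repository without ever having been signed, which defeats the purpose of the new GPG step. Change the clause to `when { branch 'main' }` so both steps key on the same branch, and consider having `publish.sh` refuse to push an RPM that carries no signature so a future mismatch fails the build instead of shipping unsigned artifacts.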
@@ -1,7 +1,16 @@ spec: containers: - - name: build - image: git.pyrocufflink.net/containerimages/build/selinux:main - imagePullPolicy: Always - securityPolicy: - runAsNonRoot: true + - name: fedora + command: + - cat + stdin: true + tty: true + volumeMounts: + - mountPath: /etc/ssh/ssh_known_hosts + name: ssh-known-hosts + subPath: ssh_known_hosts + hostUsers: false + volumes: + - name: ssh-known-hosts + configMap: + name: ssh-known-hosts diff --git a/ci/prepare.sh b/ci/prepare.sh new file mode 100644 index 0000000..c06b2ca --- /dev/null +++ b/ci/prepare.sh @@ -0,0 +1,19 @@ +#!/bin/sh + +dnf install -y \ + --setopt install_weak_deps=0 \ + make \ + openssh-clients \ + openssl-devel \ + rpm-build \ + rpm-sign \ + rsync \ + selinux-policy-devel \ + tar \ + xz \ + -- + +install -m u=rwx,go= -d "${GNUPGHOME}" +cat > "${GNUPGHOME}"/gpg-agent.conf <
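Review bot: The removed `imagePullPolicy: Always` is not carried over to the new `fedora` container, whose image is set in the Jenkinsfile to the mutable tag `registry.fedoraproject.org/fedora:${FEDORA}`, so each node keeps building and signing on whatever base image it cached first; add `imagePullPolicy: Always` under `- name: fedora`. The old `runAsNonRoot: true` is dropped as well (it sat under a `securityPolicy` key that is not a pod-spec field, so it was likely never enforced), and the container now runs as root, which `dnf install` in `prepare.sh` requires; `hostUsers: false` confines that root to a user namespace only where the cluster supports the field. A short comment next to `hostUsers: false` would make that dependency explicit, e.g. `# root in this container is mapped to an unprivileged host UID; requires user-namespace support on the node`.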