diff --git a/ci/Jenkinsfile b/ci/Jenkinsfile index 65bf903..762e87e 100644 --- a/ci/Jenkinsfile +++ b/ci/Jenkinsfile @@ -1,40 +1,86 @@ -// vim: set sw=4 ts=4 sts=4 et : - pipeline { - agent { - kubernetes { - yamlFile 'ci/podTemplate.yaml' - defaultContainer 'build' - } - } + agent none stages { - stage('Build') { - steps { - sh 'make rpm' - } - } + stage('RPM') { + matrix { + axes { + axis { + name 'ARCH' + values 'amd64', 'arm64' + } + axis { + name 'FEDORA' + values '39', '40' + } + } - stage('Publish') { - when { - branch 'main' - } - steps { - withCredentials([usernamePassword( - credentialsId: 'jenkins-packages', - usernameVariable: 'GITEA_USERNAME', - passwordVariable: 'GITEA_PASSWORD', - )]) { - sh 'make publish' + stages { + stage('Build RPM') { + agent { + kubernetes { + yamlFile 'ci/podTemplate.yaml' + yamlMergeStrategy merge() + defaultContainer 'fedora' + nodeSelector "kubernetes.io/arch=${ARCH}" + containerTemplate { + name 'fedora' + image "registry.fedoraproject.org/fedora:${FEDORA}" + } + } + } + environment { + GNUPGHOME = "${env.WORKSPACE_TMP}/gnupg" + } + stages { + stage('Prepare') { + steps { + sh '. ci/prepare.sh' + } + } + + stage('Build') { + steps { + sh '. ci/build.sh' + script { + if (env.BRANCH_NAME == 'master') { + withCredentials([ + file( + credentialsId: 'rpm-gpg-key', + variable: 'RPM_GPG_PRIVATE_KEY', + ), + file( + credentialsId: 'rpm-gpg-key-passphrase', + variable: 'RPM_GPG_KEY_PASSPHRASE', + ), + ]) { + sh '. ci/sign-rpms.sh' + } + } + } + } + post { + success { + archiveArtifacts '*.rpm' + } + } + } + + stage('Publish') { + when { + branch 'master' + } + steps { + sshagent(['jenkins-repohost']) { + sh '. ci/publish.sh' + } + } + } + } + } } } } - } - post { - success { - archiveArtifacts '*.rpm' - } } - } diff --git a/ci/build.sh b/ci/build.sh new file mode 100644 index 0000000..d1280a5 --- /dev/null +++ b/ci/build.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +make rpm 
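Review bot: The signing credentials in the Build stage are correctly scoped to `sign-rpms.sh`, but whatever that script imports into `GNUPGHOME` (presumably the private key, left unlocked in gpg-agent) stays in the pod through the Publish stage and is never removed; the stage's `post` block only archives. Add a cleanup that runs regardless of outcome, e.g. `always { sh 'gpgconf --kill gpg-agent || true; rm -rf -- "$GNUPGHOME"' }` next to the existing `success { archiveArtifacts '*.rpm' }`. Separately, the build image is pulled by a mutable tag (`fedora:${FEDORA}`) and ci/prepare.sh installs the toolchain from the live repos at build time, so the inputs to a signed release are not recorded anywhere; pinning the image by digest (`fedora@sha256:<DIGEST-FROM-REGISTRY>`) or archiving `rpm -qa` output alongside the RPMs would make a signed artifact traceable to what built it. Note also that `env.BRANCH_NAME` is only populated for multibranch jobs, so on a plain pipeline job the `script` guard silently skips signing while `when { branch 'master' }` skips publishing and an unsigned build is still archived — probably acceptable, but worth a one-line comment at the `if`.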
diff --git a/ci/podTemplate.yaml b/ci/podTemplate.yaml index a5e560e..f8e190b 100644 --- a/ci/podTemplate.yaml +++ b/ci/podTemplate.yaml @@ -1,7 +1,16 @@ spec: containers: - - name: build - image: git.pyrocufflink.net/containerimages/build/selinux:main - imagePullPolicy: Always - securityPolicy: - runAsNonRoot: true + - name: fedora + command: + - cat + stdin: true + tty: true + volumeMounts: + - mountPath: /etc/ssh/ssh_known_hosts + name: ssh-known-hosts + subPath: ssh_known_hosts + hostUsers: false + volumes: + - name: ssh-known-hosts + configMap: + name: ssh-known-hosts diff --git a/ci/prepare.sh b/ci/prepare.sh new file mode 100644 index 0000000..c06b2ca --- /dev/null +++ b/ci/prepare.sh @@ -0,0 +1,19 @@ +#!/bin/sh + +dnf install -y \ + --setopt install_weak_deps=0 \ + make \ + openssh-clients \ + openssl-devel \ + rpm-build \ + rpm-sign \ + rsync \ + selinux-policy-devel \ + tar \ + xz \ + -- + +install -m u=rwx,go= -d "${GNUPGHOME}" +cat > "${GNUPGHOME}"/gpg-agent.conf <
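Review bot: The `runAsNonRoot: true` constraint is gone and the `fedora` container now runs as root (ci/prepare.sh's `dnf install` needs it), with isolation resting entirely on `hostUsers: false`; as far as I know, on a cluster where the UserNamespacesSupport feature gate is off that field is dropped at admission and the build then runs as real host-root. Document the dependency above the field, e.g. `# root in the container is required by dnf; hostUsers: false maps it to an unprivileged host UID and needs user-namespace support on the nodes`, and consider a container `securityContext` with `allowPrivilegeEscalation: false` plus dropping the capabilities dnf does not need, if builds still pass with it. `imagePullPolicy: Always` was also dropped while the image is still referenced by a mutable tag from the Jenkinsfile, so nodes may keep serving a cached older `fedora:39`/`fedora:40`; if that is intentional, say so in a comment.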