Include kernel version in release tag

This will allow `dnf` to automatically upgrade the package when a new build is published for a new kernel release.
ci: Fetch sources from local mirror
2025-11-16 09:30:18 -06:00 · 2025-11-16 09:30:18 -06:00 · 2025-11-16 09:30:12 -06:00 · 2025-11-16 09:29:52 -06:00 · 2025-11-16 09:26:45 -06:00 · 2025-11-16 09:26:41 -06:00
7 changed files with 218 additions and 3 deletions
--- a/ci/Jenkinsfile
+++ b/ci/Jenkinsfile
@@ -0,0 +1,98 @@
+pipeline {
+    agent none
+
+    stages {
+        stage('RPM') {
+            matrix {
+                axes {
+                    axis {
+                        name 'FEDORA'
+                        values '41', '42'
+                    }
+                }
+
+                agent {
+                    kubernetes {
+                        yamlFile 'ci/podTemplate.yaml'
+                        yamlMergeStrategy merge()
+                        defaultContainer 'fedora'
+                        containerTemplate {
+                            name 'fedora'
+                            image "registry.fedoraproject.org/fedora:${FEDORA}"
+                        }
+                    }
+                }
+
+                stages {
+                    stage('Prepare') {
+                        steps {
+                            sh '. ci/prepare.sh'
+                        }
+                    }
+
+                    stage('Build') {
+                        steps {
+                            withCredentials([file(
+                                credentialsId: 'kmod-signing-cert',
+                                variable: 'SIGNING_KEY',
+                            )]) {
+                                sh '. ci/build.sh'
+                            }
+                        }
+                    }
+
+                    stage('Sign') {
+                        when {
+                            branch 'main'
+                        }
+                        environment {
+                            GNUPGHOME = "${env.WORKSPACE_TMP}/gnupg"
+                        }
+                        steps {
+                            withCredentials([
+                                file(
+                                    credentialsId: 'rpm-gpg-key',
+                                    variable: 'RPM_GPG_PRIVATE_KEY',
+                                ),
+                                file(
+                                    credentialsId: 'rpm-gpg-key-passphrase',
+                                    variable: 'RPM_GPG_KEY_PASSPHRASE',
+                                ),
+                            ]) {
+                                sh '. ci/sign.sh'
+                            }
+                        }
+                    }
+
+                    stage('Archive') {
+                        steps {
+                            archiveArtifacts '*.rpm'
+                        }
+                    }
+
+                    stage('Publish') {
+                        when {
+                            branch 'main'
+                        }
+                        steps {
+                            sshagent(['jenkins-repohost']) {
+                                sh '. ci/publish.sh'
+                            }
+                        }
+                    }
+
+                }
+            }
+        }
+    }
+
+    post {
+        failure {
+            emailext(
+                to: 'gyrfalcon@ebonfire.com',
+                subject: '$DEFAULT_SUBJECT',
+                body: '$DEFAULT_CONTENT',
+            )
+        }
+    }
+}
--- a/ci/build.sh
+++ b/ci/build.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+if [ $(id -u) -eq 0 ]; then
+    kver=$(rpm -q --qf %{VERSION}-%{RELEASE}.%{ARCH} kernel-devel)
+    ln -s "${SIGNING_KEY}" /usr/src/kernels/${kver}/certs/signing_key.x509
+    ln -s "${SIGNING_KEY}" /usr/src/kernels/${kver}/certs/signing_key.pem
+
+    exec setpriv --clear-groups --reuid 1000 --regid 1000 --inh-caps=-all \
+        sh -ex ci/build.sh
+fi
+
+git_rev=$(
+    sed -nr '/^%global git_revision_full/s/.* ([a-z0-9]{40})$/\1/p' \
+        gasket-driver.spec
+)
+curl -fL \
+    -o gasket-driver-${git_rev}.tar.gz \
+    https://git.pyrocufflink.net/dustin/gasket-driver/archive/${git_rev}.tar.gz
+
+# We're downloading the archive from our local mirror of upstream's repository,
+# just in case it goes away or becomes unavailable.  Unfortunately, Gitea
+# creates a slightly different archive layout than GitHub, so we need to fix it
+# up before passing it to `rpmbuild`.
+rm -rf src
+mkdir src
+tar -xzf gasket-driver-${git_rev}.tar.gz -C src
+mv src/gasket-driver src/gasket-driver-${git_rev}
+tar -cf gasket-driver-${git_rev}.tar.gz -C src gasket-driver-${git_rev}
+
+rpmbuild \
+    -D "_topdir ${PWD}" \
+    -D '_sourcedir %{_topdir}' \
+    -ba gasket-driver.spec
+
+ln RPMS/*/*.rpm SRPMS/*.rpm .
--- a/ci/podTemplate.yaml
+++ b/ci/podTemplate.yaml
@@ -0,0 +1,24 @@
+spec:
+  containers:
+  - name: fedora
+    command:
+    - cat
+    stdin: true
+    tty: true
+    resources:
+      requests:
+        cpu: 1500m
+    securityContext:
+      runAsUser: 0
+      runAsGroup: 0
+    volumeMounts:
+    - mountPath: /etc/ssh/ssh_known_hosts
+      name: ssh-known-hosts
+      subPath: ssh_known_hosts
+  hostUsers: false
+  nodeSelector:
+    du5t1n.me/jenkins:
+  volumes:
+  - name: ssh-known-hosts
+    configMap:
+      name: ssh-known-hosts
--- a/ci/prepare.sh
+++ b/ci/prepare.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+xargs dnf install -y --setopt install_weak_deps=0 <<EOF
+kernel-devel
+openssh-clients
+rpm-build
+rpm-sign
+rsync
+util-linux
+EOF
--- a/ci/publish.sh
+++ b/ci/publish.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+ARCH="$(uname -m)"
+REPO_HOST=jenkins@files.pyrocufflink.blue
+REPO_PATH=/srv/www/repohost/repos/dch/fedora/$(rpm --eval %fedora)
+
+case "${ARCH}" in
+x86_64)
+    # only include the SRPM once
+    include='*.rpm'
+    ;;
+*)
+    include="*.${ARCH}.rpm"
+    ;;
+esac
+
+rsync -rtiO \
+    --chmod=ugo=rwX \
+    --include "${include}" \
+    --exclude '*' \
+    ./ \
+    "${REPO_HOST}:${REPO_PATH}/"
--- a/ci/sign.sh
+++ b/ci/sign.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+if [ $(id -u) -eq 0 ]; then
+    exec setpriv --clear-groups --reuid 1000 --regid 1000 --inh-caps=-all \
+        sh -ex ci/sign.sh
+fi
+
+install -m u=rwx,go= -d "${GNUPGHOME}"
+cat > "${GNUPGHOME}"/gpg-agent.conf <<EOF
+allow-loopback-pinentry
+EOF
+
+gpg2 --pinentry-mode loopback --passphrase-fd 0 \
+    --import "${RPM_GPG_PRIVATE_KEY}" \
+    < "${RPM_GPG_KEY_PASSPHRASE}"
+
+rpmsign --addsign \
+    -D '_gpg_name jenkins@pyrocufflink.net' \
+    -D '_gpg_sign_cmd_extra_args --pinentry-mode loopback --passphrase-fd 3' \
+    *.rpm \
+    3< "${RPM_GPG_KEY_PASSPHRASE}"
--- a/gasket-driver.spec
+++ b/gasket-driver.spec
@@ -1,13 +1,15 @@
 %global git_revision 5815ee3
 %global git_revision_full 5815ee3908a46a415aac616ac7b9aedcb98a504c

-%global kernel_ver %(rpm -q --qf %{VERSION}-%{RELEASE} kernel-devel)
+%global kernel_version %(rpm -q --qf %{VERSION} kernel-devel)
+%global kernel_release %(rpm -q --qf %{RELEASE} kernel-devel)
+%global kernel_ver %{kernel_version}-%{kernel_release}

 %define _debugsource_template %{nil}

 Name:           gasket-driver
 Version:        0.0.git%{git_revision}
-Release:        1
+Release:        2.k%{kernel_version}%{?dist}
 Summary:        The Coral Gasket Driver allows usage of the Coral EdgeTPU on Linux systems

 License:        GPL-2.0
@@ -17,7 +19,7 @@ Patch0:         0001-core-Omit-no_llseek-reference.patch
 Patch1:         0002-Update-gasket_page_table.c-Fix-MODULE_IMPORT_NS.patch

 BuildRequires:  kernel-devel
-Requires:       kernel-core == %{kernel_ver}
+Requires:       kernel-core == %{kernel_version}
 Requires(post): kmod

 %description
@@ -47,5 +49,8 @@ depmod -a %{kernel_ver}.%{_arch}


 %changelog
+* Sun Nov 16 2025 Dustin C. Hatch <dustin@hatch.name> [0.0.git5815ee3-2]
+- Include kernel version in release tag
+
 * Wed Aug 06 2025 Dustin C. Hatch <dustin@hatch.name> [0.0.git5815ee3-1]
 - Initial package
Author	SHA1	Message	Date
Dustin C. Hatch	1a3a502213	Include kernel version in release tag All checks were successful RPMs/gasket-driver/pipeline/head This commit looks good Details This will allow `dnf` to automatically upgrade the package when a new build is published for a new kernel release.	2025-11-16 09:30:18 -06:00
Dustin C. Hatch	5a6e882d45	ci: Fetch sources from local mirror I've created a mirror of the _gasket-driver_ Git repository, to ensure it remains available, even if Google decides to remove it or GitHub is temporarily unavailable.	2025-11-16 09:30:18 -06:00
Dustin C. Hatch	663a2976ad	ci: Publish RPMs to dch Yum repo	2025-11-16 09:30:12 -06:00
Dustin C. Hatch	7f673e3b5a	ci: Sign RPMs	2025-11-16 09:29:52 -06:00
Dustin C. Hatch	2b7954bb52	ci: Sign the kernel modules It turns out, everything is already in place to enable kernel module signing. All that's necessary is to provide a certificate and private key at the correct path; if those are present, the modules files will be signed during `modules_install`.	2025-11-16 09:26:45 -06:00
Dustin C. Hatch	cdc38a9f5a	ci: Begin Jenkins pipeline	2025-11-16 09:26:41 -06:00