dustin
/
sshca-cli
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ci: Import ci pipeline from original repo
dustin/sshca-cli/pipeline/head This commit looks good Details 

When this repository was split from the original *dustin/sshca*
repository, the CI pipeline was not imported.  It wouldn't have mattered
if it had been, since it wouldn't have worked, anyway, given the path
changes.
dev/auto-reload
Dustin 2023-11-13 19:43:50 -06:00
parent 8d146cdb62
commit 041788e818
6 changed files with 156 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
ci/Jenkinsfile vendored Normal file
View File

@ -0,0 +1,78 @@
pipeline {
agent none
stages {
stage('SSHCA CLI') {
matrix {
axes {
axis {
name 'ARCH'
values 'amd64', 'arm64'
}
}
stages {
stage('CLI') {
agent {
kubernetes {
yamlFile 'ci/podTemplate.yaml'
yamlMergeStrategy merge()
defaultContainer 'fedora'
nodeSelector "kubernetes.io/arch=${ARCH}"
}
}
environment {
GNUPGHOME = "${env.WORKSPACE_TMP}/gnupg"
}
stages {
stage('Prepare') {
steps {
sh '. ci/prepare.sh'
}
}
stage('Build') {
steps {
sh '. ci/build.sh'
script {
if (env.BRANCH_NAME == 'master') {
withCredentials([
file(
credentialsId: 'rpm-gpg-key',
variable: 'RPM_GPG_PRIVATE_KEY',
),
file(
credentialsId: 'rpm-gpg-key-passphrase',
variable: 'RPM_GPG_KEY_PASSPHRASE',
),
]) {
sh '. ci/sign-rpms.sh'
}
}
}
}
post {
success {
archiveArtifacts '*.rpm'
}
}
}
stage('Publish') {
when {
branch 'master'
}
steps {
sshagent(['jenkins-repohost']) {
sh '. ci/publish.sh'
}
}
}
}
}
}
}
}
}
}

3
ci/build.sh Normal file
View File

@ -0,0 +1,3 @@
#!/bin/sh
make rpm

17
ci/podTemplate.yaml Normal file
View File

@ -0,0 +1,17 @@
spec:
containers:
- name: fedora
image: registry.fedoraproject.org/fedora:38
command:
- cat
stdin: true
tty: true
volumeMounts:
- mountPath: /etc/ssh/ssh_known_hosts
name: ssh-known-hosts
subPath: ssh_known_hosts
hostUsers: false
volumes:
- name: ssh-known-hosts
configMap:
name: ssh-known-hosts

21
ci/prepare.sh Normal file
View File

@ -0,0 +1,21 @@
#!/bin/sh
dnf install -y \
--setopt install_weak_deps=0 \
cargo \
cargo-rpm-macros \
make \
openssh-clients \
openssl-devel \
rpm-build \
rpm-sign \
rsync \
rust \
systemd-rpm-macros \
tar \
--
install -m u=rwx,go= -d "${GNUPGHOME}"
cat > "${GNUPGHOME}"/gpg-agent.conf <<EOF
allow-loopback-pinentry
EOF

25
ci/publish.sh Normal file
View File

@ -0,0 +1,25 @@
#!/bin/sh
ARCH="$(uname -m)"
REPO_HOST=jenkins@files.pyrocufflink.blue
REPO_PATH=/srv/www/repohost/repos/dch/fedora/$(rpm --eval %fedora)
ssh-add -l
ssh-add -L
case "${ARCH}" in
x86_64)
# only include the SRPM once
include='*.rpm'
;;
*)
include="*.${ARCH}.rpm"
;;
esac
rsync -rtiO \
--chmod=ugo=rwX \
--include "${include}" \
--exclude '*' \
./ \
"${REPO_HOST}:${REPO_PATH}/"

12
ci/sign-rpms.sh Normal file
View File

@ -0,0 +1,12 @@
#!/bin/sh
gpg2 --pinentry-mode loopback --passphrase-fd 0 \
--import "${RPM_GPG_PRIVATE_KEY}" \
< "${RPM_GPG_KEY_PASSPHRASE}"
rpmsign --addsign \
-D '_gpg_name jenkins@pyrocufflink.net' \
-D '_gpg_sign_cmd_extra_args --pinentry-mode loopback --passphrase-fd 3' \
*.rpm \
3< "${RPM_GPG_KEY_PASSPHRASE}"