diff --git a/ci/Jenkinsfile b/ci/Jenkinsfile
new file mode 100644
index 0000000..dadef3d
--- /dev/null
+++ b/ci/Jenkinsfile
@@ -0,0 +1,48 @@
+pipeline {
+ agent none
+
+ stages {
+ stage('SSHCA') {
+ stages {
+ stage('Server') {
+ agent {
+ kubernetes {
+ yamlFile 'ci/podTemplate.yaml'
+ yamlMergeStrategy merge()
+ defaultContainer 'buildah'
+ }
+ }
+ stages {
+ stage('Build') {
+ steps {
+ sh '. ci/build.sh'
+ }
+ }
+
+ stage('Publish') {
+ steps {
+ withEnv([
+ "REGISTRY_AUTH_FILE=${env.WORKSPACE_TMP}/auth.json"
+ ]) {
+ withCredentials([usernamePassword(
+ credentialsId: 'jenkins-packages',
+ usernameVariable: 'BUILDAH_USERNAME',
+ passwordVariable: 'BUILDAH_PASSWORD',
+ )]) {
+ sh """
+ buildah login \
+ --username \${BUILDAH_USERNAME} \
+ --password \${BUILDAH_PASSWORD} \
+ git.pyrocufflink.net
+ """
+ }
+ sh '. ci/publish.sh'
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/ci/build.sh b/ci/build.sh
new file mode 100644
index 0000000..1788b5a
--- /dev/null
+++ b/ci/build.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+. ci/common.sh
+
+buildah build -t "${IMAGE_NAME}:${TAG}" server
diff --git a/ci/common.sh b/ci/common.sh
new file mode 100644
index 0000000..060e8cb
--- /dev/null
+++ b/ci/common.sh
@@ -0,0 +1,13 @@
+escape_name() {
+ echo "$1" \
+ | tr A-Z a-z \
+ | sed -e 's/[^a-zA-Z0-9._-]/-/g' -e 's/^[.-]/_/'
+}
+
+REGISTRY_URL=git.pyrocufflink.net
+NAMESPACE=containerimages
+NAME="${JOB_NAME#*/}"
+NAME=$(escape_name "${NAME%/*}")
+TAG=$(escape_name "${BRANCH_NAME}")
+
+IMAGE_NAME="${REGISTRY_URL}/${NAMESPACE}/${NAME}"
diff --git a/ci/podTemplate.yaml b/ci/podTemplate.yaml
new file mode 100644
index 0000000..5da469f
--- /dev/null
+++ b/ci/podTemplate.yaml
@@ -0,0 +1,19 @@
+spec:
+ containers:
+ - name: buildah
+ image: quay.io/containers/buildah:v1
+ command:
+ - cat
+ stdin: true
+ tty: true
+ securityContext:
+ capabilities:
+ add:
+ - SYS_ADMIN
+ - MKNOD
+ - SYS_CHROOT
+ - SETFCAP
+ resources:
+ limits:
+ github.com/fuse: 1
+ hostUsers: false
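Review bot: The `buildah login` call in the Publish stage passes the registry password as a command-line argument (`--password \${BUILDAH_PASSWORD}`), which exposes it in the pod's process table and in any shell trace; buildah supports `--password-stdin`, so the login can be written as `printf '%s' "\${BUILDAH_PASSWORD}" | buildah login --username "\${BUILDAH_USERNAME}" --password-stdin git.pyrocufflink.net` (the variables should be double-quoted in either form). The `\$` escapes in the Groovy string mean the secret is expanded by the shell rather than interpolated into the pipeline script, which is correct and worth keeping. `REGISTRY_AUTH_FILE` points at `${env.WORKSPACE_TMP}/auth.json`, so the registry credentials remain on disk after the stage ends; a `post { always { sh 'buildah logout git.pyrocufflink.net' } }` on the Publish stage, or removing that file, would bound their lifetime to the stage.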
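Review bot: build.sh runs without `set -eu`, so if `ci/common.sh` cannot derive a name (for example `JOB_NAME` or `BRANCH_NAME` unset) the `buildah build` still runs with an empty or malformed `-t` argument instead of failing; the same applies to publish.sh and sign-rpms.sh in this diff. Adding `set -eu` after the shebang of each script makes an unset variable or a failed command abort the stage. In publish.sh this matters because a failed first `buildah push` would otherwise be followed by the remaining pushes as if nothing had gone wrong.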
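Review bot: `escape_name` replaces disallowed characters and fixes a leading `.` or `-`, but it does not enforce the 128-character limit on OCI tags, so a long branch name yields a `TAG` the registry rejects at push time; appending `| cut -c1-128` after the `sed` would close that. The `tr A-Z a-z` range is locale dependent; `tr '[:upper:]' '[:lower:]'` is the portable form. `NAME="${JOB_NAME#*/}"` followed by `${NAME%/*}` assumes `JOB_NAME` has the shape `folder/job/branch`; for a multibranch job at the folder root `${NAME%/*}` has no slash to strip and the branch name would become the image name, so the expected layout deserves a comment such as `# JOB_NAME is folder/job/branch; keep the middle component as the image name`.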
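Review bot: The buildah container is pinned only to the floating tag `quay.io/containers/buildah:v1`, so the toolchain that builds and pushes every image can change underneath the pipeline with no change to this repository; pinning by digest (`image: quay.io/containers/buildah:v1@sha256:<digest-placeholder>`) and bumping it deliberately keeps the build environment reproducible. The container adds `SYS_ADMIN`, `MKNOD`, `SYS_CHROOT` and `SETFCAP` with no `drop` list, so the effective set is the runtime default plus these four; `hostUsers: false` confines them to a user namespace, which limits the blast radius, but an explicit `drop: [ALL]` before the `add` list would make the granted set visible in the template. `hostUsers: false` also depends on user-namespace support being enabled on the cluster and presumably is ignored rather than rejected where it is not, so it is worth confirming that the pod actually runs with a user namespace before relying on it to contain `SYS_ADMIN`.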
diff --git a/ci/publish.sh b/ci/publish.sh
new file mode 100644
index 0000000..a54b0db
--- /dev/null
+++ b/ci/publish.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+. ci/common.sh
+
+buildah push "${IMAGE_NAME}:${TAG}" "${IMAGE_NAME}:${TAG}-${BUILD_NUMBER}"
+buildah push "${IMAGE_NAME}:${TAG}"
+case "${BRANCH_NAME}" in
+master|main)
+ buildah push "${IMAGE_NAME}:${TAG}" "${IMAGE_NAME}:latest"
+ ;;
+esac
diff --git a/ci/sign-rpms.sh b/ci/sign-rpms.sh
new file mode 100644
index 0000000..6d9ac18
--- /dev/null
+++ b/ci/sign-rpms.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+gpg2 --pinentry-mode loopback --passphrase-fd 0 \
+ --import "${RPM_GPG_PRIVATE_KEY}" \
+ < "${RPM_GPG_KEY_PASSPHRASE}"
+
+rpmsign --addsign \
+ -D '_gpg_name jenkins@pyrocufflink.net' \
+ -D '_gpg_sign_cmd_extra_args --pinentry-mode loopback --passphrase-fd 3' \
+ cli/*.rpm \
+ 3< "${RPM_GPG_KEY_PASSPHRASE}"
+
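Review bot: The first two pushes run for every branch and `TAG` comes straight from `escape_name "${BRANCH_NAME}"`, so a branch named `latest` overwrites `${IMAGE_NAME}:latest` despite the `master|main` guard on the third push, and a branch such as `main-7` can collide with the `${TAG}-${BUILD_NUMBER}` tags written from main. Rejecting reserved names before the first push closes the first case, e.g. `case "${TAG}" in latest) echo "refusing reserved tag ${TAG}" >&2; exit 1 ;; esac`, and prefixing branch tags (for example `branch-${TAG}`) would keep them out of the build-number tag space. Note that `${TAG}` is a mutable reference, so `${TAG}-${BUILD_NUMBER}` is the only tag here that consumers can pin to a specific build.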
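Review bot: The `gpg2 --import` writes the RPM signing private key into the default `GNUPGHOME` (the build user's `~/.gnupg`), where it outlives this script and is usable by any later step running in the same pod or workspace; importing into a throwaway home that is removed on exit confines the key to the signing step: `GNUPGHOME=$(mktemp -d); export GNUPGHOME; trap 'rm -rf "$GNUPGHOME"' EXIT`. The GnuPG manual states that `--passphrase-fd` is only honoured together with `--batch`, so the import line presumably needs `--batch` as well — worth confirming against the gpg2 version in the build image. `cli/*.rpm` is unguarded, so with no RPMs present the literal pattern is handed to `rpmsign` and the step fails with an unclear error rather than a deliberate message. Nothing in this diff's Jenkinsfile invokes sign-rpms.sh, so presumably another pipeline calls it; a header comment naming that caller and the two expected `RPM_GPG_*` file paths would help the next reader.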