ci: Import ci pipeline from original repo

When this repository was split from the original *dustin/sshca*
repository, the CI pipeline was not imported.  It wouldn't have mattered
if it had been, since it wouldn't have worked, anyway, given the path
changes.

ci/Jenkinsfile

@@ -0,0 +1,48 @@
+pipeline {
+    agent none
+
+    stages {
+        stage('SSHCA') {
+            stages {
+                stage('Server') {
+                    agent {
+                        kubernetes {
+                            yamlFile 'ci/podTemplate.yaml'
+                            yamlMergeStrategy merge()
+                            defaultContainer 'buildah'
+                        }
+                    }
+                    stages {
+                        stage('Build') {
+                            steps {
+                                sh '. ci/build.sh'
+                            }
+                        }
+
+                        stage('Publish') {
+                            steps {
+                                withEnv([
+                                    "REGISTRY_AUTH_FILE=${env.WORKSPACE_TMP}/auth.json"
+                                ]) {
+                                    withCredentials([usernamePassword(
+                                        credentialsId: 'jenkins-packages',
+                                        usernameVariable: 'BUILDAH_USERNAME',
+                                        passwordVariable: 'BUILDAH_PASSWORD',
+                                    )]) {
+                                        sh """
+                                            buildah login \
+                                            --username \${BUILDAH_USERNAME} \
+                                            --password \${BUILDAH_PASSWORD} \
+                                            git.pyrocufflink.net
+                                        """
+                                    }
+                                    sh '. ci/publish.sh'
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+}

ci/build.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+. ci/common.sh
+
+buildah build -t "${IMAGE_NAME}:${TAG}" server

ci/common.sh

@@ -0,0 +1,13 @@
+escape_name() {
+    echo "$1" \
+        | tr A-Z a-z \
+        | sed -e 's/[^a-zA-Z0-9._-]/-/g' -e 's/^[.-]/_/'
+}
+
+REGISTRY_URL=git.pyrocufflink.net
+NAMESPACE=containerimages
+NAME="${JOB_NAME#*/}"
+NAME=$(escape_name "${NAME%/*}")
+TAG=$(escape_name "${BRANCH_NAME}")
+
+IMAGE_NAME="${REGISTRY_URL}/${NAMESPACE}/${NAME}"

ci/podTemplate.yaml

@@ -0,0 +1,19 @@
+spec:
+  containers:
+  - name: buildah
+    image: quay.io/containers/buildah:v1
+    command:
+    - cat
+    stdin: true
+    tty: true
+    securityContext:
+      capabilities:
+        add:
+        - SYS_ADMIN
+        - MKNOD
+        - SYS_CHROOT
+        - SETFCAP
+    resources:
+      limits:
+        github.com/fuse: 1
+  hostUsers: false

ci/publish.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+. ci/common.sh
+
+buildah push "${IMAGE_NAME}:${TAG}" "${IMAGE_NAME}:${TAG}-${BUILD_NUMBER}"
+buildah push "${IMAGE_NAME}:${TAG}"
+case "${BRANCH_NAME}" in
+master|main)
+    buildah push "${IMAGE_NAME}:${TAG}" "${IMAGE_NAME}:latest"
+    ;;
+esac

ci/sign-rpms.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+gpg2 --pinentry-mode loopback --passphrase-fd 0 \
+    --import "${RPM_GPG_PRIVATE_KEY}" \
+    < "${RPM_GPG_KEY_PASSPHRASE}"
+
+rpmsign --addsign \
+    -D '_gpg_name jenkins@pyrocufflink.net' \
+    -D '_gpg_sign_cmd_extra_args --pinentry-mode loopback --passphrase-fd 3' \
+    cli/*.rpm \
+    3< "${RPM_GPG_KEY_PASSPHRASE}"
+