infra
/
dch-selinux
1
0
Fork 0
Code Packages

ci: Build/sign RPMs for multiple Fedora versions
infra/dch-selinux/pipeline/head This commit looks good Details 

* Use `matrix` to generate pipelines for multiple Fedora versions
* Sign RPM packages using the Jenkins GPG key
* Publish RPM files to *dch* repository on *files.pyrocufflink.blue*
  instead of Gitea (the latter cannot handle multiple releases of the
  same package)
main
Dustin 2024-06-03 08:31:18 -05:00
parent ed07fe930e
commit 5a0e5de56a
6 changed files with 144 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
ci/Jenkinsfile vendored
View File

@ -1,17 +1,63 @@
// vim: set sw=4 ts=4 sts=4 et :
pipeline { pipeline {
agent { agent none
kubernetes {
yamlFile 'ci/podTemplate.yaml' stages {
defaultContainer 'build' stage('RPM') {
matrix {
axes {
axis {
name 'FEDORA'
values '39', '40'
} }
} }
stages { stages {
stage('Build RPM') {
agent {
kubernetes {
yamlFile 'ci/podTemplate.yaml'
yamlMergeStrategy merge()
defaultContainer 'fedora'
containerTemplate {
name 'fedora'
image "registry.fedoraproject.org/fedora:${FEDORA}"
}
}
}
environment {
GNUPGHOME = "${env.WORKSPACE_TMP}/gnupg"
}
stages {
stage('Prepare') {
steps {
sh '. ci/prepare.sh'
}
}
stage('Build') { stage('Build') {
steps { steps {
sh 'make rpm' sh '. ci/build.sh'
script {
if (env.BRANCH_NAME == 'main') {
withCredentials([
file(
credentialsId: 'rpm-gpg-key',
variable: 'RPM_GPG_PRIVATE_KEY',
),
file(
credentialsId: 'rpm-gpg-key-passphrase',
variable: 'RPM_GPG_KEY_PASSPHRASE',
),
]) {
sh '. ci/sign-rpms.sh'
}
}
}
}
post {
success {
archiveArtifacts '*.rpm'
}
} }
} }
@ -20,21 +66,16 @@ pipeline {
branch 'main' branch 'main'
} }
steps { steps {
withCredentials([usernamePassword( sshagent(['jenkins-repohost']) {
credentialsId: 'jenkins-packages', sh '. ci/publish.sh'
usernameVariable: 'GITEA_USERNAME', }
passwordVariable: 'GITEA_PASSWORD', }
)]) { }
sh 'make publish' }
} }
} }
} }
} }
post {
success {
archiveArtifacts '*.rpm'
} }
}
} }

3
ci/build.sh Normal file
View File

@ -0,0 +1,3 @@
#!/bin/sh
make rpm

19
ci/podTemplate.yaml
View File

@ -1,7 +1,16 @@
spec: spec:
containers: containers:
- name: build - name: fedora
image: git.pyrocufflink.net/containerimages/build/selinux:main command:
imagePullPolicy: Always - cat
securityPolicy: stdin: true
runAsNonRoot: true tty: true
volumeMounts:
- mountPath: /etc/ssh/ssh_known_hosts
name: ssh-known-hosts
subPath: ssh_known_hosts
hostUsers: false
volumes:
- name: ssh-known-hosts
configMap:
name: ssh-known-hosts

19
ci/prepare.sh Normal file
View File

@ -0,0 +1,19 @@
#!/bin/sh
dnf install -y \
--setopt install_weak_deps=0 \
make \
openssh-clients \
openssl-devel \
rpm-build \
rpm-sign \
rsync \
selinux-policy-devel \
tar \
xz \
--
install -m u=rwx,go= -d "${GNUPGHOME}"
cat > "${GNUPGHOME}"/gpg-agent.conf <<EOF
allow-loopback-pinentry
EOF

25
ci/publish.sh Normal file
View File

@ -0,0 +1,25 @@
#!/bin/sh
ARCH="$(uname -m)"
REPO_HOST=jenkins@files.pyrocufflink.blue
REPO_PATH=/srv/www/repohost/repos/dch/fedora/$(rpm --eval %fedora)
ssh-add -l
ssh-add -L
case "${ARCH}" in
x86_64)
# only include the SRPM once
include='*.rpm'
;;
*)
include="*.${ARCH}.rpm"
;;
esac
rsync -rtiO \
--chmod=ugo=rwX \
--include "${include}" \
--exclude '*' \
./ \
"${REPO_HOST}:${REPO_PATH}/"

12
ci/sign-rpms.sh Normal file
View File

@ -0,0 +1,12 @@
#!/bin/sh
gpg2 --pinentry-mode loopback --passphrase-fd 0 \
--import "${RPM_GPG_PRIVATE_KEY}" \
< "${RPM_GPG_KEY_PASSPHRASE}"
rpmsign --addsign \
-D '_gpg_name jenkins@pyrocufflink.net' \
-D '_gpg_sign_cmd_extra_args --pinentry-mode loopback --passphrase-fd 3' \
*.rpm \
3< "${RPM_GPG_KEY_PASSPHRASE}"