ci: Begin Jenkins pipeline

Gitea 1.20 introduced RPM package repository support.  We can use this
feature to publish the *dch-selinux* RPM, instead of manually creating
the repository and publishing it to the file server.  This will
ultimately enable Jenkins to publish the package as well.

.gitignore

@@ -1,2 +1,7 @@
+BUILD/
+BUILDROOT/
+repo/
 tmp/
 *.pp
+*.rpm
+*.tar.xz

Makefile

@@ -1,5 +1,84 @@
-NAME ?= targetd
+NAME ?= targeted
+REPO ?= repo
 
-.PHONY: all
+RPMBUILDFLAGS = \
-all:
+	-D "_topdir ${PWD}" \
+	-D "_srcrpmdir ${PWD}" \
+	-D "_sourcedir ${PWD}" \
+	-D "_specdir ${PWD}" \
+	-D "_rpmdir ${PWD}"
+
+ARCH = noarch
+VERSION = $(shell rpm -q --qf '%{VERSION}' --specfile dch-selinux.spec)
+RELEASE = $(shell rpm -q --qf '%{RELEASE}' --specfile dch-selinux.spec)
+TAR = dch-selinux-$(VERSION).tar.xz
+SPEC = dch-selinux.spec
+RPM = dch-selinux-$(VERSION)-$(RELEASE).$(ARCH).rpm
+SRPM = dch-selinux-$(VERSION)-$(RELEASE).src.rpm
+
+GITEA_URL = https://git.pyrocufflink.net
+GITEA_ORG = infra
+
+define buildpp
 	$(MAKE) NAME=$(NAME) -f /usr/share/selinux/devel/Makefile
+endef
+
+.PHONY: \
+	clean \
+	default \
+	dist \
+	mockbuild \
+	pp \
+	publish \
+	repo \
+	rpm \
+	srpm
+
+default: pp
+
+dch-samba.pp: dch-samba.fc dch-samba.if dch-samba.te
+	$(call buildpp)
+
+$(TAR): \
+		$(wildcard *.fc) \
+		$(wildcard *.if) \
+		$(wildcard *.te)
+	tar -cJf $@ --transform 's/^/dch-selinux-$(VERSION)\//' $^
+
+$(RPM): $(SPEC) $(TAR)
+	rpmbuild $(RPMBUILDFLAGS) -bb -v $<
+	mv $(ARCH)/$@ $@
+	rmdir $(ARCH)
+
+$(SRPM): $(SPEC) $(TAR)
+	rpmbuild $(RPMBUILDFLAGS) -bs -v $<
+
+dist: $(TAR)
+
+clean:
+	rm -f *.pp *.rpm *.srpm *.tar.xz
+	rm -rf BUILD BUILDROOT
+	rm -rf repo
+	rm -rf tmp
+
+mockbuild: $(SRPM)
+ifeq ($(MOCKTARGET),)
+	$(error MOCKTARGET is required, e.g. make MOCKTARGET=fedora-37-x86_64 mockbuild)
+endif
+	mock -r '$(MOCKTARGET)' $(SRPM)
+	cp -a /var/lib/mock/$(MOCKTARGET)/result/*.noarch.rpm .
+
+publish: $(RPM)
+ifeq ($(GITEA_USERNAME),)
+	$(error GITEA_USERNAME and GITEA_PASSWORD are required)
+endif
+	curl -f \
+		'$(GITEA_URL)/api/packages/$(GITEA_ORG)/rpm/upload' \
+		-u '$(GITEA_USERNAME):$(GITEA_PASSWORD)' \
+		-T $<
+
+rpm: $(RPM)
+
+srpm: $(SRPM)
+
+pp: dch-samba.pp

ci/Jenkinsfile

@@ -0,0 +1,37 @@
+// vim: set sw=4 ts=4 sts=4 et :
+
+pipeline {
+    agent {
+        kubernetes {
+            yamlFile 'ci/podTemplate.yaml'
+            defaultContainer 'build'
+        }
+    }
+
+    stages {
+        stage('Build') {
+            steps {
+                sh 'make rpm'
+            }
+        }
+
+        stage('Publish') {
+            steps {
+                withCredentials([usernamePassword(
+                    credentialsId: 'jenkins-packages',
+                    usernameVariable: 'GITEA_USERNAME',
+                    passwordVariable: 'GITEA_PASSWORD',
+                )]) {
+                    sh 'make publish'
+                }
+            }
+        }
+    }
+
+    post {
+        success {
+            archiveArtifacts '*.rpm'
+        }
+    }
+
+}

ci/podTemplate.yaml

@@ -0,0 +1,7 @@
+spec:
+  containers:
+  - name: build
+    image: git.pyrocufflink.net/containerimages/build/selinux:main
+    imagePullPolicy: Always
+    securityPolicy:
+      runAsNonRoot: true

dch-selinux.spec

@@ -0,0 +1,65 @@
+%global selinux_variants mls targeted
+
+Name:           dch-selinux
+Version:        1.0.0
+Release:        1%{?dist}
+Summary:        Dustin's custom SELinux policy modules
+
+License:        GPLv2+
+URL:            https://git.pyrocufflink.net/dustin/dch-selinux
+Source0:        %{name}-%{version}.tar.xz
+
+BuildArch:      noarch
+
+BuildRequires:  checkpolicy
+BuildRequires:  hardlink
+BuildRequires:  selinux-policy-devel
+
+Requires:       selinux-policy >= %{_selinux_policy_version}
+
+Requires(post):   policycoreutils, selinux-policy-base
+Requires(postun): policycoreutils
+
+%description
+This is a collection of SELinux policy modules that fix or augment the default
+SELinux policy for Fedora/RHEL.
+
+
+%prep
+%setup
+
+%build
+for v in %{selinux_variants}; do
+    make NAME=$v -f %{_datarootdir}/selinux/devel/Makefile
+    mv dch-samba.pp dch-samba.pp.$v
+    make NAME=$v -f %{_datarootdir}/selinux/devel/Makefile clean
+done
+
+%install
+for v in %{selinux_variants}; do
+    install -d %{buildroot}%{_datadir}/selinux/$v
+    install -p -m 644 dch-samba.pp.$v \
+        %{buildroot}%{_datadir}/selinux/$v/dch-samba.pp
+done
+hardlink -cv %{buildroot}%{_datadir}/selinux
+
+
+%post
+for v in %{selinux_variants}; do
+    /usr/sbin/semodule -s $v \
+        -i %{_datadir}/selinux/$v/dch-samba.pp >&- 2>&- || :
+done
+
+
+%postun
+for v in %{selinux_variants}; do
+    /usr/sbin/semodule -s $v -r dch-samba.pp >&- 2>&- || :
+done
+
+
+%files
+%{_datadir}/selinux/*/*.pp
+
+%changelog
+* Mon Dec 19 2022 Dustin C. Hatch <dustin@hatch.name> 1.0.0-1
+- New spec for dch-selinux