Add buildomat jobs for select images

It's useful to have some images that have gone through a
`permslip sign`. Do so in a very limited fashion.

Author: labbott

.github/buildomat/build-one.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+set -o nounset
+
+name=$1
+toml=$2
+image=$3
+
+cargo xtask dist $toml
+cp target/$name/dist/$image/build-$name-image-$image.zip /work/
+touch /work/this_is_not_signed.txt

.github/buildomat/force-git-over-https.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+#
+# The token authentication mechanism that affords us access to other private
+# repositories requires that we use HTTPS URLs for GitHub, rather than SSH.
+#
+override_urls=(
+    'git://github.com/'
+    '[email protected]:'
+    'ssh://github.com/'
+    'ssh://[email protected]/'
+    'git+ssh://[email protected]/'
+)
+for (( i = 0; i < ${#override_urls[@]}; i++ )); do
+	git config --add --global url.https://github.com/.insteadOf \
+	    "${override_urls[$i]}"
+done
+
+#
+# Require that cargo use the git CLI instead of the built-in support.  This
+# achieves two things: first, SSH URLs should be transformed on fetch without
+# requiring Cargo.toml rewriting, which is especially difficult in transitive
+# dependencies; second, Cargo does not seem willing on its own to look in
+# ~/.netrc and find the temporary token that buildomat generates for our job,
+# so we must use git which uses curl.
+#
+export CARGO_NET_GIT_FETCH_WITH_CLI=true

.github/buildomat/jobs/gimlet-c-lab.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build gimlet-c-lab"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#:  "=/work/*.zip",
+#:  "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh gimlet-c-lab app/gimlet/rev-c-lab.toml default

.github/buildomat/jobs/gimlet-c.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build gimlet-c"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#:  "=/work/*.zip",
+#:  "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh gimlet-c app/gimlet/rev-c.toml default

.github/buildomat/jobs/gimlet-d-lab.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build gimlet-d-lab"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#:  "=/work/*.zip",
+#:  "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh gimlet-d-lab app/gimlet/rev-d-lab.toml default

.github/buildomat/jobs/gimlet-d.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build gimlet-d"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#:  "=/work/*.zip",
+#:  "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh gimlet-d app/gimlet/rev-d.toml default

.github/buildomat/jobs/gimlet-e-lab.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build gimlet-e-lab"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#:  "=/work/*.zip",
+#:  "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh gimlet-e-lab app/gimlet/rev-e-lab.toml default

.github/buildomat/jobs/gimlet-e.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build gimlet-e"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#:  "=/work/*.zip",
+#:  "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh gimlet-e app/gimlet/rev-e.toml default

.github/buildomat/jobs/gimlet-f-lab.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build gimlet-f-lab"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#:  "=/work/*.zip",
+#:  "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh gimlet-f-lab app/gimlet/rev-f-lab.toml default

.github/buildomat/jobs/gimlet-f.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build gimlet-f"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#:  "=/work/*.zip",
+#:  "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh gimlet-f app/gimlet/rev-f.toml default

.github/buildomat/jobs/psc-b.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build psc-b"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#:  "=/work/*.zip",
+#:  "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh psc-b app/psc/rev-b.toml default

.github/buildomat/jobs/psc-c.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build psc-c"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#:  "=/work/*.zip",
+#:  "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh psc-c app/psc/rev-c.toml default

.github/buildomat/jobs/rot.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+#:
+#: name = "build rot"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#:  "=/work/*.zip",
+#: ]
+#: access_repos = [
+#:	"oxidecomputer/permission-slip",
+#: ]
+#:
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+_cleanup () {
+	kill $(jobs -p)
+}
+
+trap _cleanup SIGINT SIGTERM EXIT
+
+source .github/buildomat/force-git-over-https.sh
+source .github/buildomat/permslip-setup.sh
+
+
+cargo xtask dist app/oxide-rot-1/app-dev.toml
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 \
+	sign "UNTRUSTED bart" \
+	target/oxide-rot-1-selfsigned/dist/a/build-oxide-rot-1-selfsigned-image-a.zip \
+	--version 0.0.0-ci > /work/build-oxide-rot-1-selfsigned-image-a.zip
+
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 \
+	sign "UNTRUSTED bart" \
+	target/oxide-rot-1-selfsigned/dist/b/build-oxide-rot-1-selfsigned-image-b.zip \
+	--version 0.0.0-ci > /work/build-oxide-rot-1-selfsigned-image-b.zip

.github/buildomat/jobs/sidecar-b-lab.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build sidecar-b-lab"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#:  "=/work/*.zip",
+#:  "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh sidecar-b-lab app/sidecar/rev-b-lab.toml default

.github/buildomat/jobs/sidecar-b.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build sidecar-b"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#:  "=/work/*.zip",
+#:  "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh sidecar-b app/sidecar/rev-b.toml default

.github/buildomat/jobs/sidecar-c-lab.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build sidecar-c-lab"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#:  "=/work/*.zip",
+#:  "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh sidecar-c-lab app/sidecar/rev-c-lab.toml default

.github/buildomat/jobs/sidecar-c.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build sidecar-c"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#:  "=/work/*.zip",
+#:  "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh sidecar-c app/sidecar/rev-c.toml default

.github/buildomat/jobs/sidecar-d-lab.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build sidecar-d-lab"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#:  "=/work/*.zip",
+#:  "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh sidecar-d-lab app/sidecar/rev-d-lab.toml default

.github/buildomat/jobs/sidecar-d.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+#:
+#: name = "build sidecar-d"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#:  "=/work/*.zip",
+#:  "=/work/this_is_not_signed.txt",
+#: ]
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+exec .github/buildomat/build-one.sh sidecar-d app/sidecar/rev-d.toml default