Add buildomat jobs for select images

It's useful to have some images that have gone through a
`permslip sign`. Do so in a very limited fashion.

.github/buildomat/force-git-over-https.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+#
+# The token authentication mechanism that affords us access to other private
+# repositories requires that we use HTTPS URLs for GitHub, rather than SSH.
+#
+override_urls=(
+    'git://github.com/'
+    '[email protected]:'
+    'ssh://github.com/'
+    'ssh://[email protected]/'
+    'git+ssh://[email protected]/'
+)
+for (( i = 0; i < ${#override_urls[@]}; i++ )); do
+	git config --add --global url.https://github.com/.insteadOf \
+	    "${override_urls[$i]}"
+done
+
+#
+# Require that cargo use the git CLI instead of the built-in support.  This
+# achieves two things: first, SSH URLs should be transformed on fetch without
+# requiring Cargo.toml rewriting, which is especially difficult in transitive
+# dependencies; second, Cargo does not seem willing on its own to look in
+# ~/.netrc and find the temporary token that buildomat generates for our job,
+# so we must use git which uses curl.
+#
+export CARGO_NET_GIT_FETCH_WITH_CLI=true

.github/buildomat/jobs/rot.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+#:
+#: name = "build rot"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#:  "=/work/*.zip",
+#: ]
+#: access_repos = [
+#:	"oxidecomputer/permission-slip",
+#:	"oxidecomputer/dogbuild",
+#: ]
+#:
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+_cleanup () {
+	kill $(jobs -p)
+}
+
+trap _cleanup SIGINT SIGTERM EXIT
+
+source .github/buildomat/force-git-over-https.sh
+source .github/buildomat/permslip-setup.sh
+
+
+cargo xtask dist app/oxide-rot-1/app-dev.toml
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 \
+	sign "UNTRUSTED bart" \
+	target/oxide-rot-1-selfsigned/dist/a/build-oxide-rot-1-selfsigned-image-a.zip \
+	--version 0.0.0-ci > /work/build-oxide-rot-1-selfsigned-image-a.zip
+
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 \
+	sign "UNTRUSTED bart" \
+	target/oxide-rot-1-selfsigned/dist/b/build-oxide-rot-1-selfsigned-image-b.zip \
+	--version 0.0.0-ci > /work/build-oxide-rot-1-selfsigned-image-b.zip

.github/buildomat/jobs/sp.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+#:
+#: name = "build sp"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#:  "=/work/*.zip",
+#: ]
+#: access_repos = [
+#:	"oxidecomputer/permission-slip",
+#:	"oxidecomputer/dogbuild",
+#: ]
+#:
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+_cleanup () {
+        kill $(jobs -p)
+}
+
+trap _cleanup SIGINT SIGTERM EXIT
+
+source .github/buildomat/force-git-over-https.sh
+source .github/buildomat/permslip-setup.sh
+
+
+while read -r line; do
+	name=`echo $line | cut -d ' ' -f 1`
+	toml=`echo $line | cut -d ' ' -f 2`
+	cargo xtask dist $toml
+	$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 sign "UNTRUSTED SP" \
+			target/$name/dist/default/build-$name-image-default.zip \
+			--version 0.0.0-ci > /work/$name.zip
+done < .github/buildomat/sp_build_list

.github/buildomat/permslip-setup.sh

@@ -0,0 +1,78 @@
+#!/bin/bash
+
+set -ex
+
+sudo apt-get update
+sudo apt-get install -y postgresql gcc pkgconf openssl libssl-dev
+
+sudo -u postgres createuser yourname
+sudo -u postgres createdb permslip
+sudo -u postgres psql << EOF
+\x
+alter user yourname with encrypted password 'password';
+EOF
+
+sudo -u postgres psql << EOF
+\x
+grant all privileges on database permslip to yourname;
+EOF
+sudo -u postgres psql -d permslip << EOF
+grant all on schema public to yourname;
+EOF
+
+export PERMSLIP_DIR=/work/permslip
+BART_KEY=$(pwd)/support/fake_certs/fake_private_key.pem
+
+mkdir -p $PERMSLIP_DIR
+git clone https://github.com/oxidecomputer/permission-slip.git -b ssh_key_fix $PERMSLIP_DIR
+pushd $PERMSLIP_DIR
+cargo build --release
+export POSTGRES_HOST=localhost
+export POSTGRES_PORT=5432
+export POSTGRES_USER=yourname
+export POSTGRES_PASSWORD=password
+
+ssh-keygen -t ecdsa -b 256 -f /tmp/id_p256 -N '' -C ''
+eval "$(ssh-agent -s)"
+ssh-add /tmp/id_p256
+PERMSLIP_SSH_KEY=$(ssh-keygen -lf /tmp/id_p256.pub | cut -d ' ' -f 2)
+export PERMSLIP_SSH_KEY
+
+$PERMSLIP_DIR/target/release/permslip-server import-ssh-key /tmp/id_p256.pub
+$PERMSLIP_DIR/target/release/permslip-server import-private-key "UNTRUSTED bart" rsa "$BART_KEY"
+$PERMSLIP_DIR/target/release/permslip-server start-server &
+
+sleep 5
+
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 list-keys
+
+# Gimlet
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-key "UNTRUSTED gimlet" rsa
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-csr "UNTRUSTED gimlet" > gimlet.csr
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 sign "UNTRUSTED gimlet" --kind csr gimlet.csr > gimlet.cert
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 set-key-context "UNTRUSTED gimlet" --kind hubris --cert gimlet.cert --root gimlet.cert
+
+# sidecar
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-key "UNTRUSTED sidecar" rsa
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-csr "UNTRUSTED sidecar" > sidecar.csr
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 sign "UNTRUSTED sidecar" --kind csr sidecar.csr > sidecar.cert
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 set-key-context "UNTRUSTED sidecar" --kind hubris --cert sidecar.cert --root sidecar.cert
+
+# psc
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-key "UNTRUSTED psc" rsa
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-csr "UNTRUSTED psc" > psc.csr
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 sign "UNTRUSTED psc" --kind csr psc.csr > psc.cert
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 set-key-context "UNTRUSTED psc" --kind hubris --cert psc.cert --root psc.cert
+
+# SP
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-key "UNTRUSTED SP" rsa
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-csr "UNTRUSTED SP" > SP.csr
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 sign "UNTRUSTED SP" --kind csr SP.csr > SP.cert
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 set-key-context "UNTRUSTED SP" --kind hubris --cert SP.cert --root SP.cert
+
+# Bart
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-csr "UNTRUSTED bart" > bart.csr
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 sign "UNTRUSTED bart" --kind csr bart.csr > bart.cert
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 set-key-context "UNTRUSTED bart" --kind hubris --cert bart.cert --root bart.cert
+
+popd

.github/buildomat/sp_build_list

@@ -0,0 +1,18 @@
+gimlet-b app/gimlet/rev-b.toml
+gimlet-c app/gimlet/rev-c.toml
+gimlet-d app/gimlet/rev-d.toml
+gimlet-e app/gimlet/rev-e.toml
+gimlet-f app/gimlet/rev-f.toml
+gimlet-b-lab app/gimlet/rev-b-lab.toml
+gimlet-c-lab app/gimlet/rev-c-lab.toml
+gimlet-d-lab app/gimlet/rev-d-lab.toml
+gimlet-e-lab app/gimlet/rev-e-lab.toml
+gimlet-f-lab app/gimlet/rev-f-lab.toml
+psc-b app/psc/rev-b.toml
+psc-c app/psc/rev-c.toml
+sidecar-b app/sidecar/rev-b.toml
+sidecar-c app/sidecar/rev-c.toml
+sidecar-d app/sidecar/rev-d.toml
+sidecar-b-lab app/sidecar/rev-b-lab.toml
+sidecar-c-lab app/sidecar/rev-c-lab.toml
+sidecar-d-lab app/sidecar/rev-d-lab.toml