ci_tests.fmf plan update for gating testing

Resolves: #RHEL-146227

Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -0,0 +1,3 @@
+/clevis-pin-trustee-0.0.1.tar.gz
+/clevis-pin-trustee-0.0.1-vendor.tar.gz
+/clevis-pin-trustee-0.0.1-vendor.tar.zstd

ci_tests.fmf

@@ -0,0 +1,11 @@
+/e2e_internal:
+  plan:
+    import:
+      url: https://github.com/RedHat-SP-Security/clevis-pin-trustee-plans.git
+      name: /generic/e2e_ci_internal
+
+/rpmverify:
+  plan:
+    import:
+      url: https://github.com/RedHat-SP-Security/clevis-pin-trustee-plans.git
+      name: /generic/rpmverify

clevis-pin-trustee.spec

@@ -0,0 +1,81 @@
+%if 0%{?rhel} || 0%{?epel}
+# RHEL/EPEL: Use bundled deps as it doesn't ship Rust libraries
+%global bundled_rust_deps 1
+%else
+# Fedora: Could use system Rust libraries, but we use vendored for simplicity
+%global bundled_rust_deps 1
+%endif
+
+# GitHub tag doesn't use tilde, map it here
+%global upstream_version 0.1.0
+
+Name:           clevis-pin-trustee
+Version:        %{upstream_version}
+Release:        1%{?dist}
+Summary:        Clevis PIN for Trustee attestation
+
+License:        MIT
+URL:            https://github.com/latchset/%{name}
+Source0:        https://github.com/latchset/%{name}/archive/refs/tags/v%{upstream_version}.tar.gz#/%{name}-%{upstream_version}.tar.gz
+# The vendor tarball is created using cargo-vendor-filterer to remove Windows
+# related files (https://github.com/cgwalters/cargo-vendor-filterer)
+#   tar xzf %%{name}-%%{version}.tar.gz
+#   cd %%{name}-%%{version}
+#   cargo vendor-filterer --platform x86_64-unknown-linux-gnu \
+#       --platform powerpc64le-unknown-linux-gnu \
+#       --platform aarch64-unknown-linux-gnu \
+#       --platform i686-unknown-linux-gnu \
+#       --platform s390x-unknown-linux-gnu
+#       --prefix=vendor --format=tar.zstd
+#   Rename the vendor.tar.zstd tarball to clevis-pin-trustee-%%{version}-vendor.tar.zstd
+Source1:        %{name}-%{version}-vendor.tar.zstd
+
+%if 0%{?bundled_rust_deps}
+BuildRequires:  rust-toolset
+BuildRequires:  rust-packaging
+%else
+BuildRequires:  rust-packaging >= 25
+%endif
+BuildRequires:  openssl-devel
+
+# Runtime dependencies
+Requires:       clevis
+Requires:       jose
+
+%description
+clevis-pin-trustee is a Clevis PIN that implements encryption and decryption
+operations using remote attestation via a Trustee server. It enables automated
+unlocking of LUKS-encrypted volumes in confidential computing environments by
+fetching encryption keys from Trustee servers after successful attestation.
+
+%prep
+%autosetup -n %{name}-%{upstream_version} %{?bundled_rust_deps:-a1}
+
+%if 0%{?bundled_rust_deps}
+%cargo_prep -v vendor
+%endif
+
+%build
+%cargo_build
+
+%install
+# Install the binary from the workspace
+install -D -m 0755 target/release/clevis-pin-trustee %{buildroot}%{_bindir}/clevis-pin-trustee
+
+# Install Clevis wrapper scripts
+install -D -m 0755 clevis-encrypt-trustee %{buildroot}%{_bindir}/clevis-encrypt-trustee
+install -D -m 0755 clevis-decrypt-trustee %{buildroot}%{_bindir}/clevis-decrypt-trustee
+
+%check
+%cargo_test
+
+%files
+%{_bindir}/%{name}
+%{_bindir}/clevis-encrypt-trustee
+%{_bindir}/clevis-decrypt-trustee
+
+%changelog
+* Wed Feb 2 2026 Sergio Arroutbi <sarroutb@redhat.com> - 0.1.0-1
+- Align to 0.1.0 upstream version
+* Thu Jan 22 2026 Sergio Arroutbi <sarroutb@redhat.com> - 0.0.1-1
+- Initial beta package for RHEL9

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

sources

@@ -0,0 +1,2 @@
+SHA512 (clevis-pin-trustee-0.1.0-vendor.tar.zstd) = 785516176bed60782983ea5f36b4f24c4e15192c73ad5740ab996cdd4428ac7006c9c1200811458cb8c67455ba3dd23c7cd1fdb5f9758d2701c5580a0ff3aa36
+SHA512 (clevis-pin-trustee-0.1.0.tar.gz) = 88177e06b2cd64f1e870fdf325ef9747a0382195d215f33868db0e379b7560a1008528e4b348d396c9dc2c4ef6c1b2e69417eb6151fbeefdb68c8e1056ee31cd