Skip to content

Merge pull request #2336 from freedomofpress/dependabot/pip/safety-3.… #454

Merge pull request #2336 from freedomofpress/dependabot/pip/safety-3.…

Merge pull request #2336 from freedomofpress/dependabot/pip/safety-3.… #454

Workflow file for this run

name: Nightlies
on:
schedule:
- cron: "0 6 * * *"
push:
branches:
- main
# Only allow one job to run at a time because we're pushing to git repos;
# the string value doesn't matter, just that it's a fixed string.
concurrency:
group: "just-one-please"
defaults:
run:
shell: bash
jobs:
build-debs:
strategy:
fail-fast: false
matrix:
debian_version:
- bookworm
runs-on: ubuntu-latest
outputs:
artifact_id: ${{ steps.upload.outputs.artifact-id }}
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/checkout@v4
with:
persist-credentials: false
repository: "freedomofpress/securedrop-builder"
path: "securedrop-builder"
lfs: true
- name: Build packages
run: |
git config --global --add safe.directory '*'
NIGHTLY=1 DEBIAN_VERSION=${{ matrix.debian_version }} BUILDER=securedrop-builder \
./scripts/build-debs.sh
- uses: actions/upload-artifact@v4
id: upload
with:
name: build-${{ matrix.debian_version }}
path: build
if-no-files-found: error
commit-and-push:
runs-on: ubuntu-latest
container: debian:bookworm
needs:
- build-debs
steps:
- name: Install dependencies
run: |
apt-get update && apt-get install --yes git git-lfs
- uses: actions/download-artifact@v4
with:
pattern: "*${{ matrix.debian_version }}"
- uses: actions/checkout@v4
with:
# We need to store credentials here
persist-credentials: true
repository: "freedomofpress/securedrop-apt-test"
path: "securedrop-apt-test"
lfs: true
token: ${{ secrets.PUSH_TOKEN }}
- uses: actions/checkout@v4
with:
# We need to store credentials here
persist-credentials: true
repository: "freedomofpress/build-logs"
path: "build-logs"
token: ${{ secrets.PUSH_TOKEN }}
- name: Commit and push
run: |
git config --global user.email "[email protected]"
git config --global user.name "sdcibot"
# First publish buildinfo files
cd build-logs
mkdir -p "buildinfo/$(date +%Y)"
cp -v ../build-*/*.buildinfo "buildinfo/$(date +%Y)"
git add .
git diff-index --quiet HEAD || git commit -m "Publishing buildinfo files for workstation nightlies"
git push origin main
# Now the packages themselves
cd ../securedrop-apt-test
cp -v ../build-bookworm/*.deb workstation/bookworm-nightlies/
git add .
git diff-index --quiet HEAD || git commit -m "Automated SecureDrop workstation build"
git push origin main