From 35e743f936b05c44cc88258ea19b599f48057ddf Mon Sep 17 00:00:00 2001
From: Kunal Mehta
Date: Mon, 5 Feb 2024 11:19:21 -0500
Subject: [PATCH] Build and push nightly packages
As part of our monorepo consolidation, we're moving the nightly package building from the securedrop-builder repository to here. The overall process is the same, we build the packages for bullseye and bookworm, then push buildinfo files and then push debs. Some changes: * nightlies will not be pushed if the bookworm job fails. This is largely to simplify the configuration and also because we're going to move to bookworm pretty soon. * Authentication will be done via a GitHub token, which will be configured by infra. * Running `clean-old-packages` will happen via the securedrop-apt-test repository itself instead of during nightly builds. Fixes #1776.
---
.github/workflows/nightlies.yml | 79 +++++++++++++++++++++++++++++++++
scripts/build-debs.sh | 1 +
scripts/fixup-changelog.sh | 13 +++++-
3 files changed, 91 insertions(+), 2 deletions(-)
create mode 100644 .github/workflows/nightlies.yml
diff --git a/.github/workflows/nightlies.yml b/.github/workflows/nightlies.yml
new file mode 100644
index 000000000..a9d2fba86
--- /dev/null
+++ b/.github/workflows/nightlies.yml
@@ -0,0 +1,79 @@
+name: Nightlies
+on:
+ schedule:
+ - cron: "0 6 * * *"
+
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ build-debs:
+ strategy:
+ matrix:
+ debian_version:
+ - bullseye
+ - bookworm
+ runs-on: ubuntu-latest
+ outputs:
+ artifact_id: ${{ steps.upload.outputs.artifact-id }}
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/checkout@v4
+ with:
+ repository: "freedomofpress/securedrop-builder"
+ path: "securedrop-builder"
+ lfs: true
+ - name: Build packages
+ run: |
+ git config --global --add safe.directory '*'
+ NIGHTLY=1 DEBIAN_VERSION=${{ matrix.debian_version }} BUILDER=securedrop-builder \
+ ./scripts/build-debs.sh
+ - uses: actions/upload-artifact@v4
+ id: upload
+ with:
+ name: build-${{ matrix.debian_version }}
+ path: build
+ if-no-files-found: error
+
+ commit-and-push:
+ runs-on: ubuntu-latest
+ container: debian:bookworm
+ needs:
+ - build-debs
+ steps:
+ - name: Install dependencies
+ run: |
+ apt-get update && apt-get install --yes git git-lfs
+ - uses: actions/download-artifact@v4
+ with:
+ pattern: "*${{ matrix.debian_version }}"
+ - uses: actions/checkout@v4
+ with:
+ repository: "freedomofpress/securedrop-apt-test"
+ path: "securedrop-apt-test"
+ lfs: true
+ token: ${{ secrets.PUSH_TOKEN }}
+ - uses: actions/checkout@v4
+ with:
+ repository: "freedomofpress/build-logs"
+ path: "build-logs"
+ token: ${{ secrets.PUSH_TOKEN }}
+ - name: Commit and push
+ run: |
+ git config --global user.email "securedrop@freedom.press"
+ git config --global user.name "sdcibot"
+ # First publish buildinfo files
+ cd build-logs
+ mkdir -p "buildinfo/$(date +%Y)"
+ cp -v ../build-*/*.buildinfo "buildinfo/$(date +%Y)"
+ git add .
+ git diff-index --quiet HEAD || git commit -m "Publishing buildinfo files for workstation nightlies"
+ git push origin main
+ # Now the packages themselves
+ cd ../securedrop-apt-test
+ cp -v ../build-bullseye/*.deb workstation/bullseye-nightlies/
+ cp -v ../build-bookworm/*.deb workstation/bookworm-nightlies/
+ git add .
+ git diff-index --quiet HEAD || git commit -m "Automated SecureDrop workstation build"
+ git push origin main
diff --git a/scripts/build-debs.sh b/scripts/build-debs.sh
index 574cf288b..1986146de 100755
--- a/scripts/build-debs.sh
+++ b/scripts/build-debs.sh
@@ -38,5 +38,6 @@ $OCI_BIN pull debian:${DEBIAN_VERSION}
 $OCI_BIN run --rm $OCI_RUN_ARGUMENTS \
 -v "${BUILDER}:/builder:Z" \
+ --env NIGHTLY="${NIGHTLY:-}" \
 --entrypoint "/src/scripts/build-debs-real.sh" \
 debian:${DEBIAN_VERSION}
diff --git a/scripts/fixup-changelog.sh b/scripts/fixup-changelog.sh
index 97d70b54b..df7c182be 100755
--- a/scripts/fixup-changelog.sh
+++ b/scripts/fixup-changelog.sh
@@ -10,5 +10,14 @@ if [[ "$VERSION_CODENAME" == "" ]]; then
 VERSION_CODENAME=$(echo $PRETTY_NAME | awk '{split($0, a, "[ /]"); print a[4]}')
 fi
-version=$(dpkg-parsechangelog -S Version)
-sed -i "0,/${version}/ s//${version}+${VERSION_CODENAME}/" debian/changelog
+VERSION=$(dpkg-parsechangelog -S Version)
+
+NIGHTLY="${NIGHTLY:-}"
+if [[ ! -z $NIGHTLY ]]; then
+ NEW_VERSION="${VERSION}.dev$(date +%Y%m%d%H%M%S)"
+else
+ NEW_VERSION=$VERSION
+fi
+
+# Ideally we'd use `dch` here but then we'd to install all of devscripts
+sed -i "0,/${VERSION}/ s//${NEW_VERSION}+${VERSION_CODENAME}/" debian/changelog
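Review bot: In the `commit-and-push` job the download step uses `pattern: "*${{ matrix.debian_version }}"`, but only `build-debs` declares a `strategy.matrix`, so in this job the `matrix` context is presumably empty and the pattern degrades to `*`; that still fetches both `build-bullseye` and `build-bookworm`, which the later `cp` lines depend on, but it reads as a copy-paste slip and `pattern: "build-*"` states the intent directly. The workflow has no top-level `permissions:` block and every `uses:` line references a mutable tag (`actions/checkout@v4`, `actions/upload-artifact@v4`, `actions/download-artifact@v4`) while `commit-and-push` holds `secrets.PUSH_TOKEN` with push rights to two repositories. Pinning each action to a full commit SHA and adding `permissions: contents: read` under `name:` bounds what a compromised action or the default `GITHUB_TOKEN` could do on this scheduled run. The `artifact_id` output on `build-debs` is never consumed by `commit-and-push` and could be dropped, and `git config --global --add safe.directory '*'` is broader than the two checked-out paths need, though harmless on an ephemeral runner.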
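Review bot: `if [[ ! -z $NIGHTLY ]]; then` is the negated, unquoted spelling; the idiomatic form is `if [[ -n "$NIGHTLY" ]]; then`. The rewritten `sed -i "0,/${VERSION}/ s//${NEW_VERSION}+${VERSION_CODENAME}/"` still interpolates `${VERSION}` into the regex unescaped, so each `.` in the version matches any character; that predates this change, but since the line is being rewritten, escaping the pattern's metacharacters would close it. The comment above it drops a word: "we'd to install" should read "we'd have to install". If this script runs once per package (not visible from the hunk), every package gets its own `date +%Y%m%d%H%M%S` stamp, so packages from one nightly run carry different `.dev` versions; letting the workflow pass a single timestamp through an environment variable, and using `date -u` so the stamp does not depend on the builder's timezone, would keep them aligned.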