almet/dangerzone
1
0
Fork 0
mirror of https://github.com/freedomofpress/dangerzone.git synced 2025-04-28 18:02:38 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

Switch from CircleCI runners to Github actions.

Browse source 
As part of this change, the dev (build) and end-user test images names
changed from `dangerzone.rocks/*` to `ghcr.io`.

A new `--sync` option is provided in the `env.py` command, in order to
retrieve the images from the registry, or build and upload otherwise.
This commit is contained in:
Alexis Métaireau 2024-09-06 17:38:23 +02:00
parent 3e434d08d1
commit 025e5dda51
No known key found for this signature in database
GPG key ID: C65C7A89A8FFC56E
5 changed files with 421 additions and 718 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

628
.circleci/config.yml
View file

@ -1,628 +0,0 @@
version: 2.1
aliases:
- &install-podman
name: Install Podman in Ubuntu Focal
command: ./install/linux/install-podman-ubuntu-focal.sh
- &install-dependencies-deb
name: Install dependencies (deb)
command: |
export DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true
apt-get update
apt build-dep -y .
- &install-dependencies-rpm
name: Install dependencies (rpm)
command: |
dnf install -y rpm-build python3 python3-devel python3-poetry-core pipx
pipx install poetry
- &build-deb
name: Build the .deb package
command: |
./install/linux/build-deb.py
ls -lh deb_dist/
- &build-rpm
name: Build the .rpm package
command: |
PATH=/root/.local/bin:$PATH ./install/linux/build-rpm.py
ls -lh dist/
- &build-rpm-qubes
name: Build the Qubes .rpm package
command: |
PATH=/root/.local/bin:$PATH ./install/linux/build-rpm.py --qubes
ls -lh dist/
- &calculate-cache-key
name: Caculating container cache key
command: |
mkdir -p /caches/
cd dangerzone/conversion/
cat common.py doc_to_pixels.py pixels_to_pdf.py | sha1sum | cut -d' ' -f1 > /caches/cache-id.txt
cd ../../
- &restore-cache
key: v1-{{ checksum "Dockerfile" }}-{{ checksum "/caches/cache-id.txt" }}
paths:
- /caches/container.tar.gz
- /caches/image-id.txt
- &copy-image
name: Copy container image into package
command: |
cp /caches/container.tar.gz share/
cp /caches/image-id.txt share/
jobs:
run-lint:
docker:
- image: debian:bookworm
resource_class: small
steps:
- checkout
- run:
name: Install dev. dependencies
# Install only the necessary packages to run our linters.
#
# We run poetry with --no-ansi, to sidestep a Poetry bug that
# currently exists in 1.3. See:
# https://github.com/freedomofpress/dangerzone/issues/292#issuecomment-1351368122
command: |
apt-get update
apt-get install -y git make python3 python3-poetry --no-install-recommends
poetry install --no-ansi --only lint,test
- run:
name: Run linters to enforce code style
command: poetry run make lint
- run:
name: Check that the QA script is up to date with the docs
command: ./dev_scripts/qa.py --check-refs
build-container-image:
machine:
image: ubuntu-2004:202111-01
steps:
- checkout
- run: *install-podman
- run:
name: Prepare cache directory
command: |
sudo mkdir -p /caches
sudo chown -R $USER:$USER /caches
- run: *calculate-cache-key
- restore_cache: *restore-cache
# setup_remote_docker
- run:
name: Build Dangerzone image
command: |
if [ -f "/caches/container.tar.gz" ]; then
echo "Already cached, skipping"
else
sudo pip3 install poetry
python3 ./install/common/build-image.py
fi
- run:
name: Save Dangerzone image and image-id.txt to cache
command: |
if [ -f "/caches/container.tar.gz" ]; then
echo "Already cached, skipping"
else
mkdir -p /caches
podman save -o /caches/container.tar dangerzone.rocks/dangerzone
gzip -f /caches/container.tar
podman image ls dangerzone.rocks/dangerzone | grep "dangerzone.rocks/dangerzone" | tr -s ' ' | cut -d' ' -f3 > /caches/image-id.txt
fi
- run: *calculate-cache-key
- save_cache:
key: v1-{{ checksum "Dockerfile" }}-{{ checksum "/caches/cache-id.txt" }}
paths:
- /caches/container.tar.gz
- /caches/image-id.txt
convert-test-docs:
machine:
image: ubuntu-2004:202111-01
steps:
- checkout
- run: *install-podman
- run:
name: Install poetry dependencies
command: |
sudo pip3 install poetry
# This flag is important, due to an open upstream Poetry issue:
# https://github.com/python-poetry/poetry/issues/7184
poetry install --no-ansi
- run:
name: Install test dependencies
command: |
sudo apt-get install -y libqt5gui5 libxcb-cursor0 --no-install-recommends
- run:
name: Prepare cache directory
command: |
sudo mkdir -p /caches
sudo chown -R $USER:$USER /caches
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run:
name: run automated tests
command: |
poetry run make test
ci-ubuntu-noble:
machine:
image: ubuntu-2004:202111-01
steps:
- checkout
- run: *install-podman
- run:
name: Prepare cache directory
command: |
sudo mkdir -p /caches
sudo chown -R $USER:$USER /caches
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run:
name: Prepare Dangerzone environment
command: |
./dev_scripts/env.py --distro ubuntu --version 24.04 build-dev
- run:
name: Run CI tests
command: |
./dev_scripts/env.py --distro ubuntu --version 24.04 run --dev \
bash -c 'cd dangerzone; poetry run make test'
ci-ubuntu-mantic:
machine:
image: ubuntu-2004:202111-01
steps:
- checkout
- run: *install-podman
- run:
name: Prepare cache directory
command: |
sudo mkdir -p /caches
sudo chown -R $USER:$USER /caches
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run:
name: Prepare Dangerzone environment
command: |
./dev_scripts/env.py --distro ubuntu --version 23.10 build-dev
- run:
name: Run CI tests
command: |
./dev_scripts/env.py --distro ubuntu --version 23.10 run --dev \
bash -c 'cd dangerzone; poetry run make test'
ci-ubuntu-jammy:
machine:
image: ubuntu-2004:202111-01
steps:
- checkout
- run: *install-podman
- run:
name: Prepare cache directory
command: |
sudo mkdir -p /caches
sudo chown -R $USER:$USER /caches
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run:
name: Prepare Dangerzone environment
command: |
./dev_scripts/env.py --distro ubuntu --version 22.04 build-dev
- run:
name: Run CI tests
command: |
./dev_scripts/env.py --distro ubuntu --version 22.04 run --dev \
bash -c 'cd dangerzone; poetry run make test'
ci-ubuntu-focal:
machine:
image: ubuntu-2004:202111-01
steps:
- checkout
- run: *install-podman
- run:
name: Prepare cache directory
command: |
sudo mkdir -p /caches
sudo chown -R $USER:$USER /caches
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run:
name: Prepare Dangerzone environment
command: |
./dev_scripts/env.py --distro ubuntu --version 20.04 build-dev
- run:
name: Run CI tests
command: |
./dev_scripts/env.py --distro ubuntu --version 20.04 run --dev \
bash -c 'cd dangerzone; poetry run make test'
ci-fedora-40:
machine:
image: ubuntu-2204:current
steps:
- checkout
- run: *install-podman
- run:
name: Configure Podman for Ubuntu 22.04
command: |
# This config circumvents the following issues:
# * https://github.com/containers/podman/issues/6368
# * https://github.com/containers/podman/issues/10987
mkdir -p ~/.config/containers
cat > ~/.config/containers/containers.conf \<<EOF
[engine]
cgroup_manager="cgroupfs"
events_logger="file"
EOF
- run:
name: Prepare cache directory
command: |
sudo mkdir -p /caches
sudo chown -R $USER:$USER /caches
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run:
name: Prepare Dangerzone environment
command: |
./dev_scripts/env.py --distro fedora --version 40 build-dev
- run:
name: Run CI tests
command: |
./dev_scripts/env.py --distro fedora --version 40 run --dev \
bash -c 'cd dangerzone; poetry run make test'
ci-fedora-39:
machine:
image: ubuntu-2004:202111-01
steps:
- checkout
- run: *install-podman
- run:
name: Prepare cache directory
command: |
sudo mkdir -p /caches
sudo chown -R $USER:$USER /caches
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run:
name: Prepare Dangerzone environment
command: |
./dev_scripts/env.py --distro fedora --version 39 build-dev
- run:
name: Run CI tests
command: |
./dev_scripts/env.py --distro fedora --version 39 run --dev \
bash -c 'cd dangerzone; poetry run make test'
ci-debian-trixie:
machine:
image: ubuntu-2204:current
steps:
- checkout
- run: *install-podman
- run:
name: Configure Podman for Ubuntu 22.04
command: |
# This config circumvents the following issues:
# * https://github.com/containers/podman/issues/6368
# * https://github.com/containers/podman/issues/10987
mkdir -p ~/.config/containers
cat > ~/.config/containers/containers.conf \<<EOF
[engine]
cgroup_manager="cgroupfs"
events_logger="file"
EOF
- run:
name: Prepare cache directory
command: |
sudo mkdir -p /caches
sudo chown -R $USER:$USER /caches
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run:
name: Prepare Dangerzone environment
command: |
./dev_scripts/env.py --distro debian --version trixie build-dev
- run:
name: Run CI tests
command: |
./dev_scripts/env.py --distro debian --version trixie run --dev \
bash -c 'cd dangerzone; poetry run make test'
ci-debian-bookworm:
machine:
image: ubuntu-2004:202111-01
steps:
- checkout
- run: *install-podman
- run:
name: Prepare cache directory
command: |
sudo mkdir -p /caches
sudo chown -R $USER:$USER /caches
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run:
name: Prepare Dangerzone environment
command: |
./dev_scripts/env.py --distro debian --version bookworm build-dev
- run:
name: Run CI tests
command: |
./dev_scripts/env.py --distro debian --version bookworm run --dev \
bash -c 'cd dangerzone; poetry run make test'
# NOTE: Making CI tests work in Debian Bullseye requires some tip-toeing
# around certain Podman issues, as you'll see below. Read the following for
# more details:
#
# https://github.com/freedomofpress/dangerzone/issues/388
ci-debian-bullseye:
machine:
image: ubuntu-2204:2023.04.2
steps:
- checkout
- run: *install-podman
- run:
name: Configure Podman for Ubuntu 22.04
command: |
# This config circumvents the following issues:
# * https://github.com/containers/podman/issues/6368
# * https://github.com/containers/podman/issues/10987
mkdir -p ~/.config/containers
cat > ~/.config/containers/containers.conf \<<EOF
[engine]
cgroup_manager="cgroupfs"
events_logger="file"
EOF
- run:
name: Prepare cache directory
command: |
sudo mkdir -p /caches
sudo chown -R $USER:$USER /caches
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run:
name: Prepare Dangerzone environment
command: |
./dev_scripts/env.py --distro debian --version bullseye build-dev
- run:
name: Configure Podman for Debian Bullseye
command: |
# Copy the Podman config into the container image we created for the
# Dangerzone environment.
cp ~/.config/containers/containers.conf containers.conf
cat > Dockerfile.bullseye \<<EOF
FROM dangerzone.rocks/build/debian:bullseye-backports
RUN mkdir -p /home/user/.config/containers
COPY containers.conf /home/user/.config/containers/
EOF
# Create a new image from the Dangerzone environment and re-tag it.
podman build -t dangerzone.rocks/build/debian:bullseye-backports \
-f Dockerfile.bullseye .
- run:
name: Run CI tests
command: |
./dev_scripts/env.py --distro debian --version bullseye run --dev \
bash -c 'cd dangerzone; poetry run make test'
build-ubuntu-noble:
docker:
- image: ubuntu:24.04
resource_class: medium+
steps:
- checkout
- run: *install-dependencies-deb
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run: *build-deb
build-ubuntu-mantic:
docker:
- image: ubuntu:23.10
resource_class: medium+
steps:
- checkout
- run: *install-dependencies-deb
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run: *build-deb
build-ubuntu-jammy:
docker:
- image: ubuntu:22.04
resource_class: medium+
steps:
- checkout
- run: *install-dependencies-deb
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run: *build-deb
build-ubuntu-focal:
docker:
- image: ubuntu:20.04
resource_class: medium+
steps:
- checkout
- run: *install-dependencies-deb
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run: *build-deb
build-debian-trixie:
docker:
- image: debian:trixie
resource_class: medium+
steps:
- checkout
- run: *install-dependencies-deb
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run: *build-deb
build-debian-bookworm:
docker:
- image: debian:bookworm
resource_class: medium+
steps:
- checkout
- run: *install-dependencies-deb
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run: *build-deb
build-debian-bullseye:
docker:
- image: debian:bullseye
resource_class: medium+
steps:
- checkout
- run: *install-dependencies-deb
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run: *build-deb
build-fedora-40:
docker:
- image: fedora:40
resource_class: medium+
steps:
- run: *install-dependencies-rpm
- checkout
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run: *build-rpm
- run: *build-rpm-qubes
build-fedora-39:
docker:
- image: fedora:39
resource_class: medium+
steps:
- run: *install-dependencies-rpm
- checkout
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run: *build-rpm
- run: *build-rpm-qubes
workflows:
version: 2
build:
jobs:
- run-lint
- build-container-image
- convert-test-docs:
requires:
- build-container-image
- ci-ubuntu-noble:
requires:
- build-container-image
- ci-ubuntu-mantic:
requires:
- build-container-image
- ci-ubuntu-jammy:
requires:
- build-container-image
- ci-ubuntu-focal:
requires:
- build-container-image
- ci-debian-trixie:
requires:
- build-container-image
- ci-debian-bookworm:
requires:
- build-container-image
- ci-debian-bullseye:
requires:
- build-container-image
- ci-fedora-40:
requires:
- build-container-image
- ci-fedora-39:
requires:
- build-container-image
- build-ubuntu-noble:
requires:
- build-container-image
- build-ubuntu-mantic:
requires:
- build-container-image
- build-ubuntu-jammy:
requires:
- build-container-image
- build-ubuntu-focal:
requires:
- build-container-image
- build-debian-bullseye:
requires:
- build-container-image
- build-debian-trixie:
requires:
- build-container-image
- build-debian-bookworm:
requires:
- build-container-image
- build-fedora-40:
requires:
- build-container-image
- build-fedora-39:
requires:
- build-container-image

96
.github/workflows/build.yml vendored Normal file
View file

@ -0,0 +1,96 @@
name: Build dev environments
on:
push:
schedule:
- cron: "0 0 * * *" # Run every day at 00:00 UTC.
permissions:
packages: write
env:
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
REGISTRY_USER: ${{ github.actor }}
REGISTRY_PASSWORD: ${{ github.token }}
# Each day, build and publish to ghcr.io:
#
# - the dangerzone/dangerzone container image
# - the dangerzone/build/{debian,ubuntu,fedora}:version
# dev environments used to run the tests
#
# End-user environments are not published to the GHCR because
# they need .rpm or .deb files to be built, which is what we
# want to test.
jobs:
build-dev-environment:
name: "Build dev-env (${{ matrix.distro }}-${{ matrix.version }})"
runs-on: ubuntu-latest
strategy:
matrix:
include:
- distro: ubuntu
version: "20.04"
- distro: ubuntu
version: "22.04"
- distro: ubuntu
version: "23.10"
- distro: ubuntu
version: "24.04"
- distro: debian
version: bullseye
- distro: debian
version: bookworm
- distro: debian
version: trixie
- distro: fedora
version: "39"
- distro: fedora
version: "40"
steps:
- name: Checkout
uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.10"
- name: Login to GHCR
run: |
echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin
- name: Build dev environment
run: |
./dev_scripts/env.py --distro ${{ matrix.distro }} \
--version ${{ matrix.version }} \
build-dev --sync
build-container-image:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Get current date
id: date
run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
- name: Cache container image
id: cache-container-image
uses: actions/cache@v4
with:
key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
path: |
share/container.tar.gz
share/image-id.txt
- name: Build and push Dangerzone image
if: ${{ steps.cache-container-image.outputs.cache-hit != 'true' }}
run: |
sudo apt-get install -y python3-poetry
python3 ./install/common/build-image.py
echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin
gunzip -c share/container.tar.gz | podman load
podman push \
dangerzone.rocks/dangerzone \
${{ env.IMAGE_REGISTRY }}/dangerzone/dangerzone

283
.github/workflows/ci.yml vendored
View file

@ -4,10 +4,70 @@ on:
pull_request: pull_request:
branches: [main] branches: [main]
schedule: schedule:
- cron: "0 0 * * *" # Run every day at 00:00 UTC. - cron: "2 0 * * *" # Run every day at 02:00 UTC.
workflow_dispatch: workflow_dispatch:
permissions:
packages: write
env:
REGISTRY_USER: ${{ github.actor }}
REGISTRY_PASSWORD: ${{ github.token }}
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
# This is required for running GUI tests on Github Actions
DISPLAY: ":99.0"
QT_SELECT: "qt6"
# Disable multiple concurrent runs on the same branch
# When a new CI build is triggered, it will cancel the
# other in-progress ones (for the same branch)
concurrency:
group: ${{ github.head_ref || github.run_id }}
cancel-in-progress: true
jobs: jobs:
run-lint:
runs-on: ubuntu-latest
container:
image: debian:bookworm
steps:
- uses: actions/checkout@v4
- name: Install dev. dependencies
run: |-
apt-get update
apt-get install -y git make python3 python3-poetry --no-install-recommends
poetry install --only lint,test
- name: Run linters to enforce code style
run: poetry run make lint
- name: Check that the QA script is up to date with the docs
run: "./dev_scripts/qa.py --check-refs"
# This is already built daily by the "build.yml" file
# But we also want to include this in the checks that run on each push.
build-container-image:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Get current date
id: date
run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
- name: Cache container image
id: cache-container-image
uses: actions/cache@v4
with:
key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
path: |-
share/container.tar.gz
share/image-id.txt
- name: Build Dangerzone container image
if: ${{ steps.cache-container-image.outputs.cache-hit != 'true' }}
run: |
sudo apt-get install -y python3-poetry
python3 ./install/common/build-image.py
windows: windows:
runs-on: windows-latest runs-on: windows-latest
env: env:
@ -44,11 +104,26 @@ jobs:
run: poetry run make test run: poetry run make test
build-deb: build-deb:
name: "build-deb (${{ matrix.distro }} ${{ matrix.version }})"
runs-on: ubuntu-latest runs-on: ubuntu-latest
env: needs: build-container-image
target: debian-bookworm strategy:
distro: debian matrix:
version: bookworm include:
- distro: ubuntu
version: "20.04"
- distro: ubuntu
version: "22.04"
- distro: ubuntu
version: "23.10"
- distro: ubuntu
version: "24.04"
- distro: debian
version: bullseye
- distro: debian
version: bookworm
- distro: debian
version: trixie
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@v4
@ -57,56 +132,65 @@ jobs:
with: with:
python-version: "3.10" python-version: "3.10"
- name: Build dev environment - name: Login to GHCR
run: | run: |
./dev_scripts/env.py --distro ${{ env.distro }} \ echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin
--version ${{ env.version }} \
build-dev
- name: Install container build dependencies - name: Get the dev environment
run: sudo apt install pipx && pipx install poetry run: |
./dev_scripts/env.py \
--distro ${{ matrix.distro }} \
--version ${{ matrix.version }} \
build-dev --sync
- name: Build Dangerzone image - name: Get current date
run: python3 ./install/common/build-image.py id: date
run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
- name: Restore container cache
uses: actions/cache/restore@v4
with:
key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
path: |-
share/container.tar.gz
share/image-id.txt
fail-on-cache-miss: true
- name: Build Dangerzone .deb - name: Build Dangerzone .deb
run: | run: |
./dev_scripts/env.py --distro ${{ env.distro }} \ ./dev_scripts/env.py --distro ${{ matrix.distro }} \
--version ${{ env.version }} \ --version ${{ matrix.version }} \
run --dev --no-gui ./dangerzone/install/linux/build-deb.py run --dev --no-gui ./dangerzone/install/linux/build-deb.py
- name: Upload Dangerzone .deb - name: Upload Dangerzone .deb
if: matrix.distro == 'debian' && matrix.version == 'bookworm'
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v4
with: with:
name: dangerzone.deb name: dangerzone.deb
path: "deb_dist/dangerzone_*_*.deb" path: "deb_dist/dangerzone_*_*.deb"
if-no-files-found: error
compression-level: 0
install-deb: install-deb:
name: "install-deb (${{ matrix.distro }} ${{ matrix.version }})"
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: build-deb needs: build-deb
strategy: strategy:
matrix: matrix:
include: include:
- target: ubuntu-20.04 - distro: ubuntu
distro: ubuntu
version: "20.04" version: "20.04"
- target: ubuntu-22.04 - distro: ubuntu
distro: ubuntu
version: "22.04" version: "22.04"
- target: ubuntu-23.10 - distro: ubuntu
distro: ubuntu
version: "23.10" version: "23.10"
- target: ubuntu-24.04 - distro: ubuntu
distro: ubuntu
version: "24.04" version: "24.04"
- target: debian-bullseye - distro: debian
distro: debian
version: bullseye version: bullseye
- target: debian-bookworm - distro: debian
distro: debian
version: bookworm version: bookworm
- target: debian-trixie - distro: debian
distro: debian
version: trixie version: trixie
steps: steps:
@ -123,36 +207,12 @@ jobs:
name: dangerzone.deb name: dangerzone.deb
path: "deb_dist/" path: "deb_dist/"
- name: Create end-user environment on (${{ matrix.target }}) - name: Build end-user environment
run: | run: |
./dev_scripts/env.py --distro ${{ matrix.distro }} \ ./dev_scripts/env.py --distro ${{ matrix.distro }} \
--version ${{ matrix.version }} \ --version ${{ matrix.version }} \
build build
- name: Configure Podman for Debian Bullseye specifically
if: matrix.target == 'debian-bullseye'
run: |
# Create a Podman config specifically for Bullseye (see #388).
mkdir bullseye_fix
cd bullseye_fix
cat > containers.conf <<EOF
[engine]
cgroup_manager="cgroupfs"
events_logger="file"
EOF
# Copy the Podman config into the container image we created for the
# Dangerzone environment.
cat > Dockerfile.bullseye <<EOF
FROM dangerzone.rocks/debian:bullseye-backports
RUN mkdir -p /home/user/.config/containers
COPY containers.conf /home/user/.config/containers/
EOF
# Create a new image from the Dangerzone environment and re-tag it.
podman build -t dangerzone.rocks/debian:bullseye-backports \
-f Dockerfile.bullseye .
- name: Run a test command - name: Run a test command
run: | run: |
./dev_scripts/env.py --distro ${{ matrix.distro }} \ ./dev_scripts/env.py --distro ${{ matrix.distro }} \
@ -166,31 +226,44 @@ jobs:
run dangerzone --help run dangerzone --help
build-install-rpm: build-install-rpm:
name: "Build and install a Dangerzone RPM on Fedora ${{matrix.version}}" name: "build-install-rpm (${{ matrix.distro }} ${{matrix.version}})"
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: build-container-image
strategy: strategy:
matrix: matrix:
include: distro: ["fedora"]
- version: "39" version: ["39", "40"]
- version: "40"
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Build dev environment - name: Login to GHCR
run: | run: |
./dev_scripts/env.py --distro fedora --version ${{ matrix.version }} \ echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin
build-dev
- name: Build Dangerzone image - name: Get the dev environment
run: | run: |
./dev_scripts/env.py --distro fedora --version ${{ matrix.version }} \ ./dev_scripts/env.py \
run --dev --no-gui \ --distro ${{ matrix.distro }} \
bash -c 'cd /home/user/dangerzone && python3 ./install/common/build-image.py' --version ${{ matrix.version }} \
build-dev --sync
- name: Get current date
id: date
run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
- name: Restore container image
uses: actions/cache/restore@v4
with:
key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
path: |-
share/container.tar.gz
share/image-id.txt
fail-on-cache-miss: true
- name: Build Dangerzone .rpm - name: Build Dangerzone .rpm
run: | run: |
./dev_scripts/env.py --distro fedora --version ${{ matrix.version }} \ ./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} \
run --dev --no-gui ./dangerzone/install/linux/build-rpm.py run --dev --no-gui ./dangerzone/install/linux/build-rpm.py
# Reclaim some space in this step, now that the dev environment is no # Reclaim some space in this step, now that the dev environment is no
@ -201,15 +274,87 @@ jobs:
- name: Build end-user environment - name: Build end-user environment
run: | run: |
./dev_scripts/env.py --distro fedora --version ${{ matrix.version }} \ ./dev_scripts/env.py --distro ${{ matrix.distro }} \
--version ${{ matrix.version }} \
build --download-pyside6 build --download-pyside6
- name: Run a test command - name: Run a test command
run: | run: |
./dev_scripts/env.py --distro fedora --version ${{ matrix.version }} \ ./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} \
run dangerzone-cli dangerzone/tests/test_docs/sample-pdf.pdf run dangerzone-cli dangerzone/tests/test_docs/sample-pdf.pdf
- name: Check that the Dangerzone GUI imports work - name: Check that the Dangerzone GUI imports work
run: | run: |
./dev_scripts/env.py --distro fedora --version ${{ matrix.version }} \ ./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} \
run dangerzone --help run dangerzone --help
run-tests:
name: "run tests (${{ matrix.distro }} ${{ matrix.version }})"
runs-on: ubuntu-latest
needs: build-container-image
strategy:
matrix:
include:
- distro: ubuntu
version: "20.04"
- distro: ubuntu
version: "22.04"
- distro: ubuntu
version: "23.10"
- distro: ubuntu
version: "24.04"
- distro: debian
version: bullseye
- distro: debian
version: bookworm
- distro: debian
version: trixie
- distro: fedora
version: "39"
- distro: fedora
version: "40"
steps:
- name: Checkout
uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.10"
- name: Login to GHCR
run: |
echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin
- name: Get current date
id: date
run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
- name: Get the dev environment
run: |
./dev_scripts/env.py \
--distro ${{ matrix.distro }} \
--version ${{ matrix.version }} \
build-dev --sync
- name: Restore container image
uses: actions/cache/restore@v4
with:
key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
path: |-
share/container.tar.gz
share/image-id.txt
fail-on-cache-miss: true
- name: Setup xvfb (Linux)
run: |
# Stuff copied wildly from several stackoverflow posts
sudo apt-get install -y xvfb libxkbcommon-x11-0 libxcb-icccm4 libxcb-image0 libxcb-keysyms1 libxcb-randr0 libxcb-render-util0 libxcb-xinerama0 libxcb-xinput0 libxcb-xfixes0 libxcb-shape0 libglib2.0-0 libgl1-mesa-dev '^libxcb.*-dev' libx11-xcb-dev libglu1-mesa-dev libxrender-dev libxi-dev libxkbcommon-dev libxkbcommon-x11-dev
# start xvfb in the background
sudo /usr/bin/Xvfb $DISPLAY -screen 0 1280x1024x24 &
- name: Run CI tests
run: |-
./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} run --dev \
bash -c 'cd dangerzone; poetry run make test'

3
dev_scripts/containers.conf Normal file
View file

@ -0,0 +1,3 @@
[engine]
cgroup_manager="cgroupfs"
events_logger="file"

129
dev_scripts/env.py
View file

@ -1,6 +1,7 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
import argparse import argparse
import hashlib
import os import os
import pathlib import pathlib
import platform import platform
@ -8,6 +9,7 @@ import shutil
import subprocess import subprocess
import sys import sys
import urllib.request import urllib.request
from datetime import date
DEFAULT_GUI = True DEFAULT_GUI = True
DEFAULT_USER = "user" DEFAULT_USER = "user"
@ -56,8 +58,13 @@ will download it from:
# FIXME: Maybe create an enum for these values. # FIXME: Maybe create an enum for these values.
DISTROS = ["debian", "fedora", "ubuntu"] DISTROS = ["debian", "fedora", "ubuntu"]
CONTAINER_RUNTIMES = ["podman", "docker"] CONTAINER_RUNTIMES = ["podman", "docker"]
IMAGE_NAME_BUILD_DEV_FMT = "dangerzone.rocks/build/{distro}:{version}" IMAGES_REGISTRY = "ghcr.io/freedomofpress/"
IMAGE_NAME_BUILD_FMT = "dangerzone.rocks/{distro}:{version}" IMAGE_NAME_BUILD_DEV_FMT = (
IMAGES_REGISTRY + "v2/dangerzone/build-dev/{distro}-{version}:{date}-{hash}"
)
IMAGE_NAME_BUILD_ENDUSER_FMT = (
IMAGES_REGISTRY + "v2/dangerzone/end-user/{distro}-{version}:{date}-{hash}"
)
EPILOG = """\ EPILOG = """\
Examples: Examples:
@ -306,14 +313,45 @@ def distro_build(distro, version):
return distro_root(distro, version) / "build" return distro_root(distro, version) / "build"
def image_name_build(distro, version): def get_current_date():
return date.today().strftime("%Y-%m-%d")
def get_build_dir_sources(distro, version):
"""Return the files needed to build an image."""
sources = [
git_root() / "pyproject.toml",
git_root() / "poetry.lock",
git_root() / "dev_scripts" / "storage.conf",
git_root() / "dev_scripts" / "containers.conf",
]
if distro == "ubuntu" and version in ("22.04", "jammy"):
sources.extend(
[
git_root() / "dev_scripts" / "apt-tools-prod.pref",
git_root() / "dev_scripts" / "apt-tools-prod.sources",
]
)
return sources
def image_name_build_dev(distro, version):
"""Get the container image for the dev variant of a Dangerzone environment.""" """Get the container image for the dev variant of a Dangerzone environment."""
return IMAGE_NAME_BUILD_DEV_FMT.format(distro=distro, version=version) hash = hash_files(get_build_dir_sources(distro, version))
return IMAGE_NAME_BUILD_DEV_FMT.format(
distro=distro, version=version, hash=hash, date=get_current_date()
)
def image_name_install(distro, version): def image_name_build_enduser(distro, version):
"""Get the container image for the Dangerzone environment.""" """Get the container image for the Dangerzone end-user environment."""
return IMAGE_NAME_BUILD_FMT.format(distro=distro, version=version)
hash = hash_files(get_files_in("install/linux", "debian"))
return IMAGE_NAME_BUILD_ENDUSER_FMT.format(
distro=distro, version=version, hash=hash, date=get_current_date()
)
def dz_version(): def dz_version():
@ -322,6 +360,25 @@ def dz_version():
return f.read().strip() return f.read().strip()
def hash_files(file_paths: list[pathlib.Path]) -> str:
"""Returns the hash value of a list of files using the sha256 hashing algorithm."""
hash_obj = hashlib.new("sha256")
for path in file_paths:
with open(path, "rb") as file:
file_data = file.read()
hash_obj.update(file_data)
return hash_obj.hexdigest()
def get_files_in(*folders: list[str]) -> list[pathlib.Path]:
"""Return the list of all files present in the given folders"""
files = []
for folder in folders:
files.extend([p for p in (git_root() / folder).glob("**") if p.is_file()])
return files
class PySide6Manager: class PySide6Manager:
"""Provision PySide6 RPMs in our Dangerzone environments. """Provision PySide6 RPMs in our Dangerzone environments.
@ -553,13 +610,13 @@ class Env:
run_cmd += [ run_cmd += [
"--hostname", "--hostname",
"dangerzone-dev", "dangerzone-dev",
image_name_build(self.distro, self.version), image_name_build_dev(self.distro, self.version),
] ]
else: else:
run_cmd += [ run_cmd += [
"--hostname", "--hostname",
"dangerzone", "dangerzone",
image_name_install(self.distro, self.version), image_name_build_enduser(self.distro, self.version),
] ]
run_cmd += cmd run_cmd += cmd
@ -575,8 +632,33 @@ class Env:
(dist_state / ".bash_history").touch(exist_ok=True) (dist_state / ".bash_history").touch(exist_ok=True)
self.runtime_run(*run_cmd) self.runtime_run(*run_cmd)
def build_dev(self, show_dockerfile=DEFAULT_SHOW_DOCKERFILE): def pull_image_from_registry(self, image):
try:
subprocess.run(self.runtime_cmd + ["pull", image], check=True)
return True
except subprocess.CalledProcessError:
# Do not log an error here, we are just checking if the image exists
# on the registry.
return False
def push_image_to_registry(self, image):
try:
subprocess.run(self.runtime_cmd + ["push", image], check=True)
return True
except subprocess.CalledProcessError as e:
print("An error occured when pulling the image: ", e)
return False
def build_dev(self, show_dockerfile=DEFAULT_SHOW_DOCKERFILE, sync=False):
"""Build a Linux environment and install tools for Dangerzone development.""" """Build a Linux environment and install tools for Dangerzone development."""
image = image_name_build_dev(self.distro, self.version)
if sync and self.pull_image_from_registry(image):
print("Image has been pulled from the registry, no need to build it.")
return
elif sync:
print("Image label not in registry, building it")
if self.distro == "fedora": if self.distro == "fedora":
install_deps = DOCKERFILE_BUILD_DEV_FEDORA_DEPS install_deps = DOCKERFILE_BUILD_DEV_FEDORA_DEPS
else: else:
@ -626,20 +708,18 @@ class Env:
os.makedirs(build_dir, exist_ok=True) os.makedirs(build_dir, exist_ok=True)
# Populate the build context. # Populate the build context.
shutil.copy(git_root() / "pyproject.toml", build_dir) for source in get_build_dir_sources(self.distro, self.version):
shutil.copy(git_root() / "poetry.lock", build_dir) shutil.copy(source, build_dir)
shutil.copy(git_root() / "dev_scripts" / "storage.conf", build_dir)
if self.distro == "ubuntu" and self.version in ("22.04", "jammy"):
shutil.copy(git_root() / "dev_scripts" / "apt-tools-prod.pref", build_dir)
shutil.copy(
git_root() / "dev_scripts" / "apt-tools-prod.sources", build_dir
)
with open(build_dir / "Dockerfile", mode="w") as f: with open(build_dir / "Dockerfile", mode="w") as f:
f.write(dockerfile) f.write(dockerfile)
image = image_name_build(self.distro, self.version)
self.runtime_run("build", "-t", image, build_dir) self.runtime_run("build", "-t", image, build_dir)
if sync:
if not self.push_image_to_registry(image):
print("An error occured while trying to push to the container registry")
def build( def build(
self, self,
show_dockerfile=DEFAULT_SHOW_DOCKERFILE, show_dockerfile=DEFAULT_SHOW_DOCKERFILE,
@ -715,6 +795,7 @@ class Env:
# Populate the build context. # Populate the build context.
shutil.copy(package_src, package_dst) shutil.copy(package_src, package_dst)
shutil.copy(git_root() / "dev_scripts" / "storage.conf", build_dir) shutil.copy(git_root() / "dev_scripts" / "storage.conf", build_dir)
shutil.copy(git_root() / "dev_scripts" / "containers.conf", build_dir)
if self.distro == "ubuntu" and self.version in ("22.04", "jammy"): if self.distro == "ubuntu" and self.version in ("22.04", "jammy"):
shutil.copy(git_root() / "dev_scripts" / "apt-tools-prod.pref", build_dir) shutil.copy(git_root() / "dev_scripts" / "apt-tools-prod.pref", build_dir)
shutil.copy( shutil.copy(
@ -723,7 +804,7 @@ class Env:
with open(build_dir / "Dockerfile", mode="w") as f: with open(build_dir / "Dockerfile", mode="w") as f:
f.write(dockerfile) f.write(dockerfile)
image = image_name_install(self.distro, self.version) image = image_name_build_enduser(self.distro, self.version)
self.runtime_run("build", "-t", image, build_dir) self.runtime_run("build", "-t", image, build_dir)
@ -742,7 +823,7 @@ def env_run(args):
def env_build_dev(args): def env_build_dev(args):
"""Invoke the 'build-dev' command based on the CLI args.""" """Invoke the 'build-dev' command based on the CLI args."""
env = Env.from_args(args) env = Env.from_args(args)
return env.build_dev(show_dockerfile=args.show_dockerfile) return env.build_dev(show_dockerfile=args.show_dockerfile, sync=args.sync)
def env_build(args): def env_build(args):
@ -828,6 +909,12 @@ def parse_args():
action="store_true", action="store_true",
help="Do not build, only show the Dockerfile", help="Do not build, only show the Dockerfile",
) )
parser_build_dev.add_argument(
"--sync",
default=False,
action="store_true",
help="Attempt to pull the image, build it if not found and push it to the container registry",
)
# Build a development variant of a Dangerzone environment. # Build a development variant of a Dangerzone environment.
parser_build = subparsers.add_parser( parser_build = subparsers.add_parser(