From 8f83a031ef35791864830560cab1e51eb3f94c03 Mon Sep 17 00:00:00 2001
From: Alex Pyrgiotis
Date: Tue, 25 Feb 2025 16:19:44 +0200
Subject: [PATCH] REVERT ME: Remove some workflows we don't need for this round of tests
---
.github/workflows/build.yml | 103 ------
.github/workflows/check_pr.yml | 35 --
.github/workflows/check_repos.yml | 116 -------
.github/workflows/ci.yml | 500 ----------------------------
.github/workflows/close-issues.yml | 22 --
.github/workflows/scan.yml | 88 -----
.github/workflows/scan_released.yml | 91 -----
7 files changed, 955 deletions(-)
delete mode 100644 .github/workflows/build.yml
delete mode 100644 .github/workflows/check_pr.yml
delete mode 100644 .github/workflows/check_repos.yml
delete mode 100644 .github/workflows/ci.yml
delete mode 100644 .github/workflows/close-issues.yml
delete mode 100644 .github/workflows/scan.yml
delete mode 100644 .github/workflows/scan_released.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
deleted file mode 100644
index 108cb37..0000000
--- a/.github/workflows/build.yml
+++ /dev/null
@@ -1,103 +0,0 @@ -name: Build dev environments -on: - pull_request: - push: - branches: - - main - - "test/**" - schedule: - - cron: "0 0 * * *" # Run every day at 00:00 UTC. - -permissions: - packages: write - -env: - IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} - REGISTRY_USER: ${{ github.actor }} - REGISTRY_PASSWORD: ${{ github.token }} - -# Each day, build and publish to ghcr.io: -# -# - the dangerzone/dangerzone container image -# - the dangerzone/build/{debian,ubuntu,fedora}:version -# dev environments used to run the tests -# -# End-user environments are not published to the GHCR because -# they need .rpm or .deb files to be built, which is what we -# want to test. - -jobs: - build-dev-environment: - name: "Build dev-env (${{ matrix.distro }}-${{ matrix.version }})" - runs-on: ubuntu-latest - strategy: - matrix: - include: - - distro: ubuntu - version: "20.04" - - distro: ubuntu - version: "22.04" - - distro: ubuntu - version: "24.04" - - distro: ubuntu - version: "24.10" - - distro: debian - version: bullseye - - distro: debian - version: bookworm - - distro: debian - version: trixie - - distro: fedora - version: "40" - - distro: fedora - version: "41" - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - uses: actions/setup-python@v5 - with: - python-version: "3.10" - - - name: Login to GHCR - run: | - echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin - - - name: Build dev environment - run: | - ./dev_scripts/env.py --distro ${{ matrix.distro }} \ - --version ${{ matrix.version }} \ - build-dev --sync - - build-container-image: - runs-on: ubuntu-24.04 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Get current date - id: date - run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT - - - name: Cache container image - id: cache-container-image - uses: actions/cache@v4 - with: - key: v4-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 
'dangerzone/container_helpers/*', 'install/common/build-image.py') }} - path: | - share/container.tar.gz - share/image-id.txt - - name: Build and push Dangerzone image - if: ${{ steps.cache-container-image.outputs.cache-hit != 'true' }} - run: | - sudo apt-get install -y python3-poetry - python3 ./install/common/build-image.py - echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin - gunzip -c share/container.tar.gz | podman load - tag=$(cat share/image-id.txt) - podman push \ - dangerzone.rocks/dangerzone:$tag \ - ${{ env.IMAGE_REGISTRY }}/dangerzone/dangerzone:tag
diff --git a/.github/workflows/check_pr.yml b/.github/workflows/check_pr.yml
deleted file mode 100644
index 0ced5ea..0000000
--- a/.github/workflows/check_pr.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-name: Check branch conformity -on: - pull_request: - -jobs: - prevent-fixup-commits: - runs-on: ubuntu-latest - env: - target: debian-bookworm - distro: debian - version: bookworm - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: prevent fixup commits - run: | - git fetch origin - git status - git log --pretty=format:%s origin/main..HEAD | grep -ie '^fixup\|^wip' && exit 1 || true - - check-changelog: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: ensure CHANGELOG.md is populated - env: - BASE_REF: ${{ github.event.pull_request.base.ref }} - shell: bash - run: | - if git diff --exit-code "origin/${BASE_REF}" -- CHANGELOG.md; then - echo "::warning::No CHANGELOG.md modifications were found in this pull request." - fi
\ No newline at end of file
diff --git a/.github/workflows/check_repos.yml b/.github/workflows/check_repos.yml
deleted file mode 100644
index a6ef5e9..0000000
--- a/.github/workflows/check_repos.yml
+++ /dev/null
@@ -1,116 +0,0 @@ -# Test official instructions for installing Dangerzone -# ==================================================== -# -# The installation instructions have been copied from our INSTALL.md file. -# NOTE: When you change either place, please make sure to keep the two files in -# sync. -# NOTE: Because the commands run as root, the use of sudo is not necessary. -name: Test official instructions for installing Dangerzone -on: - schedule: - - cron: '0 0 * * *' # Run every day at 00:00 UTC. - workflow_dispatch: - -jobs: - install-from-apt-repo: - name: "Install Dangerzone on ${{ matrix.distro}} ${{ matrix.version }}" - runs-on: ubuntu-latest - container: ${{ matrix.distro }}:${{ matrix.version }} - strategy: - matrix: - include: - - distro: ubuntu - version: "24.10" # oracular - - distro: ubuntu - version: "24.04" # noble - - distro: ubuntu - version: "22.04" # jammy - - distro: ubuntu - version: "20.04" # focal - - distro: debian - version: "trixie" # 13 - - distro: debian - version: "12" # bookworm - - distro: debian - version: "11" # bullseye - steps: - - name: Add Podman repo for Ubuntu Focal - if: matrix.distro == 'ubuntu' && matrix.version == 20.04 - run: | - apt-get update && apt-get -y install curl wget gnupg2 - . /etc/os-release - sh -c "echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/ /' \ - > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list" - wget -nv https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/xUbuntu_${VERSION_ID}/Release.key -O- \ - | apt-key add - - apt update - apt-get install python-all -y - - - name: Add packages.freedom.press PGP key (gpg) - if: matrix.version != 'trixie' - run: | - apt-get update && apt-get install -y gnupg2 ca-certificates - dirmngr # NOTE: This is a command that's necessary only in containers - # The key needs to be in the GPG keybox database format so the - # signing subkey is detected by apt-secure. 
- gpg --keyserver hkps://keys.openpgp.org \ - --no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \ - --recv-keys "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" - mkdir -p /etc/apt/keyrings/ - mv ./fpf-apt-tools-archive-keyring.gpg /etc/apt/keyrings/. - - - name: Add packages.freedom.press PGP key (sq) - if: matrix.version == 'trixie' - run: | - apt-get update && apt-get install -y ca-certificates sq - mkdir -p /etc/apt/keyrings/ - # On debian trixie, apt-secure uses `sqv` to verify the signatures - # so we need to retrieve PGP keys and store them using the base64 format. - sq network keyserver \ - --server hkps://keys.openpgp.org \ - search "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \ - --output /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg - - name: Add packages.freedom.press to our APT sources - run: | - . /etc/os-release - echo "deb [signed-by=/etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg] \ - https://packages.freedom.press/apt-tools-prod ${VERSION_CODENAME?} main" \ - | tee /etc/apt/sources.list.d/fpf-apt-tools.list - - - name: Install Dangerzone - run: | - apt update - apt install -y dangerzone - - install-from-yum-repo: - name: "Install Dangerzone on ${{ matrix.distro}} ${{ matrix.version }}" - runs-on: ubuntu-latest - container: ${{ matrix.distro }}:${{ matrix.version }} - strategy: - matrix: - include: - - distro: fedora - version: 40 - - distro: fedora - version: 41 - steps: - - name: Add packages.freedom.press to our YUM sources - run: | - dnf install -y 'dnf-command(config-manager)' - dnf-3 config-manager --add-repo=https://packages.freedom.press/yum-tools-prod/dangerzone/dangerzone.repo - - - name: Replace 'rawhide' string with Fedora version - # The previous command has created a `dangerzone.repo` file. The - # config-manager plugin should have substituted the $releasever variable - # with the Fedora version number. 
However, for unreleased Fedora - # versions, this gets translated to "rawhide", even though they do have - # a number. To fix this, we need to substitute the "rawhide" string - # witht the proper Fedora version. - run: | - source /etc/os-release - sed -i "s/rawhide/${VERSION_ID}/g" /etc/yum.repos.d/dangerzone.repo - - - name: Install Dangerzone - # FIXME: We add the `-y` flag here, in lieu of a better way to check the - # Dangerzone signature. - run: dnf install -y dangerzone
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
deleted file mode 100644
index 0c32c9c..0000000
--- a/.github/workflows/ci.yml
+++ /dev/null
@@ -1,500 +0,0 @@ -name: Tests -on: - pull_request: - push: - branches: - - main - - "test/**" - schedule: - - cron: "2 0 * * *" # Run every day at 02:00 UTC. - workflow_dispatch: - -permissions: - packages: write - -env: - REGISTRY_USER: ${{ github.actor }} - REGISTRY_PASSWORD: ${{ github.token }} - IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} - QT_SELECT: "qt6" - -# Disable multiple concurrent runs on the same branch -# When a new CI build is triggered, it will cancel the -# other in-progress ones (for the same branch) -concurrency: - group: ${{ github.head_ref || github.run_id }} - cancel-in-progress: true - -jobs: - run-lint: - runs-on: ubuntu-latest - container: - image: debian:bookworm - steps: - - uses: actions/checkout@v4 - - name: Install dev. dependencies - run: |- - apt-get update - apt-get install -y git make python3 python3-poetry --no-install-recommends - poetry install --only lint,test - - name: Run linters to enforce code style - run: poetry run make lint - - name: Check that the QA script is up to date with the docs - run: "./dev_scripts/qa.py --check-refs" - - # This is already built daily by the "build.yml" file - # But we also want to include this in the checks that run on each push. 
- build-container-image: - runs-on: ubuntu-24.04 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Get current date - id: date - run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT - - - name: Cache container image - id: cache-container-image - uses: actions/cache@v4 - with: - key: v4-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }} - path: |- - share/container.tar.gz - share/image-id.txt - - - name: Build Dangerzone container image - if: ${{ steps.cache-container-image.outputs.cache-hit != 'true' }} - run: | - python3 ./install/common/build-image.py - - - name: Upload container image - uses: actions/upload-artifact@v4 - with: - name: container.tar.gz - path: share/container.tar.gz - - download-tessdata: - name: Download and cache Tesseract data - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - name: Cache Tessdata - id: cache-tessdata - uses: actions/cache@v4 - with: - path: share/tessdata/ - key: v1-tessdata-${{ hashFiles('./install/common/download-tessdata.py') }} - enableCrossOsArchive: true - - uses: actions/setup-python@v5 - with: - python-version: '3.11' - - name: Download Tessdata - run: |- - if [ -f "share/tessdata" ]; then - echo "Already cached, skipping" - else - python3 ./install/common/download-tessdata.py - fi - - windows: - runs-on: windows-latest - needs: - - download-tessdata - env: - DUMMY_CONVERSION: 1 - steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 - with: - python-version: "3.12" - - run: pip install poetry - - run: poetry install - - name: Restore cached tessdata - uses: actions/cache/restore@v4 - with: - path: share/tessdata/ - enableCrossOsArchive: true - fail-on-cache-miss: true - key: v1-tessdata-${{ hashFiles('./install/common/download-tessdata.py') }} - - name: Run CLI tests - run: poetry run make test - - name: Set up .NET CLI environment - uses: 
actions/setup-dotnet@v4 - with: - dotnet-version: "8.x" - - name: Install WiX Toolset - run: dotnet tool install --global wix - - name: Add WiX UI extension - run: wix extension add --global WixToolset.UI.wixext - - name: Build the MSI installer - # NOTE: This also builds the .exe internally. - run: poetry run .\install\windows\build-app.bat - - name: Upload MSI installer - uses: actions/upload-artifact@v4 - with: - name: Dangerzone.msi - path: "dist/Dangerzone.msi" - if-no-files-found: error - compression-level: 0 - - macOS: - name: "macOS (${{ matrix.arch }})" - runs-on: ${{ matrix.runner }} - needs: - - download-tessdata - strategy: - matrix: - include: - - runner: macos-latest # CPU type: Apple Silicon (M1) - arch: arch64 - - runner: macos-13 # CPU type: Intel x86_64 - arch: x86_64 - env: - DUMMY_CONVERSION: 1 - steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 - with: - python-version: "3.12" - - name: Restore cached tessdata - uses: actions/cache/restore@v4 - with: - path: share/tessdata/ - enableCrossOsArchive: true - fail-on-cache-miss: true - key: v1-tessdata-${{ hashFiles('./install/common/download-tessdata.py') }} - - run: pip install poetry - - run: poetry install - - name: Run CLI tests - run: poetry run make test - - name: Build macOS app - run: poetry run python ./install/macos/build-app.py - - name: Upload macOS app - uses: actions/upload-artifact@v4 - with: - name: Dangerzone-${{ matrix.arch }}.app - path: "dist/Dangerzone.app" - if-no-files-found: error - compression-level: 0 - build-deb: - needs: - - build-container-image - name: "build-deb (${{ matrix.distro }} ${{ matrix.version }})" - runs-on: ubuntu-latest - strategy: - matrix: - include: - - distro: ubuntu - version: "20.04" - - distro: ubuntu - version: "22.04" - - distro: ubuntu - version: "24.04" - - distro: ubuntu - version: "24.10" - - distro: debian - version: bullseye - - distro: debian - version: bookworm - - distro: debian - version: trixie - steps: - - name: 
Checkout - uses: actions/checkout@v4 - - - uses: actions/setup-python@v5 - with: - python-version: "3.10" - - - name: Login to GHCR - run: | - echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin - - - name: Get the dev environment - run: | - ./dev_scripts/env.py \ - --distro ${{ matrix.distro }} \ - --version ${{ matrix.version }} \ - build-dev --sync - - - name: Get current date - id: date - run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT - - - name: Restore container cache - uses: actions/cache/restore@v4 - with: - key: v4-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }} - path: |- - share/container.tar.gz - share/image-id.txt - fail-on-cache-miss: true - - - name: Build Dangerzone .deb - run: | - ./dev_scripts/env.py --distro ${{ matrix.distro }} \ - --version ${{ matrix.version }} \ - run --dev --no-gui ./dangerzone/install/linux/build-deb.py - - - name: Upload Dangerzone .deb - if: matrix.distro == 'debian' && matrix.version == 'bookworm' - uses: actions/upload-artifact@v4 - with: - name: dangerzone.deb - path: "deb_dist/dangerzone_*_*.deb" - if-no-files-found: error - compression-level: 0 - - install-deb: - name: "install-deb (${{ matrix.distro }} ${{ matrix.version }})" - runs-on: ubuntu-latest - needs: - - build-deb - strategy: - matrix: - include: - - distro: ubuntu - version: "20.04" - - distro: ubuntu - version: "22.04" - - distro: ubuntu - version: "24.04" - - distro: ubuntu - version: "24.10" - - distro: debian - version: bullseye - - distro: debian - version: bookworm - - distro: debian - version: trixie - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - uses: actions/setup-python@v5 - with: - python-version: "3.10" - - - name: Download Dangerzone .deb - uses: actions/download-artifact@v4 - with: - name: dangerzone.deb - path: "deb_dist/" - - - name: Build end-user environment - run: | - 
./dev_scripts/env.py --distro ${{ matrix.distro }} \ - --version ${{ matrix.version }} \ - build - - - name: Run a test command - run: | - ./dev_scripts/env.py --distro ${{ matrix.distro }} \ - --version ${{ matrix.version }} \ - run dangerzone-cli dangerzone/tests/test_docs/sample-pdf.pdf --ocr-lang eng - - - name: Check that the Dangerzone GUI imports work - run: | - ./dev_scripts/env.py --distro ${{ matrix.distro }} \ - --version ${{ matrix.version }} \ - run dangerzone --help - - build-install-rpm: - name: "build-install-rpm (${{ matrix.distro }} ${{matrix.version}})" - runs-on: ubuntu-latest - needs: - - build-container-image - strategy: - matrix: - distro: ["fedora"] - version: ["40", "41"] - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Login to GHCR - run: | - echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin - - - name: Get the dev environment - run: | - ./dev_scripts/env.py \ - --distro ${{ matrix.distro }} \ - --version ${{ matrix.version }} \ - build-dev --sync - - - name: Get current date - id: date - run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT - - - name: Restore container image - uses: actions/cache/restore@v4 - with: - key: v4-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }} - path: |- - share/container.tar.gz - share/image-id.txt - fail-on-cache-miss: true - - - name: Build Dangerzone .rpm - run: | - ./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} \ - run --dev --no-gui ./dangerzone/install/linux/build-rpm.py - - - name: Upload Dangerzone .rpm - uses: actions/upload-artifact@v4 - with: - name: dangerzone-${{ matrix.distro }}-${{ matrix.version }}.rpm - path: "dist/dangerzone-*.x86_64.rpm" - if-no-files-found: error - compression-level: 0 - - # Reclaim some space in this step, now that the dev environment is no - # longer necessary. 
Previously, we encountered out-of-space issues while - # running this CI job. - - name: Reclaim some storage space - run: podman system reset -f - - - name: Build end-user environment - run: | - ./dev_scripts/env.py --distro ${{ matrix.distro }} \ - --version ${{ matrix.version }} \ - build - - - name: Run a test command - run: | - ./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} \ - run dangerzone-cli dangerzone/tests/test_docs/sample-pdf.pdf --ocr-lang eng - - - name: Check that the Dangerzone GUI imports work - run: | - ./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} \ - run dangerzone --help - - run-tests: - name: "run tests (${{ matrix.distro }} ${{ matrix.version }})" - runs-on: ubuntu-latest - needs: - - build-container-image - - download-tessdata - strategy: - matrix: - include: - - distro: ubuntu - version: "20.04" - - distro: ubuntu - version: "22.04" - - distro: ubuntu - version: "24.04" - - distro: ubuntu - version: "24.10" - - distro: debian - version: bullseye - - distro: debian - version: bookworm - - distro: debian - version: trixie - - distro: fedora - version: "40" - - distro: fedora - version: "41" - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - uses: actions/setup-python@v5 - with: - python-version: "3.10" - - - name: Login to GHCR - run: | - echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin - - - name: Get current date - id: date - run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT - - - name: Get the dev environment - run: | - ./dev_scripts/env.py \ - --distro ${{ matrix.distro }} \ - --version ${{ matrix.version }} \ - build-dev --sync - - - name: Restore container image - uses: actions/cache/restore@v4 - with: - key: v4-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container_helpers/*', 'install/common/build-image.py') }} - path: |- - share/container.tar.gz - 
share/image-id.txt - fail-on-cache-miss: true - - - name: Restore cached tessdata - uses: actions/cache/restore@v4 - with: - path: share/tessdata/ - enableCrossOsArchive: true - fail-on-cache-miss: true - key: v1-tessdata-${{ hashFiles('./install/common/download-tessdata.py') }} - - - name: Setup xvfb (Linux) - run: | - sudo apt update - # Stuff copied wildly from several stackoverflow posts - sudo apt-get install -y xvfb libxkbcommon-x11-0 libxcb-icccm4 libxcb-image0 libxcb-keysyms1 libxcb-randr0 libxcb-render-util0 libxcb-xinerama0 libxcb-xinput0 libxcb-xfixes0 libxcb-shape0 libglib2.0-0 libgl1-mesa-dev '^libxcb.*-dev' libx11-xcb-dev libglu1-mesa-dev libxrender-dev libxi-dev libxkbcommon-dev libxkbcommon-x11-dev - - # start xvfb in the background - sudo /usr/bin/Xvfb $DISPLAY -screen 0 1280x1024x24 & - - - name: Run CI tests - run: |- - # Pass the -ac Xserver flag, to disable host-based access controls. - # This should be used ONLY for testing [1]. If we don't pass this - # flag, the Podman container is not authorized [2] to access the Xvfb - # server. - # - # [1] From https://www.x.org/releases/X11R6.7.0/doc/Xserver.1.html#sect4: - # - # disables host-based access control mechanisms. Enables access by - # any host, and permits any host to modify the access control - # list. Use with extreme caution. This option exists primarily for - # running test suites remotely. - # - # [2] Fails with "Authorization required, but no authorization - # protocol specified". However, we have verified with strace(1) - # that the command in the Podman container can read the Xauthority - # file successfully. - xvfb-run -s '-ac' ./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} run --dev \ - bash -c 'cd dangerzone; poetry run make test' - - check-reproducibility: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Install dev. 
dependencies - run: |- - sudo apt-get update - sudo apt-get install -y git python3-poetry --no-install-recommends - poetry install --only package - - - name: Verify that the Dockerfile matches the commited template and params - run: |- - cp Dockerfile Dockerfile.orig - make Dockerfile - diff Dockerfile.orig Dockerfile - - - name: Build Dangerzone container image - run: | - python3 ./install/common/build-image.py --no-save - - - name: Reproduce the same container image - run: | - ./dev_scripts/reproduce-image.py
diff --git a/.github/workflows/close-issues.yml b/.github/workflows/close-issues.yml
deleted file mode 100644
index cf503fd..0000000
--- a/.github/workflows/close-issues.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-name: Close inactive issues -on: - schedule: - - cron: "30 1 * * *" - -jobs: - close-issues: - runs-on: ubuntu-latest - permissions: - issues: write - steps: - - uses: actions/stale@v9 - with: - days-before-issue-stale: 30 - days-before-issue-close: 14 - stale-issue-label: "stale" - stale-issue-message: "Marking this issue as stale because it has been open for 30 days with no activity. It will be closed in 14 days if there's no activity, or if the `stale` label is not removed. Does anyone want to add something?" - close-issue-message: "Closing this issue now. Don't hesitate to reopen if you have anything to add :-)" - days-before-pr-stale: -1 - days-before-pr-close: -1 - repo-token: ${{ secrets.GITHUB_TOKEN }} - any-of-labels: needs info
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
deleted file mode 100644
index e08dcef..0000000
--- a/.github/workflows/scan.yml
+++ /dev/null
@@ -1,88 +0,0 @@ -name: Scan latest app and container -on: - push: - branches: - - main - pull_request: - schedule: - - cron: '0 0 * * *' # Run every day at 00:00 UTC. - workflow_dispatch: - -jobs: - security-scan-container: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Install container build dependencies - run: | - sudo apt install pipx - pipx install poetry - pipx inject poetry poetry-plugin-export - poetry install --only package - - name: Bump date of Debian snapshot archive - run: | - date=$(date "+%Y%m%d") - sed -i "s/DEBIAN_ARCHIVE_DATE=[0-9]\+/DEBIAN_ARCHIVE_DATE=${date}/" Dockerfile.env - make Dockerfile - - name: Build container image - run: python3 ./install/common/build-image.py --runtime docker --no-save - - name: Get image tag - id: tag - run: echo "tag=$(cat share/image-id.txt)" >> $GITHUB_OUTPUT - # NOTE: Scan first without failing, else we won't be able to read the scan - # report. - - name: Scan container image (no fail) - uses: anchore/scan-action@v6 - id: scan_container - with: - image: "dangerzone.rocks/dangerzone:${{ steps.tag.outputs.tag }}" - fail-build: false - only-fixed: false - severity-cutoff: critical - - name: Upload container scan report - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: ${{ steps.scan_container.outputs.sarif }} - category: container - - name: Inspect container scan report - run: cat ${{ steps.scan_container.outputs.sarif }} - - name: Scan container image - uses: anchore/scan-action@v6 - with: - image: "dangerzone.rocks/dangerzone:${{ steps.tag.outputs.tag }}" - fail-build: true - only-fixed: false - severity-cutoff: critical - - security-scan-app: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - # NOTE: Scan first without failing, else we won't be able to read the scan - # report. - - name: Scan application (no fail) - uses: anchore/scan-action@v6 - id: scan_app - with: - path: "." 
- fail-build: false - only-fixed: false - severity-cutoff: critical - name: Upload application scan report - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: ${{ steps.scan_app.outputs.sarif }} - category: app - name: Inspect application scan report - run: cat ${{ steps.scan_app.outputs.sarif }} - name: Scan application - uses: anchore/scan-action@v6 - with: - path: "." - fail-build: true - only-fixed: false - severity-cutoff: critical
diff --git a/.github/workflows/scan_released.yml b/.github/workflows/scan_released.yml
deleted file mode 100644
index 3688e61..0000000
--- a/.github/workflows/scan_released.yml
+++ /dev/null
@@ -1,91 +0,0 @@ -name: Scan released app and container -on: - schedule: - - cron: '0 0 * * *' # Run every day at 00:00 UTC. - workflow_dispatch: - -jobs: - security-scan-container: - strategy: - matrix: - include: - - runs-on: ubuntu-latest - arch: i686 - # Do not scan Silicon mac for now to avoid masking release scan results for other plaforms. - # - runs-on: macos-latest - # arch: arm64 - runs-on: ${{ matrix.runs-on }} - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Download container image for the latest release and load it - run: | - VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | grep "tag_name" | cut -d '"' -f 4) - CONTAINER_FILENAME=container-${VERSION:1}-${{ matrix.arch }}.tar.gz - wget https://github.com/freedomofpress/dangerzone/releases/download/${VERSION}/${CONTAINER_FILENAME} -O ${CONTAINER_FILENAME} - docker load -i ${CONTAINER_FILENAME} - - name: Get image tag - id: tag - run: | - tag=$(docker images dangerzone.rocks/dangerzone --format '{{ .Tag }}') - echo "tag=$tag" >> $GITHUB_OUTPUT - # NOTE: Scan first without failing, else we won't be able to read the scan - # report. 
- - name: Scan container image (no fail) - uses: anchore/scan-action@v6 - id: scan_container - with: - image: "dangerzone.rocks/dangerzone:${{ steps.tag.outputs.tag }}" - fail-build: false - only-fixed: false - severity-cutoff: critical - - name: Upload container scan report - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: ${{ steps.scan_container.outputs.sarif }} - category: container-${{ matrix.arch }} - - name: Inspect container scan report - run: cat ${{ steps.scan_container.outputs.sarif }} - - name: Scan container image - uses: anchore/scan-action@v6 - with: - image: "dangerzone.rocks/dangerzone:${{ steps.tag.outputs.tag }}" - fail-build: true - only-fixed: false - severity-cutoff: critical - - security-scan-app: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Checkout the latest released tag - run: | - VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | jq -r '.tag_name') - git checkout $VERSION - # NOTE: Scan first without failing, else we won't be able to read the scan - # report. - - name: Scan application (no fail) - uses: anchore/scan-action@v6 - id: scan_app - with: - path: "." - fail-build: false - only-fixed: false - severity-cutoff: critical - - name: Upload application scan report - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: ${{ steps.scan_app.outputs.sarif }} - category: app - - name: Inspect application scan report - run: cat ${{ steps.scan_app.outputs.sarif }} - - name: Scan application - uses: anchore/scan-action@v6 - with: - path: "." - fail-build: true - only-fixed: false - severity-cutoff: critical