92 commits

Author	SHA1	Message	Date
dependabot[bot]	d868699bab	build(deps): bump slsa-framework/slsa-github-generator ... Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 2.0.0 to 2.1.0. - [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases) - [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) - [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v2.0.0...v2.1.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-github-generator dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2025-03-26 14:54:50 +01:00
Alexis Métaireau	bbc90be217	Publish the resulted diffs as github artifacts ... Which makes it easier to inspect after CI run failures.	2025-03-26 11:45:45 +01:00
Alexis Métaireau	fa8e8c6dbb	CI: Enforce updating the CHANGELOG in the CI ... Currently, this is only returning warnings, but we seem to just skip them. As it's possible to merge PRs when the CI is red, issuing an error would help us to think about populating this file.	2025-03-21 11:10:56 +01:00
Alex Pyrgiotis	8d05b5779d	ci: Reproducibly build a container image ... Create a reusable GitHub Actions workflow that does the following: 1. Create a multi-architecture container image for Dangerzone, instead of having two different tarballs (or no option at all) 2. Build the Dangerzone container image on our supported architectures (linux/amd64 and linux/arm64). It so happens that GitHub also offers ARM machine runners, which speeds up the build. 3. Combine the images from these two architectures into one, multi-arch image. 4. Generate provenance info for each manifest, and the root manifest list. 5. Check the image's reproduciblity. Also, remove an older CI job for checking the reproducibility of the image, which is now obsolete. Fixes #1035	2025-03-20 17:24:42 +02:00
Alex Pyrgiotis	51f432be6b	Fix references to container.tar.gz ... Find all references to the `container.tar.gz` file, and replace them with references to `container.tar`. Moreover, remove the `--no-save` argument of `build-image.py` since we now always save the image. Finally, fix some stale references to Poetry, which are not necessary anymore.	2025-03-20 17:15:15 +02:00
Alex Pyrgiotis	6d269572ae	Add support for Ubuntu 25.04 (plucky) ... Closes #1090	2025-03-20 16:56:58 +02:00
Alex Pyrgiotis	c7ba9ee75c	Add support for Fedora 42 ... Closes #1091	2025-03-20 16:53:37 +02:00
Alex Pyrgiotis	4a48a2551b	Drop Ubuntu 20.04 (Focal) support ... Drop Ubuntu 20.04 (Focal) support, because it's nearing its end-of-life date. By doing so, we can remove several workarounds and notices we had in place for this version, and most importantly, remove the pin to our vendored PyMuPDF package. Refs #1018 Refs #965	2025-03-17 15:40:25 +02:00
Alex Pyrgiotis	56663023f5	ci: Security scan ARM images ... Scan ARM images using Anchore's scan action, by utilizing the Ubuntu ARM runners provided by GitHub. While our ARM images are used only in macOS silicon platforms, we can use the Ubuntu ARM runners just for scanning. Closes #1008	2025-03-10 18:45:26 +02:00
Alex Pyrgiotis	53a952235c	Specify version when installing WiX ... Update our CI job and build instructions with the latest WiX version, so that we don't encounter any installation issues when new WiX versions are released. Also, add a reminder in our release instruction to bump the WiX version before we start a new release. Fixes #1087	2025-03-10 18:03:24 +02:00
Alex Pyrgiotis	cfa4478ace	ci: Add a CI job that enforces image reproducibility ... Add a CI job that uses the `reproduce.py` dev script to enforce image reproducibility, for every PR that we send to the repo. Fixes #1047	2025-01-27 21:40:27 +02:00
Alex Pyrgiotis	5d49f5abdb	ci: Scan the latest image for CVEs ... Update the Debian snapshot date to the current one, so that we always scan the latest image for CVEs. Refs #1057	2025-01-27 21:40:27 +02:00
Alex Pyrgiotis	14bb6c0e39	Do not use poetry.lock when building the container image ... Remove all the scaffolding in our `build-image.py` script for using the `poetry.lock` file, now that we install PyMuPDF from the Debian repos.	2025-01-23 23:25:39 +02:00
Alex Pyrgiotis	8568b4bb9d	Move container-only build context to dangerzone/container ... Move container-only build context (currently just the entrypoint script) from `dangerzone/gvisor_wrapper` to `dangerzone/container_helpers`. Update the rest of the scripts to use this location as well.	2025-01-23 23:24:48 +02:00
Alexis Métaireau	c407e2ff84	doc: update Debian Trixie installation instructions ... Starting with Debian Trixie, `apt secure` relies on `sqv` to do its verification, which doesn't support the GPG keybox database format. At the same time, using the standard PGP base64 format makes the verification fail for versions of `apt secure` which relies on `gpg`, as the subkey isn't detected there. Fixes #1055	2025-01-20 14:10:15 +01:00
Alexis Métaireau	7f418118e6	CI: Drop Fedora 39 from the CI checks	2025-01-16 11:51:22 +01:00
Alexis Métaireau	2423fc18c5	CI: Store the signature key using the base64 format ... The GPG binary format used until now doesn't seem to please `sqv` which is now used by default on debian trixie. Fixes #1052	2025-01-15 19:39:02 +01:00
Alexis Métaireau	00e58a8707	build: add poetry-plugin-export to the dependencies ... Since Poetry 2.0.0, the `export` command has been removed and it's advised to use the "poetry-plugin-export" package instead. This commit adds this dependency to the different places it's needed (debian environments, CI, build instructions, etc).	2025-01-08 06:18:01 +01:00
Alexis Métaireau	1ea2f109cb	Run apt update before running apt get install	2024-12-17 17:24:46 +01:00
dependabot[bot]	df3063a825	build(deps): bump anchore/scan-action from 5 to 6 ... Bumps [anchore/scan-action](https://github.com/anchore/scan-action) from 5 to 6. - [Release notes](https://github.com/anchore/scan-action/releases) - [Changelog](https://github.com/anchore/scan-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/anchore/scan-action/compare/v5...v6) --- updated-dependencies: - dependency-name: anchore/scan-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2024-12-16 19:49:37 +02:00
Alex Pyrgiotis	3eac00b873	ci: Work with image tarballs that are not tagged as 'latest' ... Now that our image tarball is not tagged as 'latest', we must first grab the image tag first, and then refer to it. We can grab the tag either from `share/image-id.txt` (if available) or with: docker load dangerzone.rocks/dangerzone --format {{ .Tag }}	2024-12-10 11:31:39 +02:00
Alex Pyrgiotis	6a5e76f2b4	Build and tag Dangerzone images ... Build Dangerzone images and tag them with a unique ID that stems from the Git reop. Note that using tags as image IDs instead of regular image IDs breaks the current Dangerzone expectations, but this will be addressed in subsequent commits.	2024-12-10 11:18:23 +02:00
JKarasti	38a803085f	CI: Use WiX Toolset v5 to build the msi	2024-12-09 18:42:11 +02:00
Alexis Métaireau	fdc27c4d3b	CI: check that the changelog is populated on each pull request	2024-12-02 11:57:30 +01:00
Alexis Métaireau	23f5f96220	build: Publish the built artifacts ... - Fedora `.rpm` files - Windows `.msi` - macOS `.app` Are now published as part of the CI pipelines.	2024-12-02 11:35:54 +01:00
Alexis Métaireau	5744215d99	Issue templates: rephrase how we ask docker info to the users ... People might not now if the issue is related to docker or not, and we've had to ask them for additional information after they opened the issue. This makes it clearer that this information might be useful.	2024-11-28 18:04:24 +01:00
Alex Pyrgiotis	c89988654c	Drop checks for the FPF-maintained PySide6 package ... There are various place in our release process (build/installation/release instructions and CI checks) where we make sure that the FPF-maintained PySide6 package works in Fedora 39. Now that Fedora 39 is nearing its EOL date, we can remove those.	2024-11-26 16:06:38 +01:00
Alex Pyrgiotis	7eaa0cfe50	Drop Fedora 39 support ... Drop Fedora 39 support by removing it from our CI and installation instructions. Closes #999	2024-11-26 16:06:35 +01:00
Alexis Métaireau	9d69e3b261	CI: Do not scan release assets for mac silicon for now.	2024-11-25 18:54:46 +01:00
Alexis Métaireau	20354e7c11	CI: Use grep + cut rather than jq to get the version number ... Github macOS runners don't come with `jq` pre-installed.	2024-11-21 12:34:15 +01:00
Alexis Métaireau	944d58dd8d	CI: Update container scanning to account for the arm64 architecture.	2024-11-20 17:12:20 +01:00
Alexis Métaireau	630083bdea	CI: Only run the CI on pull requests, and on the "main" branch ... Previously, the actions were duplicated, due to the fact when developing we often create feature branches and open pull requests. This new setup requires us to open pull requests to trigger the CI.	2024-11-20 15:56:28 +01:00
Alex Pyrgiotis	96aa56a6dc	Remove version prefix v from container filename	2024-11-06 13:53:52 +02:00
Alex Pyrgiotis	91932046f5	ci: Use the new container filename in our assets ... The filename of the container image tarball that we published in our release assets has changed from `container.tar.gz` to `container-0.8.0-i686.tar.gz`. Change the scan action accordingly.	2024-11-06 13:41:37 +02:00
Alexis Métaireau	00480551ca	build: use the version-less container released-asset for now	2024-10-31 18:27:53 +01:00
Alexis Métaireau	f540a67d06	Update RELEASE.md to upload container.tar.gz for both i686 and arm64 architectures.	2024-10-30 19:11:24 +01:00
Alexis Métaireau	59e1666c28	Drop support for Ubuntu Mantic (23.10), which is EOL since 11 Jul 2024.	2024-10-30 16:43:50 +01:00
dependabot[bot]	e68a43bbbf	build(deps): bump actions/stale from 5 to 9 ... Bumps [actions/stale](https://github.com/actions/stale) from 5 to 9. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/v5...v9) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2024-10-21 14:19:30 +03:00
dependabot[bot]	10fb631b8e	build(deps): bump actions/setup-python from 4 to 5 ... Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4 to 5. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2024-10-21 14:16:38 +03:00
Alexis Métaireau	796ca79289	Automate the closing of stale issues	2024-10-17 19:28:07 +02:00
Alex Pyrgiotis	0ea8e71f15	ci: Check OCR in Debian/Fedora tests	2024-10-17 15:50:12 +03:00
Alex Pyrgiotis	477bdfcc2e	ci: Add GitHub action for tessdata	2024-10-17 15:50:11 +03:00
Alex Pyrgiotis	fba009a7f0	ci: Be explicit about the Debian package we install in end-user envs	2024-10-17 15:33:58 +03:00
Alex Pyrgiotis	dd3ab71065	ci: Explicitly use Ubuntu 24.04 for our runner images ... GitHub actions somehow managed to downgrade our runners from Ubuntu 24.04 to Ubuntu 22.04, even though we use `ubuntu-latest`. Make the Ubuntu 24.04 requirement more explicit, until GitHub migrates fully to this version for the `ubuntu-latest` tag. Fixes #957	2024-10-17 14:40:45 +03:00
dependabot[bot]	941131f7a9	build(deps): bump anchore/scan-action from 4 to 5 ... Bumps [anchore/scan-action](https://github.com/anchore/scan-action) from 4 to 5. - [Release notes](https://github.com/anchore/scan-action/releases) - [Changelog](https://github.com/anchore/scan-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/anchore/scan-action/compare/v4...v5) --- updated-dependencies: - dependency-name: anchore/scan-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2024-10-16 17:52:33 +03:00
Alex Pyrgiotis	b6bb9a1216	ci: Make repo checking work for unreleased Fedora versions ... Unreleased Fedora versions may refer to themselves as "rawhide", instead of their version (e.g., "41"). For this reason, we should try and replace the "rawhide" string with the proper Fedora version.	2024-10-16 17:37:40 +03:00
Alex Pyrgiotis	eaef95b774	Call 'dnf config-manager' via the dnf-3 interface ... Fedora 41 has a newer dnf interface (dnf v5), and the config-manager plugin that we use is not compatible with it. Suggest running it with `dnf-3` instead, which is present in all Fedora versions.	2024-10-16 15:58:44 +03:00
Alex Pyrgiotis	5a97182979	ci: Add Fedora 41 CI jobs	2024-10-15 19:43:14 +03:00
Alexis Métaireau	49c3c2c6bb	Add support for 24.10 (oracular) ... Refs #947	2024-10-15 19:41:49 +03:00
Alex Pyrgiotis	fd5aafdde9	ci: Start an Xvfb server in our CI tests ... Remove the installation steps for Xvfb, since it's already included in GitHub actions, and fire up an Xvfb server with disabled host-based access control. Initially, we tried to wrap our CI tests with `xvfb-run`, but any X11 client within our Podman container failed with the following error message: Authorization required, but no authorization protocol specified. This error message is usually thrown when the X11 client does not provide the magic cookie in the Xauthority file back to the X11 server. In our case though, we can verify that commands in our Podman container read the Xauthority file successfully: socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3 connect(3, {sa_family=AF_UNIX, sun_path=@"/tmp/.X11-unix/X99"}, 21) = -1 ECONNREFUSED (Connection refused) close(3) = 0 socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3 getsockopt(3, SOL_SOCKET, SO_SNDBUF, [212992], [4]) = 0 connect(3, {sa_family=AF_UNIX, sun_path="/tmp/.X11-unix/X99"}, 110) = 0 getpeername(3, {sa_family=AF_UNIX, sun_path="/tmp/.X11-unix/X99"}, [124->21]) = 0 uname({sysname="Linux", nodename="dangerzone-dev", ...}) = 0 access("/home/runner/work/dangerzone/dangerzone/cookie", R_OK) = 0 openat(AT_FDCWD, "/home/runner/work/dangerzone/dangerzone/cookie", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0600, st_size=59, ...}) = 0 read(4, "\1\0\0\rfv-az1915-957\0\299\0\22MIT-MAGIC"..., 4096) = 59 read(4, "", 4096) = 0 close(4) = 0 fcntl(3, F_GETFL) = 0x2 (flags O_RDWR) fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 poll([{fd=3, events=POLLIN|POLLOUT}], 1, -1) = 1 ([{fd=3, revents=POLLOUT}]) writev(3, [{iov_base="l\0\v\0\0\0\0\0\0\0\0\0", iov_len=12}, {iov_base="", iov_len=0}], 2) = 12 recvfrom(3, 0x55a5635c0050, 8, 0, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable) poll([{fd=3, events=POLLIN}], 1, -1) = 1 ([{fd=3, revents=POLLIN}]) recvfrom(3, "\0@\v\0\0\0\20\0", 8, 0, NULL, NULL) = 8 recvfrom(3, "Authorization required, but no a"..., 64, 0, NULL, NULL) = 64 write(2, "Authorization required, but no a"..., 64Authorization required, but no authorization protocol specified ) = 64 The line with the magic cookie is: read(4, "\1\0\0\rfv-az1915-957\0\299\0\22MIT-MAGIC"..., 4096) = 59 Since we are not sure why we are not allowed access to the X11 server from the Podman container, we decided to disable host-based access controls altogether. This is not a security concern, since this X11 session is a remote one. However, we shouldn't run tests this way in dev machines. Fixes #949	2024-10-14 17:02:43 +03:00