Add a set-container-runtime option to dangerzone-cli

This sets the container runtime in the settings, and provides an easy
way to do so for users, without having to mess with the json settings.

When setting the container runtime, one can just pass "podman" and the
path to the executable will be stored in the settings.

.github/workflows/build-push-image.yml

@@ -209,7 +209,7 @@ jobs:
       actions: read # for detecting the Github Actions environment.
       id-token: write # for creating OIDC tokens for signing.
       packages: write # for uploading attestations.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
     with:
       digest: ${{ needs.merge.outputs[format('digest_{0}', matrix.manifest_type)] }}
       image: ${{ needs.merge.outputs.image }}

.github/workflows/check_pr.yml

@@ -1,6 +1,7 @@
 name: Check branch conformity
 on:
   pull_request:
+    types: ["opened", "labeled", "unlabeled", "reopened", "synchronize"]
 
 jobs:
   prevent-fixup-commits:
@@ -20,17 +21,10 @@ jobs:
 
   check-changelog:
     runs-on: ubuntu-latest
+    name: Ensure CHANGELOG.md is populated for user-visible changes
     steps:
-      - name: Checkout code
+      # Pin the GitHub action to a specific commit that we have audited and know
-        uses: actions/checkout@v4
+      # how it works.
+      - uses: tarides/changelog-check-action@509965da3b8ac786a5e2da30c2ccf9661189121f
         with:
-          fetch-depth: 0
+          changelog: CHANGELOG.md
-      - name: ensure CHANGELOG.md is populated
-        env:
-          BASE_REF: ${{ github.event.pull_request.base.ref }}
-        shell: bash
-        run: |
-          if git diff --exit-code "origin/${BASE_REF}" -- CHANGELOG.md; then
-              echo "::error::No CHANGELOG.md modifications were found in this pull request."
-              return -1;
-          fi

CHANGELOG.md

@@ -38,6 +38,10 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or
 
 - Platform support: Drop support for Fedora 39, since it's end-of-life ([#999](https://github.com/freedomofpress/dangerzone/pull/999))
 
+## Updated
+
+- Bump `slsa-framework/slsa-github-generator` from 2.0.0 to 2.1.0 ([#1109](https://github.com/freedomofpress/dangerzone/pull/1109))
+
 ### Development changes
 
   Thanks [@jkarasti](https://github.com/jkarasti) for the contribution.

RELEASE.md

@@ -17,6 +17,7 @@ Here is a list of tasks that should be done before issuing the release:
 - [ ] Bump the Debian version by adding a new changelog entry in `debian/changelog`
 - [ ] [Bump the minimum Docker Desktop versions](https://github.com/freedomofpress/dangerzone/blob/main/RELEASE.md#bump-the-minimum-docker-desktop-version) in `isolation_provider/container.py`
 - [ ] Bump the dates and versions in the `Dockerfile`
+- [ ] Update the download links in our `INSTALL.md` page to point to the new version (the download links will be populated after the release)
 - [ ] Update screenshot in `README.md`, if necessary
 - [ ] CHANGELOG.md should be updated to include a list of all major changes since the last release
 - [ ] A draft release should be created. Copy the release notes text from the template at [`docs/templates/release-notes`](https://github.com/freedomofpress/dangerzone/tree/main/docs/templates/)
@@ -340,7 +341,7 @@ To publish the release, you can follow these steps:
 
 - [ ] Update the [Dangerzone website](https://github.com/freedomofpress/dangerzone.rocks) to link to the new installers.
 - [ ] Update the brew cask release of Dangerzone with a [PR like this one](https://github.com/Homebrew/homebrew-cask/pull/116319)
-- [ ] Update version and download links in `README.md`
+- [ ] Update version and links to our installation instructions (`INSTALL.md`) in `README.md`
 
 ## Post-release
 

dangerzone/cli.py

@@ -38,7 +38,7 @@ def print_header(s: str) -> None:
 )
 @click.argument(
     "filenames",
-    required=True,
+    required=False,
     nargs=-1,
     type=click.UNPROCESSED,
     callback=args.validate_input_filenames,
@@ -59,7 +59,7 @@ def print_header(s: str) -> None:
 def cli_main(
     output_filename: Optional[str],
     ocr_lang: Optional[str],
-    filenames: List[str],
+    filenames: Optional[List[str]],
     archive: bool,
     dummy_conversion: bool,
     debug: bool,
@@ -69,8 +69,13 @@ def cli_main(
     display_banner()
     if set_container_runtime:
         settings = Settings()
-        settings.set("container_runtime", set_container_runtime, autosave=True)
+        container_runtime = settings.set_custom_runtime(
-        click.echo(f"Set the settings container_runtime to {set_container_runtime}")
+            set_container_runtime, autosave=True
+        )
+        click.echo(f"Set the settings container_runtime to {container_runtime}")
+        sys.exit(0)
+    elif not filenames:
+        raise click.UsageError("Missing argument 'FILENAMES...'")
 
     if getattr(sys, "dangerzone_dev", False) and dummy_conversion:
         dangerzone = DangerzoneCore(Dummy())

dangerzone/container_utils.py

@@ -16,6 +16,14 @@ log = logging.getLogger(__name__)
 
 
 class Runtime(object):
+    """Represents the container runtime to use.
+
+    - It can be specified via the settings, using the "container_runtime" key,
+      which should point to the full path of the runtime;
+    - If the runtime is not specified via the settings, it defaults
+      to "podman" on Linux and "docker" on macOS and Windows.
+    """
+
     def __init__(self) -> None:
         settings = Settings()
 
@@ -26,14 +34,22 @@ class Runtime(object):
             self.name = self.path.stem
         else:
             self.name = self.get_default_runtime_name()
-            binary_path = shutil.which(self.name)
+            self.path = Runtime.path_from_name(self.name)
-            if binary_path is None or not os.path.exists(binary_path):
-                raise errors.NoContainerTechException(self.name)
-            self.path = Path(binary_path)
 
         if self.name not in ("podman", "docker"):
             raise errors.UnsupportedContainerRuntime(self.name)
 
+    @staticmethod
+    def path_from_name(name: str) -> Path:
+        name_path = Path(name)
+        if name_path.is_file():
+            return name_path
+        else:
+            runtime = shutil.which(name_path)
+            if runtime is None:
+                raise errors.NoContainerTechException(name)
+            return Path(runtime)
+
     @staticmethod
     def get_default_runtime_name() -> str:
         return "podman" if platform.system() == "Linux" else "docker"

dangerzone/gui/main_window.py

@@ -221,11 +221,14 @@ class MainWindow(QtWidgets.QMainWindow):
         self.setProperty("OSColorMode", self.dangerzone.app.os_color_mode.value)
 
         if hasattr(self.dangerzone.isolation_provider, "check_docker_desktop_version"):
+            try:
                 is_version_valid, version = (
                     self.dangerzone.isolation_provider.check_docker_desktop_version()
                 )
                 if not is_version_valid:
                     self.handle_docker_desktop_version_check(is_version_valid, version)
+            except errors.UnsupportedContainerRuntime as e:
+                pass  # It's catched later in the flow.
 
         self.show()
 
@@ -602,17 +605,18 @@ class WaitingWidgetContainer(WaitingWidget):
                 )
             elif platform.system() == "Linux":
                 # "not_running" here means that the `podman image ls` command failed.
-                message = (
+                self.show_error(
                     "<strong>Dangerzone requires Podman</strong><br><br>"
-                    "Podman is installed but cannot run properly. See errors below"
+                    "Podman is installed but cannot run properly. See errors below",
+                    error,
                 )
             else:
-                message = (
+                self.show_error(
                     "<strong>Dangerzone requires Docker Desktop</strong><br><br>"
                     "Docker is installed but isn't running.<br><br>"
-                    "Open Docker and make sure it's running in the background."
+                    "Open Docker and make sure it's running in the background.",
+                    error,
                 )
-            self.show_error(message, error)
         else:
             self.show_message(
                 "Installing the Dangerzone container image.<br><br>"

dangerzone/settings.py

@@ -1,6 +1,7 @@
 import json
 import logging
 import os
+from pathlib import Path
 from typing import TYPE_CHECKING, Any, Dict
 
 from packaging import version
@@ -42,6 +43,15 @@ class Settings:
     def custom_runtime_specified(self) -> bool:
         return "container_runtime" in self.settings
 
+    def set_custom_runtime(self, runtime: str, autosave: bool = False) -> Path:
+        from .container_utils import Runtime  # Avoid circular import
+
+        container_runtime = Runtime.path_from_name(runtime)
+        self.settings["container_runtime"] = str(container_runtime)
+        if autosave:
+            self.save()
+        return container_runtime
+
     def get(self, key: str) -> Any:
         return self.settings[key]