WIP: Fix doit

dangerzone/isolation_provider/container.py

@@ -270,13 +270,7 @@ class Container(IsolationProvider):
         log.info(f"Successfully tagged container image '{cur_image_name}' as {new_image_name}")
 
     @staticmethod
-    def is_tag_latest(expected_tag: str, tag_map: [str]) -> None:
+    def install() -> bool:
-        try:
-            return tag_map[expected_tag] == tag_map["latest"]
-        except KeyError:
-            return False
-
-    def install(self) -> bool:
         """Install the container image tarball, or verify that it's already installed.
 
         Perform the following actions:
@@ -310,7 +304,7 @@ class Container(IsolationProvider):
         new_tags = Container.get_image_tags()
         if expected_tag not in new_tags:
             raise ImageNotPresentException(
-                "Could not find expected tag {tag} after loading the container image tarball"
+                f"Could not find expected tag '{expected_tag}' after loading the container image tarball"
             )
 
         # Mark the expected tag as "latest".

dodo.py

@@ -75,6 +75,17 @@ def task_clean_container_runtime():
     }
 
 
+def task_clean_git():
+    """Clean the Git repo."""
+    return {
+        "actions": None,
+        "clean": [
+            "git clean -fdx",
+            "git checkout -f",
+        ],
+    }
+
+
 def task_check_python():
     """Check that the latest supported Python version is installed (WIP).
 
@@ -164,8 +175,7 @@ def task_init_release_dir():
 
     return {
         "actions": [create_release_dir],
-        "targets": [RELEASE_DIR, RELEASE_DIR / "github", RELEASE_DIR / "tmp"],
+        "clean": [f"rm -rf {RELEASE_DIR}"],
-        "clean": True,
     }
 
 
@@ -188,9 +198,13 @@ def task_download_tessdata():
 
 def task_build_image():
     """Build the container image using ./install/common/build-image.py"""
+    img_src = f"share/container-{VERSION}.tar.gz"
+    img_dst = RELEASE_DIR / f"container-{VERSION}.tar.gz"  # FIXME: Add arch
+
     return {
         "actions": [
-            "python install/common/build-image.py --use-cache=%(use_cache)s",
+            "python install/common/build-image.py --use-cache=%(use_cache)s --force-tag=%(force_tag)s",
+            f"cp {img_src} {img_dst}",
         ],
         "params": [
             {
@@ -202,6 +216,15 @@ def task_build_image():
                 ),
                 "default": False,
             },
+            {
+                "name": "force_tag",
+                "long": "force-tag",
+                "help": (
+                    "Build the image using the specified tag. For reproducibility"
+                    " reasons, it's best to not use this flag"
+                ),
+                "default": "",
+            },
         ],
         "file_dep": [
             "Dockerfile",
@@ -210,8 +233,11 @@ def task_build_image():
             "dangerzone/gvisor_wrapper/entrypoint.py",
             "install/common/build-image.py",
         ],
-        "targets": ["share/container.tar.gz", "share/image-id.txt"],
+        "targets": [img_src, img_dst],
-        "task_dep": ["check_container_runtime"],
+        "task_dep": [
+            "init_release_dir",
+            "check_container_runtime",
+        ],
         "clean": True,
     }
 
@@ -223,39 +249,58 @@ def task_poetry_install():
     }
 
 
-def task_macos_build_app():
+def task_macos_build_dmg():
     """Build the macOS app bundle for Dangerzone."""
+    dz_dir = RELEASE_DIR / "tmp" / "macos"
+    dmg_src = dz_dir / "dist" / "Dangerzone.dmg"
+    dmg_dst = RELEASE_DIR / f"Dangerzone-{VERSION}.dmg"  # FIXME: Add -arch
 
-    return {
-        "actions": [["poetry", "run", "install/macos/build-app.py"]],
-        "file_dep": [
-            *list_files("share"),
-            *list_files("dangerzone"),
-            "share/container.tar.gz",
-            "share/image-id.txt",
-        ],
-        "task_dep": ["poetry_install"],
-        "targets": ["dist/Dangerzone.app"],
-        "clean": ["rm -rf dist/Dangerzone.app"],
-    }
-
-
-def task_macos_codesign():
     return {
         "actions": [
-            ["poetry", "run", "install/macos/build-app.py", "--only-codesign"],
+            (copy_dz_dir, [".", dz_dir]),
-            [
+            f"cd {dz_dir} && poetry run install/macos/build-app.py --with-codesign",
-                "xcrun notarytool submit --wait --apple-id %(apple_id)s"
+            ("xcrun notarytool submit --wait --apple-id %(apple_id)s"
-                " --keychain-profile dz-notarytool-release-key dist/Dangerzone.dmg",
+             f" --keychain-profile dz-notarytool-release-key {dmg_src}"),
-            ],
+            f"xcrun stapler staple {dmg_src}",
+            ["cp", "-r", dmg_src, dmg_dst],
+            ["rm", "-r", dz_dir],
         ],
         "params": [PARAM_APPLE_ID],
-        "file_dep": ["dist/Dangerzone.app"],
+        "file_dep": [
-        "targets": ["dist/Dangerzone.dmg"],
+            "poetry.lock",
+            "install/macos/build.app.py",
+            *list_files("assets"),
+            *list_files("share"),
+            *list_files("dangerzone"),
+            f"share/container-{VERSION}.tar.gz",
+        ],
+        "task_dep": [
+            "init_release_dir",
+            "poetry_install"
+        ],
+        "targets": [dmg_dst],
         "clean": True,
     }
 
 
+# def task_macos_codesign():
+#     dz_dir = RELEASE_DIR / "tmp" / "macos"
+#     app_src = RELEASE_DIR / "Dangerzone.app"
+#     dmg_src = dz_dir / "dist" / "Dangerzone.dmg"
+#     dmg_dst = RELEASE_DIR / "Dangerzone-{VERSION}.dmg"
+
+#     return {
+#         "actions": [
+#         ],
+#         "params": [PARAM_APPLE_ID],
+#         "file_dep": [
+#             RELEASE_DIR / "Dangerzone.app"
+#         ],
+#         "targets": ["dist/Dangerzone.dmg"],
+#         "clean": True,
+#     }
+
+
 def task_debian_env():
     return {
         "actions": [
@@ -286,11 +331,15 @@ def task_debian_deb():
             ["rm", "-r", dz_dir],
         ],
         "file_dep": [
-            RELEASE_DIR,
+            "poetry.lock",
-            "share/container.tar.gz",
+            "install/linux/build-deb.py",
-            "share/image-id.txt",
+            *list_files("assets"),
+            *list_files("share"),
+            *list_files("dangerzone"),
+            f"share/container-{VERSION}.tar.gz",
         ],
         "task_dep": [
+            "init_release_dir",
             "debian_env",
         ],
         "targets": [deb_dst],
@@ -338,11 +387,15 @@ def task_fedora_rpm():
                 ["rm", "-r", dz_dir],
             ],
             "file_dep": [
-                RELEASE_DIR,
+                "poetry.lock",
-                "share/container.tar.gz",
+                "install/linux/build-rpm.py",
-                "share/image-id.txt",
+                *list_files("assets"),
+                *list_files("share"),
+                *list_files("dangerzone"),
+                f"share/container-{VERSION}.tar.gz",
             ],
             "task_dep": [
+                "init_release_dir",
                 f"fedora_env:{version}",
             ],
             "targets": rpm_dst,

install/common/build-image.py

@@ -56,11 +56,17 @@ def main():
         const=True,
         help="Use the builder's cache to speed up the builds (not suitable for release builds)",
     )
+    parser.add_argument(
+        "--force-tag",
+        default=None,
+        help="Force tag the image with this tag",
+    )
     args = parser.parse_args()
 
     print(f"Building for architecture '{ARCH}'")
     dirty_tag = secrets.token_hex(2)
 
+    if not args.force_tag:
         tag = subprocess.check_output(
             [
                 "git",
@@ -69,6 +75,8 @@ def main():
                 f"--dirty=-{dirty_tag}"
             ],
         ).decode().strip()[1:]  # remove the "v" prefix of the tag.
+    else:
+        tag = args.force_tag
     image_name_tagged = IMAGE_NAME + ":" + tag
 
     print(f"Will tag the container image as '{image_name_tagged}'")

pyproject.toml

@@ -68,8 +68,13 @@ skip_gitignore = true
 follow_links = false
 
 [tool.doit.commands.clean]
-# XXX: Change this to false if you REALLY want to clean a task's output. Else,
+# XXX: Change this to false if you REALLY want to clean your environment. Note
-# the `doit clean` comamnd will print the commands that would run instead.
+# that this command will:
+# * prune container images,
+# * clean the Git repo, and
+# * remove all tasks output
+#
+# Else, the `doit clean` comamnd will print the commands that would run instead.
 dryrun = true
 
 [tool.doit.tasks.macos_check_cert]
@@ -78,8 +83,9 @@ apple_id = "fpf@example.com"
 [tool.doit.tasks.macos_codesign]
 apple_id = "fpf@example.com"
 
-[tool.doit.tasks.build_container]
+[tool.doit.tasks.build_image]
 use_cache = false
+force_tag = ""
 
 [build-system]
 requires = ["poetry-core>=1.2.0"]