Merge 2ba247e09c into 32deea10c4

Previously, the actions were duplicated, due to the fact when developing
we often create feature branches and open pull requests.

This new setup requires us to open pull requests to trigger the CI.

.github/workflows/build.yml

@@ -1,6 +1,6 @@
 name: Build dev environments
 on:
-  push:
+  pull_request:
   schedule:
     - cron: "0 0 * * *" # Run every day at 00:00 UTC.
 

.github/workflows/check_push.yml

@@ -1,6 +1,6 @@
 name: Check branch conformity
 on:
-  push:
+  pull_request:
 
 jobs:
   prevent-fixup-commits:

.github/workflows/ci.yml

@@ -1,8 +1,9 @@
 name: Tests
 on:
   push:
+    branches:
+      - main
   pull_request:
-    branches: [main]
   schedule:
     - cron: "2 0 * * *" # Run every day at 02:00 UTC.
   workflow_dispatch:
@@ -24,7 +25,24 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  should-run:
+    runs-on: ubuntu-latest
+    outputs:
+      run-workflow: ${{ steps.check.outputs.run-workflow }}
+    steps:
+      - id: check
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            echo "run-workflow=true" >> $GITHUB_OUTPUT
+          elif [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" != "refs/heads/main" ]]; then
+            echo "run-workflow=true" >> $GITHUB_OUTPUT
+          else
+            echo "run-workflow=false" >> $GITHUB_OUTPUT
+          fi
+
   run-lint:
+    needs: should-run
+    if: needs.should-run.outputs.run-workflow == 'true'
     runs-on: ubuntu-latest
     container:
       image: debian:bookworm
@@ -43,6 +61,8 @@ jobs:
   # This is already built daily by the "build.yml" file
   # But we also want to include this in the checks that run on each push.
   build-container-image:
+    needs: should-run
+    if: needs.should-run.outputs.run-workflow == 'true'
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v4
@@ -67,6 +87,8 @@ jobs:
           python3 ./install/common/build-image.py
 
   download-tessdata:
+    needs: should-run
+    if: needs.should-run.outputs.run-workflow == 'true'
     name: Download and cache Tesseract data
     runs-on: ubuntu-latest
     steps:
@@ -91,7 +113,10 @@ jobs:
 
   windows:
     runs-on: windows-latest
-    needs: download-tessdata
+    needs:
+      - download-tessdata
+      - should-run
+    if: needs.should-run.outputs.run-workflow == 'true'
     env:
       DUMMY_CONVERSION: 1
     steps:
@@ -121,7 +146,10 @@ jobs:
   macOS:
     name: "macOS (${{ matrix.arch }})"
     runs-on: ${{ matrix.runner }}
-    needs: download-tessdata
+    needs:
+      - download-tessdata
+      - should-run
+    if: needs.should-run.outputs.run-workflow == 'true'
     strategy:
       matrix:
         include:
@@ -149,9 +177,12 @@ jobs:
         run: poetry run make test
 
   build-deb:
+    needs:
+      - should-run
+      - build-container-image
+    if: needs.should-run.outputs.run-workflow == 'true'
     name: "build-deb (${{ matrix.distro }} ${{ matrix.version }})"
     runs-on: ubuntu-latest
-    needs: build-container-image
     strategy:
       matrix:
         include:
@@ -219,7 +250,10 @@ jobs:
   install-deb:
     name: "install-deb (${{ matrix.distro }} ${{ matrix.version }})"
     runs-on: ubuntu-latest
-    needs: build-deb
+    needs: 
+      - build-deb
+      - should-run
+    if: needs.should-run.outputs.run-workflow == 'true'
     strategy:
       matrix:
         include:
@@ -273,7 +307,10 @@ jobs:
   build-install-rpm:
     name: "build-install-rpm (${{ matrix.distro }} ${{matrix.version}})"
     runs-on: ubuntu-latest
-    needs: build-container-image
+    needs:
+      - build-container-image
+      - should-run
+    if: needs.should-run.outputs.run-workflow == 'true'
     strategy:
       matrix:
         distro: ["fedora"]
@@ -339,6 +376,8 @@ jobs:
     needs:
       - build-container-image
       - download-tessdata
+      - should-run
+    if: needs.should-run.outputs.run-workflow == 'true'
     strategy:
       matrix:
         include:

.github/workflows/scan.yml

@@ -1,8 +1,9 @@
 name: Scan latest app and container
 on:
   push:
+    branches:
+      - main
   pull_request:
-    branches: [ main ]
   schedule:
     - cron: '0 0 * * *' # Run every day at 00:00 UTC.
   workflow_dispatch:

.github/workflows/scan_released.yml

@@ -13,7 +13,7 @@ jobs:
       - name: Download container image for the latest release
         run: |
           VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | jq -r '.tag_name')
-          wget https://github.com/freedomofpress/dangerzone/releases/download/${VERSION}/container.tar.gz
+          wget https://github.com/freedomofpress/dangerzone/releases/download/${VERSION}/container-${VERSION}-i686.tar.gz -O container.tar.gz
       - name: Load container image
         run: docker load -i container.tar.gz
       # NOTE: Scan first without failing, else we won't be able to read the scan

INSTALL.md

@@ -289,7 +289,7 @@ Our [GitHub Releases page](https://github.com/freedomofpress/dangerzone/releases
 hosts the following files:
 * Windows installer (`Dangerzone-<version>.msi`)
 * macOS archives (`Dangerzone-<version>-<arch>.dmg`)
-* Container image (`container.tar.gz`)
+* Container images (`container-<version>-<arch>.tar.gz`)
 * Source package (`dangerzone-<version>.tar.gz`)
 
 All these files are accompanied by signatures (as `.asc` files). We'll explain
@@ -314,10 +314,10 @@ gpg --verify Dangerzone-0.6.1-arm64.dmg.asc Dangerzone-0.6.1-arm64.dmg
 gpg --verify Dangerzone-0.6.1-i686.dmg.asc Dangerzone-0.6.1-i686.dmg
 ```
 
-For the container image:
+For the container images:
 
 ```
-gpg --verify container.tar.gz.asc container.tar.gz
+gpg --verify container-0.6.1-i686.tar.gz.asc container-0.6.1-i686.tar.gz
 ```
 
 For the source package:

RELEASE.md

@@ -285,6 +285,11 @@ Once we are confident that the release will be out shortly, and doesn't need any
   * You can verify the correct Python version is used with `poetry debug info`
 - [ ] Verify and checkout the git tag for this release
 - [ ] Run `poetry install --sync`
+- [ ] On the silicon mac, build the container image:
+  ```
+  python3 ./install/common/build-image.py
+  ```
+  Then copy the `share/container.tar.gz` to the assets folder on `dangerzone-$VERSION-arm64.tar.gz`, along with the `share/image-id.txt` file.
 - [ ] Run `poetry run ./install/macos/build-app.py`; this will make `dist/Dangerzone.app`
 - [ ] Make sure that the build application works with the containerd graph
   driver (see [#933](https://github.com/freedomofpress/dangerzone/issues/933))
@@ -403,6 +408,8 @@ Build the latest container:
 python3 ./install/common/build-image.py
 ```
 
+Copy the container image to the assets folder on `dangerzone-$VERSION-i686.tar.gz`.
+
 Create a .rpm:
 
 ```sh
@@ -449,9 +456,9 @@ To publish the release:
   * Copy the release notes text from the template at [`docs/templates/release-notes`](https://github.com/freedomofpress/dangerzone/tree/main/docs/templates/)
   * You can use `./dev_scripts/upload-asset.py`, if you want to upload an asset
     using an access token.
-- [ ] Upload the `container.tar.gz` i686 image that was created in the previous step
+- [ ] Upload the `container-$VERSION-i686.tar.gz` and `container-$VERSION-arm64.tar.gz` images that were created in the previous step
 
-  **Important:** Make sure that it's the same container image as the ones that
+  **Important:** Make sure that it's the same container images as the ones that
   are shipped in other platforms (see our [Pre-release](#Pre-release) section)
 
 - [ ] Upload the detached signatures (.asc) and checksum file.

debian/changelog

@@ -1,3 +1,9 @@
+dangerzone (0.8.0) unstable; urgency=low
+
+  * Released Dangerzone 0.8.0
+
+ -- Freedom of the Press Foundation   <info@freedom.press>  Tue, 30 Oct 2024 01:56:28 +0300
+
 dangerzone (0.7.1) unstable; urgency=low
 
   * Released Dangerzone 0.7.1

dev_scripts/sign-assets.py

@@ -11,7 +11,8 @@ log = logging.getLogger(__name__)
 
 
 DZ_ASSETS = [
-    "container.tar.gz",
+    "container-{version}-i686.tar.gz",
+    "container-{version}-arm64.tar.gz",
     "Dangerzone-{version}.msi",
     "Dangerzone-{version}-arm64.dmg",
     "Dangerzone-{version}-i686.dmg",

install/linux/dangerzone.spec

@@ -32,7 +32,7 @@ Name:           dangerzone-qubes
 Name:           dangerzone
 %endif
 
-Version:        0.7.1
+Version:        0.8.0
 Release:        1%{?dist}
 Summary:        Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs
 

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "dangerzone"
-version = "0.7.1"
+version = "0.8.0"
 description = "Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs"
 authors = ["Freedom of the Press Foundation <info@freedom.press>", "Micah Lee <micah.lee@theintercept.com>"]
 license = "AGPL-3.0"

share/version.txt

@@ -1 +1 @@
-0.7.1
+0.8.0