Merge 6c8a75732e into dfcb74b427

Update our `RELEASE.md` so that we don't forget to bump the download
links in `INSTALL.md` prior to tagging a release. This way, we won't
have a versioned `INSTALL.md` page pointing to an older download link.

Note that this means that the latest version of the `INSTALL.md` page
will point to a broken link, in the short period of time between the
pre-release and the actual release. That's not an issue in our case,
because we don't point to the latest version of our `INSTALL.md` from
our `README.md`. We use versioned links instead, and thus we minimize
the chance that a user may encounter a broken link.

Fixes #1100

.github/workflows/build-push-image.yml

@@ -209,7 +209,7 @@ jobs:
       actions: read # for detecting the Github Actions environment.
       id-token: write # for creating OIDC tokens for signing.
       packages: write # for uploading attestations.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
     with:
       digest: ${{ needs.merge.outputs[format('digest_{0}', matrix.manifest_type)] }}
       image: ${{ needs.merge.outputs.image }}

.github/workflows/check_pr.yml

@@ -1,6 +1,7 @@
 name: Check branch conformity
 on:
   pull_request:
+    types: ["opened", "labeled", "unlabeled", "reopened", "synchronize"]
 
 jobs:
   prevent-fixup-commits:
@@ -20,17 +21,10 @@ jobs:
 
   check-changelog:
     runs-on: ubuntu-latest
+    name: Ensure CHANGELOG.md is populated for user-visible changes
     steps:
-      - name: Checkout code
+      # Pin the GitHub action to a specific commit that we have audited and know
-        uses: actions/checkout@v4
+      # how it works.
+      - uses: tarides/changelog-check-action@509965da3b8ac786a5e2da30c2ccf9661189121f
         with:
-          fetch-depth: 0
+          changelog: CHANGELOG.md
-      - name: ensure CHANGELOG.md is populated
-        env:
-          BASE_REF: ${{ github.event.pull_request.base.ref }}
-        shell: bash
-        run: |
-          if git diff --exit-code "origin/${BASE_REF}" -- CHANGELOG.md; then
-              echo "::error::No CHANGELOG.md modifications were found in this pull request."
-              return -1;
-          fi

CHANGELOG.md

@@ -38,6 +38,10 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or
 
 - Platform support: Drop support for Fedora 39, since it's end-of-life ([#999](https://github.com/freedomofpress/dangerzone/pull/999))
 
+## Updated
+
+- Bump `slsa-framework/slsa-github-generator` from 2.0.0 to 2.1.0 ([#1109](https://github.com/freedomofpress/dangerzone/pull/1109))
+
 ### Development changes
 
   Thanks [@jkarasti](https://github.com/jkarasti) for the contribution.

RELEASE.md

@@ -17,6 +17,7 @@ Here is a list of tasks that should be done before issuing the release:
 - [ ] Bump the Debian version by adding a new changelog entry in `debian/changelog`
 - [ ] [Bump the minimum Docker Desktop versions](https://github.com/freedomofpress/dangerzone/blob/main/RELEASE.md#bump-the-minimum-docker-desktop-version) in `isolation_provider/container.py`
 - [ ] Bump the dates and versions in the `Dockerfile`
+- [ ] Update the download links in our `INSTALL.md` page to point to the new version (the download links will be populated after the release)
 - [ ] Update screenshot in `README.md`, if necessary
 - [ ] CHANGELOG.md should be updated to include a list of all major changes since the last release
 - [ ] A draft release should be created. Copy the release notes text from the template at [`docs/templates/release-notes`](https://github.com/freedomofpress/dangerzone/tree/main/docs/templates/)
@@ -340,7 +341,7 @@ To publish the release, you can follow these steps:
 
 - [ ] Update the [Dangerzone website](https://github.com/freedomofpress/dangerzone.rocks) to link to the new installers.
 - [ ] Update the brew cask release of Dangerzone with a [PR like this one](https://github.com/Homebrew/homebrew-cask/pull/116319)
-- [ ] Update version and download links in `README.md`
+- [ ] Update version and links to our installation instructions (`INSTALL.md`) in `README.md`
 
 ## Post-release
 

dangerzone/cli.py

@@ -11,6 +11,7 @@ from .isolation_provider.container import Container
 from .isolation_provider.dummy import Dummy
 from .isolation_provider.qubes import Qubes, is_qubes_native_conversion
 from .logic import DangerzoneCore
+from .settings import Settings
 from .util import get_version, replace_control_chars
 
 
@@ -48,6 +49,11 @@ def print_header(s: str) -> None:
     flag_value=True,
     help="Run Dangerzone in debug mode, to get logs from gVisor.",
 )
+@click.option(
+    "--set-container-runtime",
+    required=False,
+    help="The path to the container runtime you want to set in the settings",
+)
 @click.version_option(version=get_version(), message="%(version)s")
 @errors.handle_document_errors
 def cli_main(
@@ -57,8 +63,14 @@ def cli_main(
     archive: bool,
     dummy_conversion: bool,
     debug: bool,
+    set_container_runtime: Optional[str] = None,
 ) -> None:
     setup_logging()
+    display_banner()
+    if set_container_runtime:
+        settings = Settings()
+        settings.set("container_runtime", set_container_runtime, autosave=True)
+        click.echo(f"Set the settings container_runtime to {set_container_runtime}")
 
     if getattr(sys, "dangerzone_dev", False) and dummy_conversion:
         dangerzone = DangerzoneCore(Dummy())
@@ -67,7 +79,6 @@ def cli_main(
     else:
         dangerzone = DangerzoneCore(Container(debug=debug))
 
-    display_banner()
     if len(filenames) == 1 and output_filename:
         dangerzone.add_document_from_filename(filenames[0], output_filename, archive)
     elif len(filenames) > 1 and output_filename:
@@ -320,4 +331,10 @@ def display_banner() -> None:
         + Style.DIM
         + "│"
     )
-    print(Back.BLACK + Fore.YELLOW + Style.DIM + "╰──────────────────────────╯")
+    print(
+        Back.BLACK
+        + Fore.YELLOW
+        + Style.DIM
+        + "╰──────────────────────────╯"
+        + Style.RESET_ALL
+    )

dangerzone/container_utils.py

@@ -21,6 +21,8 @@ class Runtime(object):
 
         if settings.custom_runtime_specified():
             self.path = Path(settings.get("container_runtime"))
+            if not self.path.exists():
+                raise errors.UnsupportedContainerRuntime(self.path)
             self.name = self.path.stem
         else:
             self.name = self.get_default_runtime_name()
@@ -29,6 +31,9 @@ class Runtime(object):
                 raise errors.NoContainerTechException(self.name)
             self.path = Path(binary_path)
 
+        if self.name not in ("podman", "docker"):
+            raise errors.UnsupportedContainerRuntime(self.name)
+
     @staticmethod
     def get_default_runtime_name() -> str:
         return "podman" if platform.system() == "Linux" else "docker"

dangerzone/errors.py

@@ -140,3 +140,7 @@ class NotAvailableContainerTechException(Exception):
         self.error = error
         self.container_tech = container_tech
         super().__init__(f"{container_tech} is not available")
+
+
+class UnsupportedContainerRuntime(Exception):
+    pass

tests/test_container_utils.py

@@ -1,20 +1,21 @@
 from pathlib import Path
 
+import pytest
 from pytest_mock import MockerFixture
 
+from dangerzone import errors
 from dangerzone.container_utils import Runtime
 from dangerzone.settings import Settings
 
 
 def test_get_runtime_name_from_settings(mocker: MockerFixture, tmp_path: Path) -> None:
     mocker.patch("dangerzone.settings.get_config_dir", return_value=tmp_path)
+    mocker.patch("dangerzone.container_utils.Path.exists", return_value=True)
 
     settings = Settings()
-    settings.set(
+    settings.set("container_runtime", "/opt/somewhere/docker", autosave=True)
-        "container_runtime", "/opt/somewhere/new-kid-on-the-block", autosave=True
-    )
 
-    assert Runtime().name == "new-kid-on-the-block"
+    assert Runtime().name == "docker"
 
 
 def test_get_runtime_name_linux(mocker: MockerFixture, tmp_path: Path) -> None:
@@ -46,3 +47,14 @@ def test_get_runtime_name_non_linux(mocker: MockerFixture, tmp_path: Path) -> No
     assert runtime.name == "docker"
     assert runtime.path == Path("/usr/bin/docker")
     assert Runtime().name == "docker"
+
+
+def test_get_unsupported_runtime_name(mocker: MockerFixture, tmp_path: Path) -> None:
+    mocker.patch("dangerzone.settings.get_config_dir", return_value=tmp_path)
+    settings = Settings()
+    settings.set(
+        "container_runtime", "/opt/somewhere/new-kid-on-the-block", autosave=True
+    )
+
+    with pytest.raises(errors.UnsupportedContainerRuntime):
+        assert Runtime().name == "new-kid-on-the-block"