Merge pull request #7216 from freedomofpress/gha-2

Migrate deb-tests job to GitHub Actions
freedomofpress · Aug 15, 2024 · 97046f5 · 97046f5
2 parents ae36146 + e035637
commit 97046f5
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 42 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -291,42 +291,6 @@ jobs:
  - store_artifacts:
  path: ~/sd/junit
 
- deb-tests:
- machine:
- image: ubuntu-2004:current
- enabled: true
- environment:
- DOCKER_API_VERSION: 1.24
- BASE_OS: focal
- steps:
- - checkout
- - run:
- name: Build debs
- command: |
- make build-debs
- - run:
- name: Build OSSEC debs
- command: |
- make build-debs-ossec
- - run:
- name: Second round of builds
- command: |
- # TODO: use reprotest in the future
- mv build/focal build/focal-first
- make build-debs-notest
- make build-debs-ossec-notest
- mv build/focal build/focal-second
- - run:
- name: Run diffoscope
- command: |
- sha256sum build/focal-*/*.deb
- # FIXME: securedrop-app-code isn't reproducible
- for pkg in ossec-agent ossec-server securedrop-config securedrop-keyring securedrop-ossec-agent securedrop-ossec-server
- do
- echo "Checking ${pkg}..."
- ./.venv/bin/diffoscope build/focal-first/${pkg}*.deb build/focal-second/${pkg}*.deb
- done
-
 workflows:
  version: 2
  securedrop_ci:
@@ -376,10 +340,6 @@ workflows:
  context:
  - circleci-slack
  <<: *slack-fail-post-step
- - deb-tests:
- context:
- - circleci-slack
- <<: *slack-fail-post-step
 
  nightly:
  triggers:
@@ -402,5 +362,4 @@ workflows:
  only:
  - develop
  jobs:
- - deb-tests
  - translation-tests
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,61 @@
+name: Package builds
+on:
+ - merge_group
+ - push
+ - pull_request
+
+# Only build for latest push/PR unless it's main or release/
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.ref != 'refs/heads/main' && !startsWith( github.ref, 'refs/heads/release/' ) }}
+
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ build-debs:
+ strategy:
+ matrix:
+ build: [one, two]
+ runs-on: ubuntu-latest
+ outputs:
+ artifact_id: ${{ steps.upload.outputs.artifact-id }}
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-python@v5
+ with:
+ python-version: '3.8'
+ - name: Build packages
+ run: |
+ ./builder/build-debs.sh
+ WHAT=ossec ./builder/build-debs.sh
+ - uses: actions/upload-artifact@v4
+ id: upload
+ with:
+ name: build-${{ matrix.build }}
+ path: build
+ if-no-files-found: error
+
+ reproducible-debs:
+ runs-on: ubuntu-latest
+ container: debian:bookworm
+ needs:
+ - build-debs
+ steps:
+ - name: Install dependencies
+ run: |
+ apt-get update && apt-get install --yes diffoscope-minimal \
+ --no-install-recommends
+ - uses: actions/download-artifact@v4
+ with:
+ pattern: "build-*"
+ - name: diffoscope
+ run: |
+ find . -name '*.deb' -exec sha256sum {} \;
+ # FIXME: securedrop-app-code isn't reproducible
+ for pkg in ossec-agent ossec-server securedrop-config securedrop-keyring securedrop-ossec-agent securedrop-ossec-server
+ do
+ echo "Checking ${pkg}..."
+ diffoscope build-one/focal/${pkg}*.deb build-two/focal/${pkg}*.deb
+ done
diff --git a/devops/scripts/boot-strap-venv.sh b/devops/scripts/boot-strap-venv.sh
@@ -51,7 +51,7 @@ function virtualenv_bootstrap() {
  then
  p=$(command -v "python${PYTHON_VERSION}" 2> /dev/null || command -v python3)
  echo "Creating ${p} virtualenv in ${VENV}"
- virtualenv -p "${p}" "${VENV}"
+ "${p}" -m venv "${VENV}"
  fi
 
  PIP_CONSTRAINT=${DEV_CONSTRAINT} "${VENV}/bin/pip" install -q -r "securedrop/requirements/python3/develop-requirements.txt"