From 4ce00bf55505a6ccb8318d4f2c93730c2dbce78d Mon Sep 17 00:00:00 2001
From: Kunal Mehta
Date: Wed, 7 Feb 2024 15:16:11 -0500
Subject: [PATCH] WIP: Have CI run piuparts
---
 .github/workflows/build.yml | 24 ++++++++++++++++++++++
 .github/workflows/piuparts/Dockerfile | 9 ++++++++
 .github/workflows/piuparts/run-piuparts.sh | 17 +++++++++++++++
 3 files changed, 50 insertions(+)
 create mode 100644 .github/workflows/piuparts/Dockerfile
 create mode 100644 .github/workflows/piuparts/run-piuparts.sh
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 781e85df19..2c6be66b29 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -119,3 +119,27 @@ jobs:
 echo "Diffoscoping $deb"
 diffoscope build-${{ matrix.debian_version }}/$deb build2-${{ matrix.debian_version }}/$deb
 done;
+
+ piuparts:
+ strategy:
+ matrix:
+ debian_version:
+ - bullseye
+ - bookworm
+ runs-on: ubuntu-latest
+ needs:
+ - build-debs
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/download-artifact@v4
+ with:
+ pattern: "build-${{ matrix.debian_version }}"
+ - name: Run piuparts
+ run: |
+ # We need to run it as docker-in-docker
+ docker run -v "/var/lib/docker:/var/lib/docker" \
+ -v "/$(pwd)/keyring:/keyring" \
+ -v "/$(pwd)/build-${{ matrix.debian_version }}:/build" \
+ -v "/$(pwd)/.github/workflows/piuparts:/piuparts" \
+ -e DISTRO=${{ matrix.debian_version }} \
+ debian:${{ matrix.debian_version }} bash /piuparts/run-piuparts.sh
diff --git a/.github/workflows/piuparts/Dockerfile b/.github/workflows/piuparts/Dockerfile
new file mode 100644
index 0000000000..3cc2f81f24
--- /dev/null
+++ b/.github/workflows/piuparts/Dockerfile
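Review bot: Mounting the host's `/var/lib/docker` into the container (the `docker run -v "/var/lib/docker:/var/lib/docker"` line) does not give the `docker build` call in run-piuparts.sh a daemon to talk to — the CLI needs a socket, and as far as I know sharing one daemon's data root with a second Docker process is unsupported and risks corrupting the runner's image store. Presumably the intent is docker-in-docker via `-v /var/run/docker.sock:/var/run/docker.sock`; that works, but it hands the container root-equivalent control of the runner's Docker engine, which is tolerable on an ephemeral hosted runner and should be spelled out in the `# We need to run it as docker-in-docker` comment so nobody reuses the job on a persistent runner. A leaner option that avoids the privilege boundary altogether is to install piuparts on the runner itself and run `docker build` and `piuparts --docker-image` there, leaving only the package under test inside a container. As a style point, the `${{ matrix.debian_version }}` expressions interpolated directly into the `run:` script are harmless here because the matrix is fixed, but passing them through an `env:` block is the pattern that stays safe if a workflow input is ever added.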
@@ -0,0 +1,9 @@
+ARG DISTRO=bullseye
+FROM debian:$DISTRO
+
+RUN apt-get update && apt-get install -y ca-certificates
+# FIXME: Do this to fool piuparts into thinking we didn't remove /opt during
+# the package purge. Why does purging our packages not work properly?
+RUN rm -rf /opt
+# CI manifest will copy keyring into the build directory
+COPY securedrop-keyring.gpg /usr/share/keyrings
diff --git a/.github/workflows/piuparts/run-piuparts.sh b/.github/workflows/piuparts/run-piuparts.sh
new file mode 100644
index 0000000000..99bcde148d
--- /dev/null
+++ b/.github/workflows/piuparts/run-piuparts.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Runs inside the container
+apt-get update && apt-get install --yes piuparts docker.io
+
+cd /piuparts
+
+cp /keyring/securedrop-keyring.gpg .
+docker build . --build-arg DISTRO=$DISTRO -t ourimage
+
+# TODO: get workstation-viewer to pass piuparts (pulls in grsec and qubes packages)
+for pkg in client export keyring log proxy workstation-config;
+do
+ piuparts --docker-image ourimage \
+ --distribution $DISTRO \
+ --extra-repo 'deb [signed-by=/usr/share/keyrings/securedrop-keyring.gpg] https://apt.freedom.press bullseye main' \
+ build/securedrop-${pkg}*.deb
+done
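Review bot: `RUN rm -rf /opt` deletes the whole directory from the test image to work around the purge problem the FIXME describes, which also blanks out any regression piuparts would otherwise catch under /opt for every package tested against this image. piuparts can exclude a single path with `--ignore=PATH` (or a pattern with `--ignore-regex`), so passing `--ignore=/opt/<leftover-path>` from run-piuparts.sh keeps the rest of the filesystem under test and makes the known exception visible at the call site, while the root cause (a purge that leaves files behind in /opt) gets tracked instead of masked. Separately, `COPY securedrop-keyring.gpg /usr/share/keyrings` only lands in the right place because the base image already ships that directory; writing it as `COPY securedrop-keyring.gpg /usr/share/keyrings/` makes the destination unambiguously a directory rather than a file that happens to be named `keyrings`. The `apt-get install -y ca-certificates` layer should also carry `--no-install-recommends` and `&& rm -rf /var/lib/apt/lists/*` in the same RUN so the image piuparts boots stays minimal.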
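Review bot: The `--extra-repo` line hard-codes `bullseye` while `--distribution $DISTRO` follows the bullseye/bookworm matrix, so the bookworm leg tests the packages against the bullseye apt suite; it should read `--extra-repo "deb [signed-by=/usr/share/keyrings/securedrop-keyring.gpg] https://apt.freedom.press $DISTRO main" \` (assuming the repository publishes a matching bookworm suite). The script has no `set -e`, so a failed `cp`, `docker build` or any piuparts run other than the last one does not fail the job — the exit status is that of the final loop iteration only; add `set -euo pipefail` directly under the shebang. After `cd /piuparts`, the relative `build/securedrop-${pkg}*.deb` resolves to `/piuparts/build/`, which is the mounted workflow directory and not the `/build` mount from the workflow, so it should be `/build/securedrop-${pkg}*.deb`. The `apt-get install --yes piuparts docker.io` line would also benefit from `--no-install-recommends`, since docker.io pulls in a large recommends set that this one-shot container never uses.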