From a7fbc9264c0003bee7fda015d703558306ce82f1 Mon Sep 17 00:00:00 2001
From: Kunal Mehta <legoktm@debian.org>
Date: Mon, 5 Feb 2024 11:19:21 -0500
Subject: [PATCH] WIP: nightlies

---
 .github/workflows/nightlies.yml | 69 +++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 .github/workflows/nightlies.yml

diff --git a/.github/workflows/nightlies.yml b/.github/workflows/nightlies.yml
new file mode 100644
index 0000000000..562fc88e9d
--- /dev/null
+++ b/.github/workflows/nightlies.yml
@@ -0,0 +1,69 @@
+name: Nightlies
+on:
+  push:
+#  schedule:
+#    - cron: "0 0 * * *"
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  build-debs:
+    strategy:
+      matrix:
+        debian_version:
+          - bullseye
+          - bookworm
+    runs-on: ubuntu-latest
+    # We only run dch/podman in this container, so it's fine to run all in bookworm
+    container: debian:bookworm
+    outputs:
+      artifact_id: ${{ steps.upload.outputs.artifact-id }}
+    steps:
+      - name: Install dependencies
+        run: |
+          apt-get update && apt-get install --yes devscripts podman git git-lfs
+      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+        with:
+          repository: "freedomofpress/securedrop-builder"
+          path: "securedrop-builder"
+          lfs: true
+      - name: Build packages
+        run: |
+          CURRENT_VERSION=$(dpkg-parsechangelog -S Version)
+          VERSION_TO_BUILD="$CURRENT_VERSION.dev$(date +%Y%m%d%H%M%S)"
+          dch --distribution unstable --newversion $VERSION_TO_BUILD+buster "This is an automated build."
+          DEBIAN_VERSION=${{ matrix.debian_version }} BUILDER=securedrop-builder ./scripts/build-debs.sh
+      - uses: actions/upload-artifact@v4
+        id: upload
+        with:
+          name: build-${{ matrix.debian_version }}
+          path: build
+          if-no-files-found: error
+
+  reproducible-debs:
+    runs-on: ubuntu-latest
+    container: debian:bookworm
+    needs:
+      - build-debs
+    steps:
+      - name: Install dependencies
+        run: |
+          apt-get update && apt-get install --yes git git-lfs
+      - uses: actions/download-artifact@v4
+        with:
+          pattern: "*${{ matrix.debian_version }}"
+      - uses: actions/checkout@v4
+        with:
+          repository: "freedomofpress/securedrop-apt-test"
+          path: "securedrop-apt-test"
+          lfs: true
+      - name: Commit and push
+        run: |
+          cd securedrop-apt-test
+          mv -v ../build-bullseye/*.deb workstation/bullseye-nightlies/
+          mv -v ../build-bookworm/*.deb workstation/bookworm-nightlies/
+          git add .
+          git commit -m "Automated SecureDrop workstation build"