WIP: Have CI run piuparts

freedomofpress · Feb 7, 2024 · ffd086c · ffd086c
1 parent e3c61d3
commit ffd086c
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 0 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -119,3 +119,27 @@ jobs:
             echo "Diffoscoping $deb"
             diffoscope build-${{ matrix.debian_version }}/$deb build2-${{ matrix.debian_version }}/$deb
           done;
+
+  piuparts:
+    strategy:
+      matrix:
+        debian_version:
+          - bullseye
+          - bookworm
+    runs-on: ubuntu-latest
+    needs:
+      - build-debs
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/download-artifact@v4
+        with:
+          pattern: "build-${{ matrix.debian_version }}"
+      - name: Run piuparts
+        run: |
+          # We need to run it as docker-in-docker
+          docker run -v "/var/lib/docker:/var/lib/docker" \
+            -v keyring:/keyring \
+            -v build-${{ matrix.debian_version }}:/build \
+            -v .github/workflows/piuparts:/piuparts \
+            -e DISTRO=${{ matrix.debian_version }} \
+            debian:${{ matrix.debian_version }} bash /piuparts/run-piuparts.sh
diff --git a/.github/workflows/piuparts/Dockerfile b/.github/workflows/piuparts/Dockerfile
@@ -0,0 +1,9 @@
+ARG DISTRO=bullseye
+FROM debian:$DISTRO
+
+RUN apt-get update && apt-get install -y ca-certificates
+# FIXME: Do this to fool piuparts into thinking we didn't remove /opt during
+# the package purge. Why does purging our packages not work properly?
+RUN rm -rf /opt
+# CI manifest will copy keyring into the build directory
+COPY securedrop-keyring.gpg /usr/share/keyrings
diff --git a/.github/workflows/piuparts/run-piuparts.sh b/.github/workflows/piuparts/run-piuparts.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Runs inside the container
+apt-get update && apt-get install --yes piuparts docker.io
+
+cd /piuparts
+
+cp /keyring/securedrop-keyring.gpg .
+docker build . --build-arg DISTRO=$DISTRO -t ourimage
+
+# TODO: get workstation-viewer to pass piuparts (pulls in grsec and qubes packages)
+for pkg in client export keyring log proxy workstation-config;
+do
+    piuparts --docker-image ourimage \
+        --distribution $DISTRO \
+        --extra-repo 'deb [signed-by=/usr/share/keyrings/securedrop-keyring.gpg] https://apt.freedom.press bullseye main' \
+        build/securedrop-${pkg}*.deb
+done