-
Notifications
You must be signed in to change notification settings - Fork 42
93 lines (89 loc) · 2.83 KB
/
nightlies.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
name: Nightlies
on:
schedule:
- cron: "0 6 * * *"
push:
branches:
- main
# Only allow one job to run at a time because we're pushing to git repos;
# the string value doesn't matter, just that it's a fixed string.
concurrency:
group: "just-one-please"
defaults:
run:
shell: bash
jobs:
build-debs:
strategy:
fail-fast: false
matrix:
debian_version:
- bookworm
runs-on: ubuntu-latest
outputs:
artifact_id: ${{ steps.upload.outputs.artifact-id }}
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/checkout@v4
with:
persist-credentials: false
repository: "freedomofpress/securedrop-builder"
path: "securedrop-builder"
lfs: true
- name: Build packages
run: |
git config --global --add safe.directory '*'
NIGHTLY=1 DEBIAN_VERSION=${{ matrix.debian_version }} BUILDER=securedrop-builder \
./scripts/build-debs.sh
- uses: actions/upload-artifact@v4
id: upload
with:
name: build-${{ matrix.debian_version }}
path: build
if-no-files-found: error
commit-and-push:
runs-on: ubuntu-latest
container: debian:bookworm
needs:
- build-debs
steps:
- name: Install dependencies
run: |
apt-get update && apt-get install --yes git git-lfs
- uses: actions/download-artifact@v4
with:
pattern: "*${{ matrix.debian_version }}"
- uses: actions/checkout@v4
with:
# We need to store credentials here
persist-credentials: true
repository: "freedomofpress/securedrop-apt-test"
path: "securedrop-apt-test"
lfs: true
token: ${{ secrets.PUSH_TOKEN }}
- uses: actions/checkout@v4
with:
# We need to store credentials here
persist-credentials: true
repository: "freedomofpress/build-logs"
path: "build-logs"
token: ${{ secrets.PUSH_TOKEN }}
- name: Commit and push
run: |
git config --global user.email "securedrop@freedom.press"
git config --global user.name "sdcibot"
# First publish buildinfo files
cd build-logs
mkdir -p "buildinfo/$(date +%Y)"
cp -v ../build-*/*.buildinfo "buildinfo/$(date +%Y)"
git add .
git diff-index --quiet HEAD || git commit -m "Publishing buildinfo files for workstation nightlies"
git push origin main
# Now the packages themselves
cd ../securedrop-apt-test
cp -v ../build-bookworm/*.deb workstation/bookworm-nightlies/
git add .
git diff-index --quiet HEAD || git commit -m "Automated SecureDrop workstation build"
git push origin main