Migrate this repository to GitHub Actions #482

Closed
7 tasks done
legoktm opened this issue Jan 9, 2024 · 5 comments · Fixed by #496

@legoktm
Member

legoktm commented Jan 9, 2024

Take the opportunity to split up what's done into the respective repositories:

@eloquence
Member

Per Kunal's suggestion I'm going to try to help get this over the finish line. I'll start with this one:

reprepro-update-tor should be moved to securedrop or securedrop-apt-test

I think securedrop-apt-test makes the most sense here, given that this is where the artifacts are committed.

If I understand the previous work that led to freedomofpress/securedrop-apt-test#216 correctly, I should be able to re-use secrets.PUSH_TOKEN to run a schedule-triggered job that performs the commit if needed. I'll take a stab at that, but please chime in if I'm missing something.

@legoktm
Member Author

legoktm commented Mar 19, 2024

Yep, that should work. That job also creates/comments on an issue in the server repo, so you'll probably want to check that the token has that permission as well.

@eloquence
Member

OK, I was able to create a test issue (in a private repo) via a dedicated PAT (issues read/write + code read + metadata read were all required for gh to work). No other method (e.g. GITHUB_TOKEN + permissions) seemed to work for cross-repo stuff. I don't see a way to have a PAT have different permissions for different repos (make issues in securedrop, push code in securedrop-apt-test), so I think we may have to switch tokens for those operations.

I'll continue to test with the private sandbox repo next week, pointers always appreciated :)

@legoktm
Member Author

legoktm commented Mar 22, 2024

I think having two separate PATs will be fine, we already have one named PUSH_TOKEN so another one named ISSUE_TOKEN or w/e seems fine.

@eloquence
Member

Also have a clean-old-packages job in securedrop-yum-test

Planning out the next steps:

  1. At a high level, building/pushing nightlies will live in securedrop-workstation, while cleaning them up will live in securedrop-yum-test, similar to https://github.com/freedomofpress/securedrop-apt-test/blob/main/.github/workflows/cleanup.yml for securedrop-apt-test
  2. Therefore, we'll want to split out the cleanup portion of

         # Copy the new packages over and cleanup the old ones
         cp -v /tmp/workspace/*.rpm workstation/dom0/f32-nightlies/
         ~/project/scripts/clean-old-packages workstation/dom0/f32-nightlies 7
         git add .
         # If there are changes, diff-index will fail, so we commit
         git diff-index --quiet HEAD || git commit -m "Automated SecureDrop workstation build"
         # And clean up non-nightly packages too
         ~/project/scripts/clean-old-packages workstation/dom0/f32 4
         git add .
         git diff-index --quiet HEAD || git commit -m "Cleanup old packages"

     and turn it into a GHA workflow in securedrop-yum-test
  3. Because main is branch-protected, we'll again need to generate a PAT, which we'll call PUSH_TOKEN for consistency.
  4. We'll have a parallel PR in securedrop-builder to remove the CircleCI cleanup code. This also removes the need for scripts/clean-old-packages to remain in this repository. An RPM-only version of the script will be migrated to securedrop-yum-test.

Starting to poke, but will get on it (and maybe the build/push portion) more tomorrow, as always please don't hesitate to chime in if I'm misunderstanding anything :)
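
The cleanup workflow planned in the steps above, sketched as an added example; it is not the project's actual workflow. The cron time, the bot identity and the `scripts/clean-old-packages` path inside securedrop-yum-test are assumptions, while the directory arguments and the `PUSH_TOKEN` secret name come from the thread.

```yaml
# Added example (not the project's workflow): scheduled cleanup for securedrop-yum-test.
name: Cleanup old packages

on:
  schedule:
    - cron: "0 6 * * *"      # assumed time; any daily slot works
  workflow_dispatch: {}       # allow manual runs while testing

# Give the default GITHUB_TOKEN no permissions at all.
# The only credential this job uses is the PAT passed to checkout below.
permissions: {}

jobs:
  cleanup:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # PAT stored as a repository secret; used instead of GITHUB_TOKEN
          # because main is branch-protected. checkout persists it for git push.
          token: ${{ secrets.PUSH_TOKEN }}

      - name: Remove old nightlies and old non-nightly packages
        run: |
          # Assumed location of the migrated RPM-only script.
          ./scripts/clean-old-packages workstation/dom0/f32-nightlies 7
          ./scripts/clean-old-packages workstation/dom0/f32 4

      - name: Commit and push only if something changed
        run: |
          git config user.name "cleanup-bot"                  # assumed identity
          git config user.email "cleanup-bot@example.invalid" # assumed identity
          git add .
          # diff-index exits non-zero when the index differs from HEAD
          if ! git diff-index --quiet HEAD; then
            git commit -m "Cleanup old packages"
            git push origin HEAD:main
          fi
```

Keeping `PUSH_TOKEN` limited to this one repository, and using a separate token for cross-repo issue creation as discussed earlier in the thread, means a leak of either secret exposes only one capability.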

legoktm added a commit to freedomofpress/securedrop-workstation that referenced this issue Apr 11, 2024
Take this responsibility over from securedrop-builder.

Refs <freedomofpress/securedrop-builder#482>.
legoktm added a commit to freedomofpress/securedrop-workstation that referenced this issue Apr 12, 2024
Take this responsibility over from securedrop-builder.

Refs <freedomofpress/securedrop-builder#482>.