From 49ef23dbc1a15655c23682844c51380f3f670f89 Mon Sep 17 00:00:00 2001
From: Kunal Mehta <legoktm@debian.org>
Date: Fri, 23 Feb 2024 15:20:33 -0500
Subject: [PATCH] Push our own nightlies to securedrop-yum-test

Take this responsibility over from securedrop-builder.

Refs <https://github.com/freedomofpress/securedrop-builder/issues/482>.
---
 .github/workflows/nightlies.yml | 69 +++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 .github/workflows/nightlies.yml

diff --git a/.github/workflows/nightlies.yml b/.github/workflows/nightlies.yml
new file mode 100644
index 00000000..72530a18
--- /dev/null
+++ b/.github/workflows/nightlies.yml
@@ -0,0 +1,69 @@
+name: Nightlies
+on:
+  schedule:
+    - cron: "0 6 * * *"
+  push:
+    branches:
+      - main
+
+# Only allow one job to run at a time because we're pushing to git repos;
+# the string value doesn't matter, just that it's a fixed string.
+  concurrency:
+    group: "just-one-please"
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  build-rpm:
+    runs-on: ubuntu-latest
+    container:
+      image: registry.fedoraproject.org/fedora:37
+    steps:
+      - run: dnf install -y make git
+      - uses: actions/checkout@v4
+      - name: Install dependencies
+        run: make install-deps
+      - name: Build RPM
+        run: |
+          git config --global --add safe.directory '*'
+          # Version format is "${VERSION}-0.YYYYMMDDHHMMSS.fXX", which sorts lower than "${VERSION}-1"
+          rpmdev-bumpspec --new="$(cat VERSION)-0.$(date +%Y%m%d%H%M%S)%{?dist}" rpm-build/SPECS/*.spec
+          make build-rpm
+      - uses: actions/upload-artifact@v4
+        id: upload
+        with:
+          name: rpm-build
+          path: rpm-build/RPMS/noarch/*.rpm
+          if-no-files-found: error
+
+  commit-and-push:
+    runs-on: ubuntu-latest
+    container: debian:bookworm
+    needs:
+      - build-rpm
+    steps:
+      - name: Install dependencies
+        run: |
+          apt-get update && apt-get install --yes git git-lfs
+      - uses: actions/download-artifact@v4
+        with:
+          pattern: "*"
+      - uses: actions/checkout@v4
+        with:
+          repository: "freedomofpress/securedrop-yum-test"
+          path: "securedrop-yum-test"
+          lfs: true
+          token: ${{ secrets.PUSH_TOKEN }}
+      - name: Commit and push
+        run: |
+          git config --global user.email "securedrop@freedom.press"
+          git config --global user.name "sdcibot"
+          # Now the packages themselves
+          cd ../securedrop-yum-test
+          mkdir -p workstation/dom0/f37-nightlies
+          cp -v /rpm-build/*.rpm workstation/dom0/f37-nightlies/
+          git add .
+          git diff-index --quiet HEAD || git commit -m "Automated SecureDrop workstation build"
+          git push origin main