Tor package updates #72
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Tor package updates | |
| on: | |
| schedule: | |
| - cron: "0 7 * * *" | |
| jobs: | |
| check-for-tor-updates: | |
| runs-on: ubuntu-latest | |
| container: debian:bookworm | |
| env: | |
| # This token is used by the issue generation script to open an issue | |
| # in the SecureDrop repository via the `gh` CLI (hence GH_TOKEN). | |
| # It is distinct from the PUSH_TOKEN, which is used for `git` | |
| # commands. | |
| GH_TOKEN: ${{ secrets.ISSUES_TOKEN }} | |
| steps: | |
| - name: Install dependencies | |
| run: | | |
| apt-get update && apt-get install --yes reprepro ca-certificates dctrl-tools \ | |
| git git-lfs openssh-client python3 gh | |
| - uses: actions/checkout@v4 | |
| with: | |
| lfs: true | |
| # This token is required to push to the protected `main` branch. | |
| token: ${{ secrets.PUSH_TOKEN }} | |
| - name: Check for and commit Tor package updates | |
| run: | | |
| git config --global --add safe.directory '*' | |
| git config user.email "securedrop@freedom.press" | |
| git config user.name "sdcibot" | |
| # Import the Tor repo signing key | |
| gpg --import repo/conf/updates-keys/*.gpg | |
| # Run reprepro update, skip export since we just want the debs (and we don't have | |
| # the repo signing key anyways) | |
| REPREPRO_BASE_DIR=repo reprepro --export=never update | |
| # Move the new packages over, intentionally leaving the old ones around | |
| mv repo/pool/main/t/tor/*.deb core/focal/ | |
| git add core/focal/*.deb | |
| # If there are changes, diff-index will fail, so we commit and push | |
| git diff-index --quiet HEAD || (git commit -m "Automatically updating Tor packages" \ | |
| && git push origin main && ./scripts/new-tor-issue) |