[WIP] Switch update Tor logic to GHA

freedomofpress · Mar 22, 2024 · 01d281d · 01d281d
1 parent 8b6e2c5
commit 01d281d
Show file tree

Hide file tree

Showing 3 changed files with 140 additions and 0 deletions.
diff --git a/.github/workflows/create-issue-test.yml b/.github/workflows/create-issue-test.yml
@@ -0,0 +1,23 @@
+name: Create issue in sandbox repo
+on: [pull_request]
+
+jobs:
+    buildinfo:
+        runs-on: ubuntu-latest
+        container: debian:bullseye-backports
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        permissions:
+          issues: write
+        steps:
+            - name: Install dependencies
+              run: |
+                apt-get update && apt-get install --yes python3 gh git git-lfs
+            - uses: actions/checkout@v4
+              with:
+                lfs: true
+                fetch-depth: 0
+            - name: Create issue in sandbox repo
+              run: |
+                git config --global --add safe.directory '*'
+                ./scripts/new-tor-issue
diff --git a/.github/workflows/update-tor.yml b/.github/workflows/update-tor.yml
@@ -0,0 +1,44 @@
+# name: Check for and commit Tor package updates
+# # TODO: Switch to nightly
+# on: [pull_request]
+
+# jobs:
+#     buildinfo:
+#         runs-on: ubuntu-latest
+#         container: debian:bullseye-backports
+#         env:
+#           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+#         permissions:
+#           issues: write
+#         steps:
+#             - name: Install dependencies
+#               run: |
+#                 apt-get update && apt-get install --yes reprepro ca-certificates dctrl-tools \
+#                   git git-lfs openssh-client python3 gh
+#             - uses: actions/checkout@v4
+#               with:
+#                 lfs: true
+#                 fetch-depth: 0
+#                 token: ${{ secrets.PUSH_TOKEN }}
+#             - name: Check for and commit Tor package updates
+#               run: |
+#                 git config --global --add safe.directory '*'
+#                 git config user.email "securedrop@freedom.press"
+#                 git config user.name "sdcibot"
+
+#                 # Import the Tor repo signing key
+#                 gpg --import repo/conf/updates-keys/*.gpg
+#                 # Run reprepro update, skip export since we just want the debs (and we don't have
+#                 # the repo signing key anyways)
+#                 REPREPRO_BASE_DIR=repo reprepro --export=never update
+
+#                 # Move the new packages over, intentionally leaving the old ones around
+#                 mv repo/pool/main/t/tor/*.deb core/focal/
+#                 git add core/focal/*.deb
+#                 git diff-index --quiet HEAD
+#                 # If there are changes, diff-index will fail, so we commit and push
+#                 # git diff-index --quiet HEAD ||
+#                 gh auth status
+#                 ./scripts/new-tor-issue
+#                 # (git commit -m "Automatically updating Tor packages" \
+#                 #   && git push origin main &&
diff --git a/scripts/new-tor-issue b/scripts/new-tor-issue
@@ -0,0 +1,73 @@
+#!/usr/bin/env python3
+"""
+Creates a new issue to track Tor updates or appends a comment
+to any existing issues
+"""
+
+import json
+import random
+import subprocess
+import tempfile
+
+# FIXME: Replace with freedomofpress/securedrop once everything works
+REPOSITORY = "freedomofpress/securedrop-issues-sandbox"
+# TODO: Add more
+SALUTATIONS = ["Aloha", "Bonjour", "Ciao", "Dear human overlords"]
+TEMPLATE = """\
+{salutation},
+
+A new Tor update is available.
+
+Details should be available on the [Tor forum](https://forum.torproject.net/c/news/tor-release-announcement/28).
+
+<details><summary>Here is the commit I just pushed to
+apt-test:</summary>
+
+```diff
+{patch}
+```
+</details>
+
+* [x] CI adds new packages to apt-test
+* [ ] Install tor, tor-geoipdb packages from apt-test on a prod
+      install and let them sit overnight
+* [ ] Verify that tor is still running after reboot, services
+      available, no errors or unexpected messages in logs
+* [ ] Submit a PR to `securedrop-apt-prod` to deploy
+      the same packages
+
+P.S.  This issue was created by `scripts/new-tor-issue` via the GitHub workflow `update-tor.yml`.
+"""
+TITLE = "New Tor update available"
+
+
+def main():
+    patch = subprocess.check_output(["git", "format-patch", "HEAD~1", "--stdout"]).decode().strip()
+    # Query open issues to see if there's a task already open
+    existing = json.loads(subprocess.check_output(
+        ["gh", "issue", "list", "-R", REPOSITORY,
+         "-S", TITLE, "--json", "title,number"]
+    ))
+    with tempfile.TemporaryFile("w") as message:
+        message.write(TEMPLATE.format(salutation=random.choice(SALUTATIONS), patch=patch))
+        message.seek(0)
+        for issue in existing:
+            # Looks like there's already an open issue
+            if issue["title"] == TITLE:
+                subprocess.run(
+                    ["gh", "issue", "comment", "-R", REPOSITORY,
+                     str(issue["number"]), "-F", "-"],
+                    stdin=message, check=True
+                )
+                return
+
+        # Create a new issue
+        subprocess.run(
+            ["gh", "issue", "create", "-R", REPOSITORY,
+             "--title", TITLE, "-F", "-"],
+            stdin=message, check=True
+        )
+
+
+if __name__ == "__main__":
+    main()