Have CI verify new packages match buildinfo files

CI verifies that newly added packages had a buildinfo file pushed to the build-logs repository and the package checksum matches that. The check-buildinfo script was added in <freedomofpress/securedrop-builder#423>. Refs <freedomofpress/securedrop#6356>.
freedomofpress · Apr 3, 2023 · 7ab49bd · 7ab49bd
1 parent 2c72e42
commit 7ab49bd
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,25 @@
+name: CI
+on: [pull_request]
+
+jobs:
+    buildinfo:
+        runs-on: ubuntu-latest
+        container: debian:bullseye
+        steps:
+            - name: Install dependencies
+              run: |
+                apt-get update && apt-get install --yes python3-debian git git-lfs
+            - name: Checkout
+              uses: actions/checkout@v3
+              with:
+                lfs: true
+                fetch-depth: 0
+            - name: Check buildinfo
+              run: |
+                git config --global --add safe.directory '*'
+                # We already checked out securedrop-apt-test above, we also need
+                # securedrop-builder for the check-buildinfo script, and build-logs
+                # for the `.buildinfo` files to check against.
+                git clone https://github.com/freedomofpress/securedrop-builder --depth 1
+                git clone https://github.com/freedomofpress/build-logs --depth 1
+                ./securedrop-builder/scripts/check-buildinfo build-logs