Skip to content

Tor package updates #321

Tor package updates

Tor package updates #321

Workflow file for this run

name: Tor package updates
on:
schedule:
- cron: "0 7 * * *"
jobs:
check-for-tor-updates:
runs-on: ubuntu-latest
container: debian:bookworm
env:
# This token is used by the issue generation script to open an issue
# in the SecureDrop repository via the `gh` CLI (hence GH_TOKEN).
# It is distinct from the PUSH_TOKEN, which is used for `git`
# commands.
GH_TOKEN: ${{ secrets.ISSUES_TOKEN }}
steps:
- name: Install dependencies
run: |
apt-get update && apt-get install --yes reprepro ca-certificates dctrl-tools \
git git-lfs openssh-client python3 gh
- uses: actions/checkout@v4
with:
lfs: true
# This token is required to push to the protected `main` branch.
token: ${{ secrets.PUSH_TOKEN }}
- name: Check for and commit Tor package updates
run: |
git config --global --add safe.directory '*'
git config user.email "[email protected]"
git config user.name "sdcibot"
# Import the Tor repo signing key
gpg --import repo/conf/updates-keys/*.gpg
# Run reprepro update, skip export since we just want the debs (and we don't have
# the repo signing key anyways)
REPREPRO_BASE_DIR=repo reprepro --export=never update
# Move the new packages over, intentionally leaving the old ones around
mv repo/pool/main/t/tor/*focal*.deb core/focal/
mv repo/pool/main/t/tor/*noble*.deb core/noble/
git add core/focal/*.deb
git add core/noble/*.deb
# If there are changes, diff-index will fail, so we commit and push
git diff-index --quiet HEAD || (git commit -m "Automatically updating Tor packages" \
&& git push origin main && ./scripts/new-tor-issue)