Merge pull request #1958 from freedomofpress/drop-bullseye

Drop bullseye support

.github/workflows/build.yml

@@ -18,7 +18,6 @@ jobs:
     strategy:
       matrix:
         debian_version:
-          - bullseye
           - bookworm
     runs-on: ubuntu-latest
     container: debian:${{ matrix.debian_version }}
@@ -50,7 +49,6 @@ jobs:
     strategy:
       matrix:
         debian_version:
-          - bullseye
           - bookworm
     runs-on: ubuntu-latest
     outputs:
@@ -78,7 +76,6 @@ jobs:
     strategy:
       matrix:
         debian_version:
-          - bullseye
           - bookworm
     runs-on: ubuntu-latest
     outputs:
@@ -104,7 +101,6 @@ jobs:
     strategy:
       matrix:
         debian_version:
-          - bullseye
           - bookworm
     runs-on: ubuntu-latest
     container: debian:bookworm
@@ -142,7 +138,6 @@ jobs:
           - log
           - proxy
         debian_version:
-          - bullseye
           - bookworm
     runs-on: ubuntu-latest
     needs:

.github/workflows/ci.yml

@@ -18,7 +18,6 @@ jobs:
     strategy:
       matrix:
         debian_version:
-          - bullseye
           - bookworm
     runs-on: ubuntu-latest
     container: debian:${{ matrix.debian_version }}
@@ -34,28 +33,15 @@ jobs:
     strategy:
       matrix:
         debian_version:
-          - bullseye
           - bookworm
     runs-on: ubuntu-latest
     container: debian:${{ matrix.debian_version }}
     steps:
       - run: |
-          apt-get update && apt-get install --yes git make file
+          apt-get update && apt-get install --yes git make file python3-poetry
       - uses: actions/checkout@v4
       - name: Install dependencies
         run: |
-          source /etc/os-release
-          if [[ "$VERSION_CODENAME" == "bullseye" ]]; then
-              # Install Poetry via PyPI
-              apt-get install --yes --no-install-recommends python3-pip
-              pip install poetry==1.6.1
-          elif [[ "$VERSION_CODENAME" == "bookworm" ]]; then
-              # Install Poetry via system package
-              apt-get install --yes --no-install-recommends python3-poetry
-          else
-              echo "Unsupported Debian version: $VERSION_CODENAME"
-              exit 1
-          fi
           poetry install
       - name: Run lint
         run: make lint
@@ -71,7 +57,6 @@ jobs:
           - log
           - proxy
         debian_version:
-          - bullseye
           - bookworm
         # bookworm jobs are failing and will be
         # replaced with proxy v2 shortly, so skip
@@ -83,22 +68,10 @@ jobs:
     container: debian:${{ matrix.debian_version }}
     steps:
       - run: |
-          apt-get update && apt-get install --yes git make gnupg
+          apt-get update && apt-get install --yes git make gnupg python3-poetry
       - uses: actions/checkout@v4
       - name: Install dependencies
         run: |
-          source /etc/os-release
-          if [[ "$VERSION_CODENAME" == "bullseye" ]]; then
-              # Install Poetry via PyPI
-              apt-get install --yes --no-install-recommends python3-pip
-              pip install poetry==1.6.1
-          elif [[ "$VERSION_CODENAME" == "bookworm" ]]; then
-              # Install Poetry via system package
-              apt-get install --yes --no-install-recommends python3-poetry
-          else
-              echo "Unsupported Debian version: $VERSION_CODENAME"
-              exit 1
-          fi
           poetry -C ${{ matrix.component }} install
           if [[ "${{ matrix.component }}" == "client" ]]; then
             make -C ${{ matrix.component }} ci-install-deps

.github/workflows/nightlies.yml

@@ -21,7 +21,6 @@ jobs:
       fail-fast: false
       matrix:
         debian_version:
-          - bullseye
           - bookworm
     runs-on: ubuntu-latest
     outputs:
@@ -81,7 +80,6 @@ jobs:
           git push origin main
           # Now the packages themselves
           cd ../securedrop-apt-test
-          cp -v ../build-bullseye/*.deb workstation/bullseye-nightlies/
           cp -v ../build-bookworm/*.deb workstation/bookworm-nightlies/
           git add .
           git diff-index --quiet HEAD || git commit -m "Automated SecureDrop workstation build"

.github/workflows/piuparts/Dockerfile

@@ -1,4 +1,4 @@
-ARG DISTRO=bullseye
+ARG DISTRO=bookworm
 FROM debian:$DISTRO
 
 RUN apt-get update && apt-get upgrade --yes && apt-get install -y ca-certificates

.github/workflows/piuparts/run-piuparts.sh

@@ -11,9 +11,10 @@ docker build . --build-arg DISTRO="$DISTRO" -t ourimage
 # TODO: Our currently released packages don't install with piuparts, so we pass
 # --no-upgrade-test to avoid installing them and testing the upgrade path. Once
 # they do we can remove that line.
+# FIXME: switch --extra-repo to bookworm once it exists
 piuparts --docker-image ourimage \
     --distribution "$DISTRO" \
-    --extra-repo 'deb [signed-by=/usr/share/keyrings/securedrop-keyring.gpg] https://apt.freedom.press bullseye main' \
+    --extra-repo "deb [signed-by=/usr/share/keyrings/securedrop-keyring.gpg] https://apt.freedom.press bullseye main" \
     --warn-on-leftovers-after-purge \
     --no-upgrade-test \
     /build/securedrop-"${PACKAGE}"*.deb

.github/workflows/sdk.yml

@@ -26,7 +26,7 @@ jobs:
           path: "securedrop-server"
       - uses: actions/setup-python@v5
         with:
-          python-version: "3.9"
+          python-version: "3.11"
       - name: Install dependencies
         run: |
           pip install poetry==1.6.1

.github/workflows/test.yml

@@ -24,7 +24,6 @@ jobs:
           - log
           - proxy
         debian_version:
-          - bullseye
           - bookworm
         # bookworm jobs are failing and will be
         # replaced with proxy v2 shortly, so skip
@@ -36,26 +35,14 @@ jobs:
     container: debian:${{ matrix.debian_version }}
     steps:
       - run: |
-          apt-get update && apt-get install --yes git make gnupg sudo
+          apt-get update && apt-get install --yes git make gnupg sudo python3-poetry
       - uses: actions/checkout@v4
       - name: Setup user
         run: |
           # We want to run tests as a regular user, similar to Qubes VMs
           useradd --create-home --shell /bin/bash user
       - name: Install dependencies
         run: |
-          source /etc/os-release
-          if [[ "$VERSION_CODENAME" == "bullseye" ]]; then
-              # Install Poetry via PyPI
-              apt-get install --yes --no-install-recommends python3-pip
-              pip install poetry==1.6.1
-          elif [[ "$VERSION_CODENAME" == "bookworm" ]]; then
-              # Install Poetry via system package
-              apt-get install --yes --no-install-recommends python3-poetry
-          else
-              echo "Unsupported Debian version: $VERSION_CODENAME"
-              exit 1
-          fi
           sudo -u user poetry -C ${{ matrix.component }} install
       - name: Run test
         run: |
@@ -73,32 +60,19 @@ jobs:
           - test-integration
           - test-random
         debian_version:
-          - bullseye
           - bookworm
     runs-on: ubuntu-latest
     container: debian:${{ matrix.debian_version }}
     steps:
       - run: |
-          apt-get update && apt-get install --yes git make gnupg sudo
+          apt-get update && apt-get install --yes git make gnupg sudo python3-poetry
       - uses: actions/checkout@v4
       - name: Setup user
         run: |
           # We want to run tests as a regular user, similar to Qubes VMs
           useradd --create-home --shell /bin/bash user
       - name: Install dependencies
         run: |
-          source /etc/os-release
-          if [[ "$VERSION_CODENAME" == "bullseye" ]]; then
-              # Install Poetry via PyPI
-              apt-get install --yes --no-install-recommends python3-pip
-              pip install poetry==1.6.1
-          elif [[ "$VERSION_CODENAME" == "bookworm" ]]; then
-              # Install Poetry via system package
-              apt-get install --yes --no-install-recommends python3-poetry
-          else
-              echo "Unsupported Debian version: $VERSION_CODENAME"
-              exit 1
-          fi
           make -C client ci-install-deps
           sudo -u user poetry -C client install
       - name: Run test
@@ -111,28 +85,15 @@ jobs:
     strategy:
       matrix:
         debian_version:
-          - bullseye
           - bookworm
     runs-on: ubuntu-latest
     container: debian:${{ matrix.debian_version }}
     steps:
       - run: |
-          apt-get update && apt-get install --yes git make
+          apt-get update && apt-get install --yes git make python3-poetry
       - uses: actions/checkout@v4
       - name: Install dependencies
         run: |
-          source /etc/os-release
-          if [[ "$VERSION_CODENAME" == "bullseye" ]]; then
-              # Install Poetry via PyPI
-              apt-get install --yes --no-install-recommends python3-pip
-              pip install poetry==1.6.1
-          elif [[ "$VERSION_CODENAME" == "bookworm" ]]; then
-              # Install Poetry via system package
-              apt-get install --yes --no-install-recommends python3-poetry
-          else
-              echo "Unsupported Debian version: $VERSION_CODENAME"
-              exit 1
-          fi
           poetry -C client install
           make -C client ci-install-deps
           git config --global --add safe.directory '*'

client/Makefile

@@ -1,11 +1,10 @@
 .PHONY: all
 all: help
 
-# We prefer to use python3.9 if it's availabe, especially on arm64 based Macs,
+# We prefer to use python3.11 if it's available, especially on arm64 based Macs,
 # which would not be able to install the virtual environment without an x86_64
-# Python 3.9, but we're also OK with just python3 if that's all we've got
-PYTHON := $(if $(shell bash -c "command -v python3.9"), python3.9, python3)
-VERSION_CODENAME ?= bullseye
+# Python 3.11, but we're also OK with just python3 if that's all we've got
+PYTHON := $(if $(shell bash -c "command -v python3.11"), python3.11, python3)
 
 SEMGREP_FLAGS := --exclude "tests/" --error --strict --verbose