Add script to commit repodata/
Let's match the securedrop-apt-prod process by generating metadata at
commit-time instead of doing it on the server.

CI verifies the generated metadata is up to date and fully reproducible.
legoktm committed Jul 16, 2024
1 parent 89a87dc commit 9fb4054
Showing 4 changed files with 78 additions and 0 deletions.
2 changes: 2 additions & 0 deletions .gitattributes
@@ -1,2 +1,4 @@
*.deb filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
21 changes: 21 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -17,3 +17,24 @@ jobs:
- name: Verify the signatures of all rpm artifacts
run: |
./scripts/check.py --verify --all
metadata:
runs-on: ubuntu-latest
container: debian:bookworm
steps:
- name: Install dependencies
run: |
apt-get update && apt-get install --yes python3 git git-lfs createrepo-c
- name: Checkout
uses: actions/checkout@v3
with:
lfs: true
fetch-depth: 0
- name: Check repository metadata is up-to-date
run: |
git config --global --add safe.directory '*'
shopt -s globstar
# Parse the value out of <revision></revision>
export SOURCE_DATE_EPOCH=$(grep -m 1 "revision" public/**/repomd.xml | cut -d '>' -f 2 | cut -d '<' -f 1)
./tools/publish-real
git status
git diff --exit-code
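Review bot: The new `metadata` job runs on mutable references, `uses: actions/checkout@v3` and `container: debian:bookworm`, so the code that decides whether the committed repodata is trustworthy can change without any commit to this repository. Pinning the action to a full commit SHA (`uses: actions/checkout@<full-commit-sha>  # v3`, placeholder) and the image to a digest keeps the check's inputs fixed; an unpinned `createrepo-c` from apt can presumably also change the generated XML and fail `git diff --exit-code` for reasons unrelated to the commit. `git config --global --add safe.directory '*'` disables git's ownership check for every path; `git config --global --add safe.directory "$GITHUB_WORKSPACE"` should be sufficient for this step. The `jobs:` mapping begins above the hunk.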
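--- a/tools/publish
+++ b/tools/publish
@@ -0,0 +1,6 @@
+#!/bin/bash
+# Pull the latest image
+podman pull debian:bookworm
+# Mount the git repo to /srv, install necessary packages and run the publish script
+podman run --rm -it -v $(git rev-parse --show-toplevel):/srv:Z debian:bookworm \
+bash -c "apt-get update && apt-get install -y python3 createrepo-c && /srv/tools/publish-real"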
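Review bot: The script has no `set -euo pipefail`, so a failed `podman pull debian:bookworm` is ignored and the metadata is then built with whatever image is cached locally; adding that line after the shebang makes the run stop instead. The `-v $(git rev-parse --show-toplevel):/srv:Z` argument is unquoted, so a checkout path containing spaces splits into several words; `-v "$(git rev-parse --show-toplevel)":/srv:Z` avoids that. The container installs packages from the network and runs with the whole working tree mounted read-write, so a comment stating which paths the run is expected to modify would help whoever reviews the resulting commit.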
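--- a/tools/publish-real
+++ b/tools/publish-real
@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+"""
+Script for generating yum repository metadata. Files are
+copied into public/ and metadata is generated there.
+"""
+import os
+import shutil
+import subprocess
+from pathlib import Path
+
+
+def main():
+root = Path(__file__).parent.parent
+public = root / "public"
+workstation = root / "workstation"
+source_date_epoch = int(os.environ.get("SOURCE_DATE_EPOCH", 0))
+# Reset public, copy the workstation/ tree into it
+print("Creating public/ (from scratch)")
+if public.exists():
+shutil.rmtree(public)
+public.mkdir()
+shutil.copytree(workstation, public / "workstation")
+if source_date_epoch:
+for rpm in public.glob("**/*.rpm"):
+os.utime(rpm, (source_date_epoch, source_date_epoch))
+# Folders are public/workstation/dom0/fXX, run createrepo_c in each one
+for folder in public.glob("*/*/*/"):
+if not folder.is_dir():
+continue
+print(f"Generating metadata for {folder}")
+args = ["createrepo_c"]
+if source_date_epoch:
+# The <revision> and <timestamp> fields are set to the current UNIX time
+# unless we explicitly override them. In most cases we want to use
+# the current time except when we're doing reproducibility testing.
+args.extend(
+[
+"--revision",
+str(source_date_epoch),
+"--set-timestamp-to-revision",
+]
+)
+args.append(str(folder))
+subprocess.check_call(args)
+print("Done!")
+
+
+if __name__ == "__main__":
+main()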
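Review bot: The `os.utime(rpm, ...)` loop in `main()` only runs when `SOURCE_DATE_EPOCH` is set, so an ordinary publish run hands createrepo_c whatever mtimes `shutil.copytree` preserved from the local checkout. If createrepo_c records each package's mtime in primary.xml, as I believe it does, the committed metadata would carry machine-specific times that the CI rerun (which resets every mtime to the revision) cannot reproduce. Choosing the timestamp once, e.g. `revision = source_date_epoch or int(time.time())` (with `import time`), and then applying `os.utime` and `--revision` unconditionally would make both paths produce the same files. `main()` also has no docstring; one line saying that it deletes and recreates `public/` and honours `SOURCE_DATE_EPOCH` would be enough.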
