Let's match the securedrop-apt-prod process by generating metadata at commit-time instead of doing it on the server. CI verifies the generated metadata is up to date and fully reproducible.
Showing
4 changed files
with
78 additions
and
0 deletions.
@@ -1,2 +1,4 @@ | ||
*.deb filter=lfs diff=lfs merge=lfs -text | ||
*.rpm filter=lfs diff=lfs merge=lfs -text | ||
*.gz filter=lfs diff=lfs merge=lfs -text | ||
*.bz2 filter=lfs diff=lfs merge=lfs -text |
@@ -0,0 +1,6 @@ | ||
#!/bin/bash | ||
# Pull the latest image | ||
podman pull debian:bookworm | ||
# Mount the git repo to /srv, install necessary packages and run the publish script | ||
podman run --rm -it -v $(git rev-parse --show-toplevel):/srv:Z debian:bookworm \ | ||
bash -c "apt-get update && apt-get install -y python3 createrepo-c && /srv/tools/publish-real" |
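Review bot: The `podman run` line builds the repository metadata with whatever `debian:bookworm` and `createrepo-c` resolve to at run time, so the toolchain behind the committed metadata is neither pinned nor recorded. A later base-image or createrepo_c update can therefore change the output and break the CI reproducibility check. Pinning the image by digest (`debian:bookworm@sha256:<digest>`, placeholder) under a fully qualified registry name would make that input explicit and reviewable. The script also lacks `set -euo pipefail`, so a failed `podman pull` falls through to a run against a stale local image. Separately, `$(git rev-parse --show-toplevel)` is unquoted, so a checkout path containing spaces splits the `-v` argument; `-v "$(git rev-parse --show-toplevel):/srv:Z"` avoids that.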
@@ -0,0 +1,49 @@ | ||
#!/usr/bin/env python3 | ||
""" | ||
Script for generating yum repository metadata. Files are | ||
copied into public/ and metadata is generated there. | ||
""" | ||
import os | ||
import shutil | ||
import subprocess | ||
from pathlib import Path | ||
|
||
|
||
def main(): | ||
root = Path(__file__).parent.parent | ||
public = root / "public" | ||
workstation = root / "workstation" | ||
source_date_epoch = int(os.environ.get("SOURCE_DATE_EPOCH", 0)) | ||
# Reset public, copy the workstation/ tree into it | ||
print("Creating public/ (from scratch)") | ||
if public.exists(): | ||
shutil.rmtree(public) | ||
public.mkdir() | ||
shutil.copytree(workstation, public / "workstation") | ||
if source_date_epoch: | ||
for rpm in public.glob("**/*.rpm"): | ||
os.utime(rpm, (source_date_epoch, source_date_epoch)) | ||
# Folders are public/workstation/dom0/fXX, run createrepo_c in each one | ||
for folder in public.glob("*/*/*/"): | ||
if not folder.is_dir(): | ||
continue | ||
print(f"Generating metadata for {folder}") | ||
args = ["createrepo_c"] | ||
if source_date_epoch: | ||
# The <revision> and <timestamp> fields are set to the current UNIX time | ||
# unless we explicitly override them. In most cases we want to use | ||
# the current time except when we're doing reproducibility testing. | ||
args.extend( | ||
[ | ||
"--revision", | ||
str(source_date_epoch), | ||
"--set-timestamp-to-revision", | ||
] | ||
) | ||
args.append(str(folder)) | ||
subprocess.check_call(args) | ||
print("Done!") | ||
|
||
|
||
if __name__ == "__main__": | ||
main() |
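Review bot: Reproducible output is opt-in in `main()`: when `SOURCE_DATE_EPOCH` is unset (or set to `0`, which `if source_date_epoch:` treats as unset), `--revision` falls back to the current time and the copied RPMs keep whatever mtime the checkout gave them, so two runs over the same tree are likely to produce different metadata. The wrapper script in this commit does not pass the variable into the container (there is no `-e SOURCE_DATE_EPOCH` on the `podman run` line), so metadata generated by a committer would presumably differ from what CI regenerates unless CI normalises it some other way; the CI configuration is not visible here. Consider reading the value as `epoch = os.environ.get("SOURCE_DATE_EPOCH")`, branching on `epoch is not None`, and printing which mode is in use so a non-reproducible run shows up in the log. `main()` also has no docstring; one stating that it deletes and recreates `public/` before invoking `createrepo_c` would warn anyone running it by hand.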