This diff forwardports 856e436e20d511a4f0d618546da7921fa9f8c5f6 to the master branch

Original commit message:

- - -

This pull request changes `mk` and github workflows to build and publish binaries on tag. We also update the documentation to explain this new branching model. Basically, we have release branches where we produce binary packages and we add extra code, on tag, to publish such packages inside a release.

We discussed removing most secrets from builds in this repository and having a different tool/repository that takes in input also secrets for doing follow-up actions after publishing. As a consequence, this pull request also removes all pieces of code that require secrets. The next step is to reinstate this code in this new repository/tool.

The existing code in `mk` also implemented caching. This feature was useful when doing local builds because it reduced the time required to obtain binary releases. With builds running as part of GitHub actions, we don't need caching because we spawn parallel machines to build binaries. Therefore, let us also remove caching, which makes the code simpler. (Caching in itself is hard and in https://github.com/ooni/probe/issues/1875 I noted that, for example, caching of the `ooni/go` repository was leading to some unwanted behaviour when changing the branch. Without caching, this behaviour is gone and we always generally use fresh information to produce builds.) Of course, this means that local builds are now slower, but I do not think this is a problem _because_ we want to use GitHub actions for building in the common case.

Reference issues: https://github.com/ooni/probe/issues/1879 and https://github.com/ooni/probe/issues/1875.

The final aspect to mention to conclude this description is an implementation one:

```
gh release create -p $tag --target $GITHUB_SHA || true
```

The code above uses `|| true` because there could already be a release. So, basically, it means that, if a release does not already exist, then we're going to create one. Otherwise, it does not matter because there's already a release.
@@ -1,5 +0,0 @@
|
||||
oohelperd (0.0.1) unstable; urgency=medium
|
||||
|
||||
* Test release
|
||||
|
||||
-- Federico Ceratto <federico@openobservatory.org> Tue, 16 Feb 2021 12:39:41 +0000
|
||||
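Review bot: the commit message does not mention this deletion. It covers removing code that requires secrets and removing caching from `mk`, while this hunk and the ones after it delete what reads as the oohelperd Debian packaging, starting with its changelog entry `oohelperd (0.0.1) unstable; urgency=medium`. Please add a sentence to the description saying the packaging is dropped on purpose and whether oohelperd packages are still expected from the new tag-based release flow.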
@@ -1 +0,0 @@
|
||||
11
|
||||
@@ -1,22 +0,0 @@
|
||||
Source: oohelperd
|
||||
Maintainer: Federico Ceratto <federico@openobservatory.org>
|
||||
Section: devel
|
||||
Priority: optional
|
||||
Build-Depends:
|
||||
devscripts,
|
||||
dpkg-dev,
|
||||
Standards-Version: 4.5.0
|
||||
Vcs-Browser: https://github.com/ooni/probe-cli
|
||||
Vcs-Git: https://github.com/ooni/probe-cli.git
|
||||
Homepage: https://github.com/ooni/probe-cli
|
||||
Rules-Requires-Root: no
|
||||
XS-Go-Import-Path: github.com/ooni/probe-cli
|
||||
|
||||
Package: oohelperd
|
||||
Architecture: any
|
||||
Pre-Depends: debconf (>= 1.0.0)
|
||||
Depends: ${misc:Depends}, ${shlibs:Depends},
|
||||
adduser,
|
||||
debconf
|
||||
Built-Using: ${misc:Built-Using}
|
||||
Description: OONI test helper
|
||||
@@ -1,40 +0,0 @@
|
||||
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
|
||||
Source: https://github.com/ooni/probe-cli
|
||||
Upstream-Name: oohelperd
|
||||
|
||||
Files: *
|
||||
Copyright: 2018 Open Observatory of Network Interference (OONI)
|
||||
License: BSD-3-clause
|
||||
|
||||
Files: debian/*
|
||||
Copyright: 2020 Federico Ceratto <federico@openobservatory.org>
|
||||
License: BSD-3-clause
|
||||
Comment: Debian packaging is licensed under the same terms as upstream
|
||||
|
||||
License: BSD-3-clause
|
||||
Copyright 2018 Open Observatory of Network Interference (OONI), The Tor Project
|
||||
.
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
modification, are permitted provided that the following conditions are met:
|
||||
.
|
||||
1. Redistributions of source code must retain the above copyright notice, this
|
||||
list of conditions and the following disclaimer.
|
||||
.
|
||||
2. Redistributions in binary form must reproduce the above copyright notice,
|
||||
this list of conditions and the following disclaimer in the documentation
|
||||
and/or other materials provided with the distribution.
|
||||
.
|
||||
3. Neither the name of the copyright holder nor the names of its contributors
|
||||
may be used to endorse or promote products derived from this software
|
||||
without specific prior written permission.
|
||||
.
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
|
||||
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
|
||||
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
||||
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
||||
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
@@ -1 +0,0 @@
|
||||
oohelperd /usr/bin
|
||||
@@ -1,15 +0,0 @@
|
||||
#!/bin/sh
|
||||
set -e
|
||||
|
||||
. /usr/share/debconf/confmodule
|
||||
db_version 2.0
|
||||
|
||||
if [ "$1" = "configure" ]; then
|
||||
if ! getent passwd oohelperd >/dev/null; then
|
||||
adduser --quiet --system --group --home /var/lib/oohelperd oohelperd
|
||||
fi
|
||||
fi
|
||||
|
||||
#DEBHELPER#
|
||||
|
||||
exit 0
|
||||
@@ -1,50 +0,0 @@
|
||||
[Unit]
|
||||
Description=OONI Test heper
|
||||
Documentation=https://ooni.org/
|
||||
After=network.target tor.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
ExecStart=/usr/bin/oohelperd
|
||||
TimeoutStopSec=5
|
||||
KillMode=mixed
|
||||
|
||||
User=oohelperd
|
||||
PermissionsStartOnly=true
|
||||
Restart=on-abnormal
|
||||
RestartSec=2s
|
||||
LimitNOFILE=65536
|
||||
WorkingDirectory=/var/lib/oohelperd
|
||||
RuntimeDirectory=oohelperd
|
||||
StateDirectory=oohelperd
|
||||
LogsDirectory=oohelperd
|
||||
ConfigurationDirectory=oohelperd
|
||||
|
||||
# Sandboxing
|
||||
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
||||
LockPersonality=yes
|
||||
NoNewPrivileges=yes
|
||||
PrivateDevices=yes
|
||||
PrivateTmp=yes
|
||||
PrivateUsers=yes
|
||||
ProtectClock=yes
|
||||
ProtectControlGroups=yes
|
||||
ProtectHome=yes
|
||||
ProtectHostname=yes
|
||||
ProtectKernelLogs=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectSystem=full
|
||||
ReadOnlyDirectories=/
|
||||
ReadWriteDirectories=-/proc
|
||||
ReadWriteDirectories=-/var/lib/oohelperd
|
||||
ReadWriteDirectories=-/var/run
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||
RestrictNamespaces=yes
|
||||
RestrictRealtime=yes
|
||||
SystemCallArchitectures=native
|
||||
SystemCallFilter=@system-service
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
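Review bot: the `# Sandboxing` block at the end of this deleted unit (`NoNewPrivileges=yes`, `CapabilityBoundingSet=CAP_NET_BIND_SERVICE`, `SystemCallFilter=@system-service`, together with `User=oohelperd` above it) is the only place in the diff where these restrictions appear, and the removal takes them with it. If oohelperd is still run as a service, carry these settings over to whatever unit replaces this one, or say in the description where they now live. If the unit is kept anywhere, fix the `Description=OONI Test heper` typo at the same time.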
@@ -1,19 +0,0 @@
|
||||
#!/usr/bin/make -f
|
||||
|
||||
export DH_VERBOSE=1
|
||||
|
||||
%:
|
||||
dh $@
|
||||
|
||||
override_dh_auto_clean:
|
||||
dh_auto_clean
|
||||
|
||||
override_dh_auto_build:
|
||||
# The oohelperd binary is provided
|
||||
cp ../../../oohelperd .
|
||||
|
||||
override_dh_dwz:
|
||||
true
|
||||
|
||||
override_dh_auto_install:
|
||||
dh_auto_install -- --no-source
|
||||
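Review bot: `override_dh_auto_build` obtained the binary with `cp ../../../oohelperd .`, so the package contents depended on whatever file sat three directories up at build time, with nothing in the rules checking what it was. Since the new flow publishes binaries on tag, state in the description which workflow step now produces oohelperd, and consider publishing a checksum next to the release asset so a downloaded binary can be tied back to the tagged commit.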
@@ -1 +0,0 @@
|
||||
3.0 (native)
|
||||