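---
# CI for the SecureDrop desktop app: lint/build, translator screenshots,
# integration tests against an httpbin service container, and server tests
# against a locally built SecureDrop server image.
name: app
on:
  - merge_group
  - push
  - pull_request

# Only build for latest push/PR unless it's main or release/
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  # Folded scalar: evaluates to the same single-line expression.
  cancel-in-progress: >-
    ${{ github.ref != 'refs/heads/main'
    && !startsWith( github.ref, 'refs/heads/release/' )
    && !startsWith( github.ref, 'refs/heads/gh-readonly-queue/' ) }}

defaults:
  run:
    shell: bash

# Least-privilege token for the whole workflow; no job below widens it.
permissions:
  contents: read

# NOTE(review): every `uses:` below references a mutable tag (@v6, @v4, ...).
# Pinning each to a full commit SHA would stop a moved tag from changing what
# runs in CI without a change to this file.
jobs:
  lint-and-build:
    strategy:
      matrix:
        debian_version:
          - bookworm
    runs-on: ubuntu-latest
    container: debian:${{ matrix.debian_version }}
    steps:
      - name: Install base dependencies
        run: |
          apt-get update
          apt-get install --yes \
            build-essential \
            git \
            make \
            python3 python3-pip \
            sqlite3
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # Do not leave the job token in .git/config for later steps.
          persist-credentials: false
      - name: Install pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 10
      - name: Install node
        uses: actions/setup-node@v6
        with:
          node-version: "24.x"
          cache: pnpm
          cache-dependency-path: app/pnpm-lock.yaml
      - name: Install node dependencies
        working-directory: app
        run: pnpm install
      - name: Lint
        working-directory: app
        run: pnpm lint
      - name: Check that database schema is up to date
        working-directory: app
        run: |
          mkdir -p "${HOME}/.config/SecureDrop"
          # The workspace is owned by a different uid inside the container;
          # git refuses to operate on it unless it is marked safe.
          git config --global --add safe.directory "$GITHUB_WORKSPACE"
          pnpm dbmate:check
      - name: Test (unit tests)
        working-directory: app
        run: pnpm test
      - name: Build
        working-directory: app
        run: pnpm build:linux

  translator-screenshots:
    strategy:
      matrix:
        debian_version:
          - bookworm
    runs-on: ubuntu-latest
    container: debian:${{ matrix.debian_version }}
    steps:
      - name: Install base plus Electron runtime dependencies
        run: |
          apt-get update && apt-get install --yes git make python3 python3-pip python3-requests build-essential \
            libglib2.0-0 libnspr4 libnss3 libdbus-1-3 libatk1.0-0 libatk-bridge2.0-0 \
            libcups2 libcairo2 libgtk-3-0 libgbm1 libasound2 xvfb sqlite3
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      # Second checkout: the server repo supplies the test-data generator input.
      - name: Checkout securedrop server repository
        uses: actions/checkout@v6
        with:
          repository: "freedomofpress/securedrop"
          path: "securedrop-server"
          persist-credentials: false
      - name: Install pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 10
      - name: Install node
        uses: actions/setup-node@v6
        with:
          node-version: "24.x"
          cache: pnpm
          cache-dependency-path: app/pnpm-lock.yaml
      - name: Install node dependencies
        working-directory: app
        run: pnpm install
      - name: Install Rust-specific dependencies for sd-proxy
        # apt-get update already ran in the first step of this container job.
        run: apt-get install --yes build-essential curl libssl-dev pkg-config
      - name: Install Rust to build sd-proxy
        uses: dtolnay/rust-toolchain@1.90.0
      - name: Generate and insert test data
        working-directory: app
        run: |
          pnpm test-data-generate ../securedrop-server 10
          mkdir -p ~/.config/SecureDrop
          pnpm test-data-insert
      - name: Generate translator screenshots
        working-directory: app
        run: xvfb-run --auto-servernum --server-args="-screen 0 1920x1080x24" pnpm translator-screenshots
      - name: Save screenshots as an artifact
        uses: actions/upload-artifact@v6
        with:
          name: translator-screenshots
          path: app/screenshots/
          retention-days: 30
          if-no-files-found: error
      # Only pushes to main reach Weblate; PR runs (including fork PRs, which
      # get no secrets) never execute this step. The token is passed through
      # env rather than interpolated into the script text.
      - name: Upload screenshots to Weblate and associate with source strings (on main branch only)
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        working-directory: app
        run: |
          python3 scripts/upload_screenshots.py \
            --project securedrop \
            --component securedrop-app \
            screenshots/
        env:
          WEBLATE: ${{ vars.WEBLATE }}
          WEBLATE_API_TOKEN: ${{ secrets.WEBLATE_API_TOKEN }}

  integration-tests:
    strategy:
      matrix:
        debian_version:
          - bookworm
    runs-on: ubuntu-latest
    container: debian:${{ matrix.debian_version }}
    services:
      # Test fixture only; the image tag is unpinned (suppressed for zizmor
      # below), so a digest pin would make the fixture reproducible.
      httpbin:
        image: kennethreitz/httpbin # zizmor: ignore[unpinned-images]
        ports:
          # Quoted so the host:container mapping stays a string for every
          # YAML parser rather than risking numeric interpretation.
          - "80:80"
    steps:
      - name: Install base dependencies
        run: |
          apt-get update && apt-get install --yes git make python3 python3-pip build-essential
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Install pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 10
      - name: Install node
        uses: actions/setup-node@v6
        with:
          node-version: "24.x"
          cache: pnpm
          cache-dependency-path: app/pnpm-lock.yaml
      - name: Install node dependencies
        working-directory: app
        run: pnpm install
      - name: Install Rust-specific dependencies for sd-proxy
        run: apt-get install --yes build-essential curl libssl-dev pkg-config
      - name: Install Rust to build sd-proxy
        uses: dtolnay/rust-toolchain@1.90.0
      - name: Run integration tests
        working-directory: app
        # Plain http is fine here: httpbin is a service container reachable
        # only inside the job's network.
        run: NODE_ENV=ci VITE_HTTPBIN_URL=http://httpbin:80 pnpm integration-test

  server-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
          repository: "freedomofpress/securedrop"
          path: "securedrop-server"
      - uses: actions/setup-python@v6
        with:
          python-version: "3.11"
      - name: Install pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 10
      - name: Install node
        uses: actions/setup-node@v6
        with:
          node-version: "24.x"
          cache: pnpm
          cache-dependency-path: app/pnpm-lock.yaml
      - name: Install node dependencies
        working-directory: app
        run: pnpm install
      # n.b. because this runs on Ubuntu runner directly,
      # build-essential, curl, libssl-dev and pkg-config are already installed
      - name: Install Rust to build sd-proxy
        uses: dtolnay/rust-toolchain@1.90.0
      - name: Install ffmpeg for video recording
        run: sudo apt-get update && sudo apt-get install -y ffmpeg
      - name: Prebuild SecureDrop Docker image
        run: |
          # Build the Docker image ahead of time so tests don't timeout waiting
          cd securedrop-server/securedrop
          docker build \
            --build-arg=USER_ID="$(id -u)" \
            --build-arg=USER_NAME="${USER:-root}" \
            --build-arg=OS_VERSION="noble" \
            -t "securedrop-slim-noble-py3" \
            --file "dockerfiles/noble/python3/SlimDockerfile" \
            .
      - name: Run tests
        run: |
          # Build the proxy Rust code before the tests start
          cargo build
          # Register the cleanup trap before any background process is
          # started, so Xvfb and ffmpeg are stopped even if a later line in
          # this script fails (the default shell runs with -e).
          cleanup() {
            echo "Stopping video recording and Xvfb..."
            kill $FFMPEG_PID 2>/dev/null || true
            sleep 2 # Give ffmpeg time to finish writing
            kill $XVFB_PID 2>/dev/null || true
          }
          trap cleanup EXIT
          # Start Xvfb on display :99
          Xvfb :99 -screen 0 1920x1080x24 &
          XVFB_PID=$!
          export DISPLAY=:99
          sleep 1 # Give Xvfb a moment to start
          # Start video recording
          ffmpeg -video_size 1920x1080 -framerate 25 -f x11grab -i :99 \
            -codec:v libx264 -preset ultrafast -pix_fmt yuv420p \
            server-test-recording.mp4 &
          FFMPEG_PID=$!
          sleep 1 # Give ffmpeg a moment to start
          # Run tests - each test file will start its own isolated server
          cd app
          pnpm server-test
        env:
          # Passed via env (not interpolated into the script) so the path is
          # never re-parsed by the shell.
          SERVER_PATH: ${{ github.workspace }}/securedrop-server
      - name: Upload test video
        if: always()
        uses: actions/upload-artifact@v6
        with:
          name: server-test-recording
          path: server-test-recording.mp4
          retention-days: 30
          if-no-files-found: warn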