freedomofpress / securedrop-builder

Packaging logic for building SecureDrop-related Debian packages
GNU General Public License v3.0

Migrate this repository to GitHub Actions #482

Closed legoktm closed 6 months ago

legoktm commented 10 months ago

Take the opportunity to split up what's done into the respective repositories:

eloquence commented 7 months ago

Per Kunal's suggestion I'm going to try to help get this over the finish line. I'll start with this one:

reprepro-update-tor should be moved to securedrop or securedrop-apt-test

I think securedrop-apt-test makes the most sense here, given that this is where the artifacts are committed.

If I understand the previous work that led to https://github.com/freedomofpress/securedrop-apt-test/pull/216 correctly, I should be able to re-use secrets.PUSH_TOKEN to run a schedule-triggered job that performs the commit if needed. I'll take a stab at that, but please chime in if I'm missing something.

legoktm commented 7 months ago

Yep, that should work. That job also creates/comments on an issue in the server repo, so you'll probably want to check that the token has that permission as well.

eloquence commented 7 months ago

OK, I was able to create a test issue (in a private repo) via a dedicated PAT (issues read/write + code read + metadata read were all required for gh to work). No other method (e.g. GITHUB_TOKEN + permissions) seemed to work for cross-repo stuff. I don't see a way to have a PAT have different permissions for different repos (make issues in securedrop, push code in securedrop-apt-test), so I think we may have to switch tokens for those operations.

I'll continue to test with the private sandbox repo next week, pointers always appreciated :)

legoktm commented 7 months ago

I think having two separate PATs will be fine, we already have one named PUSH_TOKEN so another one named ISSUE_TOKEN or w/e seems fine.

eloquence commented 7 months ago

Also have a clean-old-packages job in securedrop-yum-test

Planning out the next steps:

  1. At a high level, building/pushing nightlies will live in securedrop-workstation, while cleaning them up will live in securedrop-yum-test, similar to https://github.com/freedomofpress/securedrop-apt-test/blob/main/.github/workflows/cleanup.yml for securedrop-apt-test
  2. Therefore, we'll want to split out the cleanup portion of https://github.com/freedomofpress/securedrop-builder/blob/ce7080373b44fd6a05037ee9318dfe1c72076db5/.circleci/config.yml#L113-L122 and turn it into a GHA workflow in securedrop-yum-test
  3. Because main is branch-protected, we'll again need to generate a PAT, which we'll call PUSH_TOKEN for consistency.
  4. We'll have a parallel PR in securedrop-builder to remove the CircleCI cleanup code. This also removes the need for scripts/clean-old-packages to remain in this repository. An RPM-only version of the script will be migrated to securedrop-yum-test.

Starting to poke, but will get on it (and maybe the build/push portion) more tomorrow, as always please don't hesitate to chime in if I'm misunderstanding anything :)
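Putting the pieces discussed in this thread together (a schedule-triggered job, PUSH_TOKEN to commit past branch protection, a separate ISSUE_TOKEN that can only create/comment on issues in the server repo), here is an added example workflow; it is not the project's own code, and the script path, cron, issue title and target repo are assumptions.

```yaml
name: Scheduled package maintenance (example)

on:
  schedule:
    - cron: "0 3 * * *"   # assumption: run once a day
  workflow_dispatch:

# The default GITHUB_TOKEN gets no permissions at all; as noted in the
# thread it cannot do cross-repo work anyway, so the two PATs carry them.
permissions: {}

jobs:
  maintain:
    runs-on: ubuntu-latest
    steps:
      - name: Check out with a token allowed to push to protected main
        uses: actions/checkout@v4
        with:
          # PUSH_TOKEN: PAT scoped to this repo only (contents read/write)
          token: ${{ secrets.PUSH_TOKEN }}

      - name: Run the maintenance script
        # assumption: the script lives at this path in the target repo
        run: ./scripts/clean-old-packages

      - name: Commit and push only if something changed
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          if [ -z "$(git status --porcelain)" ]; then
            echo "Nothing to commit"; exit 0
          fi
          git add -A
          git commit -m "Scheduled package maintenance"
          git push origin HEAD:main

      - name: Create or update a tracking issue in the server repo
        if: failure()
        env:
          # ISSUE_TOKEN: second PAT with issues read/write, code read and
          # metadata read on the server repo (the set gh needed above)
          GH_TOKEN: ${{ secrets.ISSUE_TOKEN }}
          TARGET: freedomofpress/securedrop      # assumption
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          title="Scheduled package maintenance failed"
          existing=$(gh issue list --repo "$TARGET" --state open \
            --search "$title in:title" --json number --jq '.[0].number')
          if [ -n "$existing" ]; then
            gh issue comment "$existing" --repo "$TARGET" --body "Failed again: $RUN_URL"
          else
            gh issue create --repo "$TARGET" --title "$title" --body "See $RUN_URL"
          fi
```

Keeping the two PATs separate means a leak of PUSH_TOKEN cannot open issues in the server repo and a leak of ISSUE_TOKEN cannot push to the package repo, which is the split the thread settles on.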