Migrate this repository to GitHub Actions

[legoktm]

Take the opportunity to split up what's done into the respective repositories:

• All the packaging and reproduciblity jobs are moving to securedrop-client as part of Add and refactor Debianization securedrop-client#1741
  • nightly pushing should go there too
• clean-old-packages should be moved to securedrop-apt-test
• reprepro-update-tor should be moved to securedrop or securedrop-apt-test - Add GitHub Action for Tor update check securedrop-apt-test#221
• Also have a clean-old-packages job in securedrop-yum-test
• build-rpm nightly should move to securedrop-workstation repo - Push our own nightlies to securedrop-yum-test securedrop-workstation#955 + Remove migrated CircleCI jobs and cleanup script #495
• lint-and-test + reprotest-wheels should stay in this repo and need to be converted.

[eloquence]

Per Kunal's suggestion I'm going to try to help get this over the finish line. I'll start with this one:

reprepro-update-tor should be moved to securedrop or securedrop-apt-test

I think securedrop-apt-test makes the most sense here, given that this is where the artifacts are committed.

If I understand the previous work that led to freedomofpress/securedrop-apt-test#216 correctly, I should be able to re-use secrets.PUSH_TOKEN to run a schedule-triggered job that performs the commit if needed. I'll take a stab at that, but please chime in if I'm missing something.

[legoktm]

Yep, that should work. That job also creates/comments on an issue in the server repo, so you'll probably want to check that the token has that permission as well.

[eloquence]

OK, I was able to create a test issue (in a private repo) via a dedicated PAT (issues read/write + code read + metadata read were all required for gh to work). No other method (e.g. GITHUB_TOKEN + permissions) seemed to work for cross-repo stuff. I don't see a way to have a PAT have different permissions for different repos (make issues in securedrop, push code in securedrop-apt-test), so I think we may have to switch tokens for those operations.

I'll continue to test with the private sandbox repo next week, pointers always appreciated :)

[legoktm]

I think having two separate PATs will be fine, we already have one named PUSH_TOKEN so another one named ISSUE_TOKEN or w/e seems fine.

[eloquence]

Also have a clean-old-packages job in securedrop-yum-test

Planning out the next steps:

1. At a high level, building/pushing nightlies will live in securedrop-workstation, while cleaning them up will live in securedrop-yum-test, similar to https://github.com/freedomofpress/securedrop-apt-test/blob/main/.github/workflows/cleanup.yml for securedrop-apt-test
2. Therefore, we'll want to split out the cleanup portion of

   securedrop-builder/.circleci/config.yml

   Lines 113 to 122 in ce70803

   	# Copy the new packages over and cleanup the old ones
   	cp -v /tmp/workspace/*.rpm workstation/dom0/f32-nightlies/
   	~/project/scripts/clean-old-packages workstation/dom0/f32-nightlies 7
   	git add .
   	# If there are changes, diff-index will fail, so we commit
   	git diff-index --quiet HEAD || git commit -m "Automated SecureDrop workstation build"
   	# And clean up non-nightly packages too
   	~/project/scripts/clean-old-packages workstation/dom0/f32 4
   	git add .
   	git diff-index --quiet HEAD || git commit -m "Cleanup old packages"

   and turn it into a GHA workflow in securedrop-yum-test
3. Because main is branch-protected, we'll again need to generate a PAT, which we'll call PUSH_TOKEN for consistency.
4. We'll have a parallel PR in securedrop-builder to remove the CircleCI cleanup code. This also removes the need for scripts/clean-old-packages to remain in this repository. An RPM-only version of the script will be migrated to securedrop-yum-test.

Starting to poke, but will get on it (and maybe the build/push portion) more tomorrow, as always please don't hesitate to chime in if I'm misunderstanding anything :)