From 491edf413a713d2aa819d6e37fe888138883d5b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexis=20M=C3=A9taireau?= <alexis@freedom.press>
Date: Fri, 6 Sep 2024 17:38:23 +0200
Subject: [PATCH] Switch from CircleCI runners to Github actions.

As part of this change, the dev (build) and end-user test images names
changed from `dangerzone.rocks/*` to `dangerzone/`, to allow using
another container registry. For the needs of our CI, we use ghcr.io.
---
 .circleci/config.yml        | 622 ------------------------------------
 .github/workflows/build.yml | 103 ++++++
 .github/workflows/ci.yml    | 261 +++++++++++----
 dev_scripts/containers.conf |   3 +
 dev_scripts/env.py          | 101 +++++-
 5 files changed, 386 insertions(+), 704 deletions(-)
 delete mode 100644 .circleci/config.yml
 create mode 100644 .github/workflows/build.yml
 create mode 100644 dev_scripts/containers.conf

diff --git a/.circleci/config.yml b/.circleci/config.yml
deleted file mode 100644
index 62e689144..000000000
--- a/.circleci/config.yml
+++ /dev/null
@@ -1,622 +0,0 @@
-version: 2.1
-
-aliases:
-  - &install-podman
-    name: Install Podman in Ubuntu Focal
-    command: ./install/linux/install-podman-ubuntu-focal.sh
-
-    # FIXME: Remove the following step once we drop Ubuntu Focal support. The
-    # python-all dependency is an artificial requirement due to an stdeb bug
-    # prior to v0.9.1. See:
-    #
-    # * https://github.com/astraw/stdeb/issues/153
-    # * https://github.com/freedomofpress/dangerzone/issues/292#issuecomment-1349967888
-  - &install-python-all
-    name: Install python-all package
-    command: |
-      export DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true
-      apt-get update
-      apt-get install -y python-all
-
-  - &install-dependencies-deb
-    name: Install dependencies (deb)
-    command: |
-      export DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true
-      apt-get update
-      apt-get install -y dh-python python3 python3-stdeb
-
-  - &install-dependencies-rpm
-    name: Install dependencies (rpm)
-    command: |
-      dnf install -y rpm-build python3 python3-devel python3-poetry-core pipx
-      pipx install poetry
-
-  - &build-deb
-    name: Build the .deb package
-    command: |
-      ./install/linux/build-deb.py
-      ls -lh deb_dist/
-
-  - &build-rpm
-    name: Build the .rpm package
-    command: |
-      PATH=/root/.local/bin:$PATH ./install/linux/build-rpm.py
-      ls -lh dist/
-
-  - &build-rpm-qubes
-    name: Build the Qubes .rpm package
-    command: |
-      PATH=/root/.local/bin:$PATH ./install/linux/build-rpm.py --qubes
-      ls -lh dist/
-
-  - &calculate-cache-key
-    name: Caculating container cache key
-    command: |
-      mkdir -p /caches/
-      cd dangerzone/conversion/
-      cat common.py doc_to_pixels.py pixels_to_pdf.py | sha1sum | cut -d' ' -f1 > /caches/cache-id.txt
-      cd ../../
-
-  - &restore-cache
-    key: v1-{{ checksum "Dockerfile" }}-{{ checksum "/caches/cache-id.txt" }}
-    paths:
-      - /caches/container.tar.gz
-      - /caches/image-id.txt
-
-  - &copy-image
-    name: Copy container image into package
-    command: |
-      cp /caches/container.tar.gz share/
-      cp /caches/image-id.txt share/
-
-jobs:
-  run-lint:
-    docker:
-      - image: debian:bookworm
-    resource_class: small
-    steps:
-      - checkout
-      - run:
-          name: Install dev. dependencies
-          # Install only the necessary packages to run our linters.
-          #
-          # We run poetry with --no-ansi, to sidestep a Poetry bug that
-          # currently exists in 1.3. See:
-          # https://github.com/freedomofpress/dangerzone/issues/292#issuecomment-1351368122
-          command: |
-            apt-get update
-            apt-get install -y git make python3 python3-poetry --no-install-recommends
-            poetry install --no-ansi --only lint,test
-      - run:
-          name: Run linters to enforce code style
-          command: poetry run make lint
-      - run:
-          name: Check that the QA script is up to date with the docs
-          command: ./dev_scripts/qa.py --check-refs
-
-  build-container-image:
-    machine:
-      image: ubuntu-2004:202111-01
-    steps:
-      - checkout
-      - run: *install-podman
-      - run:
-          name: Prepare cache directory
-          command: |
-            sudo mkdir -p /caches
-            sudo chown -R $USER:$USER /caches
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      # setup_remote_docker
-      - run:
-          name: Build Dangerzone image
-          command: |
-            if [ -f "/caches/container.tar.gz" ]; then
-              echo "Already cached, skipping"
-            else
-              sudo pip3 install poetry
-              python3 ./install/common/build-image.py
-            fi
-      - run:
-          name: Save Dangerzone image and image-id.txt to cache
-          command: |
-            if [ -f "/caches/container.tar.gz" ]; then
-              echo "Already cached, skipping"
-            else
-              mkdir -p /caches
-              podman save -o /caches/container.tar dangerzone.rocks/dangerzone
-              gzip -f /caches/container.tar
-              podman image ls dangerzone.rocks/dangerzone | grep "dangerzone.rocks/dangerzone" | tr -s ' ' | cut -d' ' -f3 > /caches/image-id.txt
-            fi
-      - run: *calculate-cache-key
-      - save_cache:
-          key: v1-{{ checksum "Dockerfile" }}-{{ checksum "/caches/cache-id.txt" }}
-          paths:
-            - /caches/container.tar.gz
-            - /caches/image-id.txt
-
-  convert-test-docs:
-    machine:
-      image: ubuntu-2004:202111-01
-    steps:
-      - checkout
-      - run: *install-podman
-      - run:
-          name: Install poetry dependencies
-          command: |
-            sudo pip3 install poetry
-            # This flag is important, due to an open upstream Poetry issue:
-            # https://github.com/python-poetry/poetry/issues/7184
-            poetry install --no-ansi
-      - run:
-          name: Install test dependencies
-          command: |
-            sudo apt-get install -y libqt5gui5 libxcb-cursor0 --no-install-recommends
-      - run:
-          name: Prepare cache directory
-          command: |
-            sudo mkdir -p /caches
-            sudo chown -R $USER:$USER /caches
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-      - run:
-          name: run automated tests
-          command: |
-            poetry run make test
-
-  ci-ubuntu-noble:
-    machine:
-      image: ubuntu-2004:202111-01
-    steps:
-      - checkout
-      - run: *install-podman
-
-      - run:
-          name: Prepare cache directory
-          command: |
-            sudo mkdir -p /caches
-            sudo chown -R $USER:$USER /caches
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-
-      - run:
-          name: Prepare Dangerzone environment
-          command: |
-            ./dev_scripts/env.py --distro ubuntu --version 24.04 build-dev
-
-      - run:
-          name: Run CI tests
-          command: |
-            ./dev_scripts/env.py --distro ubuntu --version 24.04 run --dev \
-                bash -c 'cd dangerzone; poetry run make test'
-
-  ci-ubuntu-mantic:
-    machine:
-      image: ubuntu-2004:202111-01
-    steps:
-      - checkout
-      - run: *install-podman
-
-      - run:
-          name: Prepare cache directory
-          command: |
-            sudo mkdir -p /caches
-            sudo chown -R $USER:$USER /caches
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-
-      - run:
-          name: Prepare Dangerzone environment
-          command: |
-            ./dev_scripts/env.py --distro ubuntu --version 23.10 build-dev
-
-      - run:
-          name: Run CI tests
-          command: |
-            ./dev_scripts/env.py --distro ubuntu --version 23.10 run --dev \
-                bash -c 'cd dangerzone; poetry run make test'
-
-  ci-ubuntu-jammy:
-    machine:
-      image: ubuntu-2004:202111-01
-    steps:
-      - checkout
-      - run: *install-podman
-
-      - run:
-          name: Prepare cache directory
-          command: |
-            sudo mkdir -p /caches
-            sudo chown -R $USER:$USER /caches
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-
-      - run:
-          name: Prepare Dangerzone environment
-          command: |
-            ./dev_scripts/env.py --distro ubuntu --version 22.04 build-dev
-
-      - run:
-          name: Run CI tests
-          command: |
-            ./dev_scripts/env.py --distro ubuntu --version 22.04 run --dev \
-                bash -c 'cd dangerzone; poetry run make test'
-
-  ci-ubuntu-focal:
-    machine:
-      image: ubuntu-2004:202111-01
-    steps:
-      - checkout
-      - run: *install-podman
-
-      - run:
-          name: Prepare cache directory
-          command: |
-            sudo mkdir -p /caches
-            sudo chown -R $USER:$USER /caches
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-
-      - run:
-          name: Prepare Dangerzone environment
-          command: |
-            ./dev_scripts/env.py --distro ubuntu --version 20.04 build-dev
-
-      - run:
-          name: Run CI tests
-          command: |
-            ./dev_scripts/env.py --distro ubuntu --version 20.04 run --dev \
-                bash -c 'cd dangerzone; poetry run make test'
-
-  ci-fedora-40:
-    machine:
-      image: ubuntu-2004:202111-01
-    steps:
-      - checkout
-      - run: *install-podman
-
-      - run:
-          name: Prepare cache directory
-          command: |
-            sudo mkdir -p /caches
-            sudo chown -R $USER:$USER /caches
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-
-      - run:
-          name: Prepare Dangerzone environment
-          command: |
-            ./dev_scripts/env.py --distro fedora --version 40 build-dev
-
-      - run:
-          name: Run CI tests
-          command: |
-            ./dev_scripts/env.py --distro fedora --version 40 run --dev \
-                bash -c 'cd dangerzone; poetry run make test'
-
-  ci-fedora-39:
-    machine:
-      image: ubuntu-2004:202111-01
-    steps:
-      - checkout
-      - run: *install-podman
-
-      - run:
-          name: Prepare cache directory
-          command: |
-            sudo mkdir -p /caches
-            sudo chown -R $USER:$USER /caches
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-
-      - run:
-          name: Prepare Dangerzone environment
-          command: |
-            ./dev_scripts/env.py --distro fedora --version 39 build-dev
-
-      - run:
-          name: Run CI tests
-          command: |
-            ./dev_scripts/env.py --distro fedora --version 39 run --dev \
-                bash -c 'cd dangerzone; poetry run make test'
-
-  ci-debian-trixie:
-    machine:
-      image: ubuntu-2004:202111-01
-    steps:
-      - checkout
-      - run: *install-podman
-
-      - run:
-          name: Prepare cache directory
-          command: |
-            sudo mkdir -p /caches
-            sudo chown -R $USER:$USER /caches
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-
-      - run:
-          name: Prepare Dangerzone environment
-          command: |
-            ./dev_scripts/env.py --distro debian --version trixie build-dev
-
-      - run:
-          name: Run CI tests
-          command: |
-            ./dev_scripts/env.py --distro debian --version trixie run --dev \
-                bash -c 'cd dangerzone; poetry run make test'
-
-  ci-debian-bookworm:
-    machine:
-      image: ubuntu-2004:202111-01
-    steps:
-      - checkout
-      - run: *install-podman
-
-      - run:
-          name: Prepare cache directory
-          command: |
-            sudo mkdir -p /caches
-            sudo chown -R $USER:$USER /caches
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-
-      - run:
-          name: Prepare Dangerzone environment
-          command: |
-            ./dev_scripts/env.py --distro debian --version bookworm build-dev
-
-      - run:
-          name: Run CI tests
-          command: |
-            ./dev_scripts/env.py --distro debian --version bookworm run --dev \
-                bash -c 'cd dangerzone; poetry run make test'
-
-  # NOTE: Making CI tests work in Debian Bullseye requires some tip-toeing
-  # around certain Podman issues, as you'll see below. Read the following for
-  # more details:
-  #
-  # https://github.com/freedomofpress/dangerzone/issues/388
-  ci-debian-bullseye:
-    machine:
-      image: ubuntu-2204:2023.04.2
-    steps:
-      - checkout
-      - run: *install-podman
-      - run:
-          name: Configure Podman for Ubuntu 22.04
-          command: |
-            # This config circumvents the following issues:
-            # * https://github.com/containers/podman/issues/6368
-            # * https://github.com/containers/podman/issues/10987
-            mkdir -p ~/.config/containers
-            cat > ~/.config/containers/containers.conf \<<EOF
-            [engine]
-            cgroup_manager="cgroupfs"
-            events_logger="file"
-            EOF
-
-      - run:
-          name: Prepare cache directory
-          command: |
-            sudo mkdir -p /caches
-            sudo chown -R $USER:$USER /caches
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-
-      - run:
-          name: Prepare Dangerzone environment
-          command: |
-            ./dev_scripts/env.py --distro debian --version bullseye build-dev
-
-      - run:
-          name: Configure Podman for Debian Bullseye
-          command: |
-            # Copy the Podman config into the container image we created for the
-            # Dangerzone environment.
-            cp ~/.config/containers/containers.conf containers.conf
-            cat > Dockerfile.bullseye \<<EOF
-            FROM dangerzone.rocks/build/debian:bullseye-backports
-            RUN mkdir -p /home/user/.config/containers
-            COPY containers.conf /home/user/.config/containers/
-            EOF
-
-            # Create a new image from the Dangerzone environment and re-tag it.
-            podman build -t dangerzone.rocks/build/debian:bullseye-backports \
-                -f Dockerfile.bullseye .
-
-      - run:
-          name: Run CI tests
-          command: |
-            ./dev_scripts/env.py --distro debian --version bullseye run --dev \
-                bash -c 'cd dangerzone; poetry run make test'
-
-  build-ubuntu-noble:
-    docker:
-      - image: ubuntu:24.04
-    resource_class: medium+
-    steps:
-      - run: *install-dependencies-deb
-      - checkout
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-      - run: *build-deb
-
-  build-ubuntu-mantic:
-    docker:
-      - image: ubuntu:23.10
-    resource_class: medium+
-    steps:
-      - run: *install-dependencies-deb
-      - checkout
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-      - run: *build-deb
-
-  build-ubuntu-jammy:
-    docker:
-      - image: ubuntu:22.04
-    resource_class: medium+
-    steps:
-      - run: *install-dependencies-deb
-      - checkout
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-      - run: *build-deb
-
-  build-ubuntu-focal:
-    docker:
-      - image: ubuntu:20.04
-    resource_class: medium+
-    steps:
-      - run: *install-dependencies-deb
-      - run: *install-python-all
-      - checkout
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-      - run: *build-deb
-
-  build-debian-trixie:
-    docker:
-      - image: debian:trixie
-    resource_class: medium+
-    steps:
-      - run: *install-dependencies-deb
-      - checkout
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-      - run: *build-deb
-
-  build-debian-bookworm:
-    docker:
-      - image: debian:bookworm
-    resource_class: medium+
-    steps:
-      - run: *install-dependencies-deb
-      - checkout
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-      - run: *build-deb
-
-  build-debian-bullseye:
-    docker:
-      - image: debian:bullseye
-    resource_class: medium+
-    steps:
-      - run: *install-dependencies-deb
-      - checkout
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-      - run: *build-deb
-
-  build-fedora-40:
-    docker:
-      - image: fedora:40
-    resource_class: medium+
-    steps:
-      - run: *install-dependencies-rpm
-      - checkout
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-      - run: *build-rpm
-      - run: *build-rpm-qubes
-
-  build-fedora-39:
-    docker:
-      - image: fedora:39
-    resource_class: medium+
-    steps:
-      - run: *install-dependencies-rpm
-      - checkout
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-      - run: *build-rpm
-      - run: *build-rpm-qubes
-
-workflows:
-  version: 2
-
-  build:
-    jobs:
-      - run-lint
-      - build-container-image
-      - convert-test-docs:
-          requires:
-            - build-container-image
-      - ci-ubuntu-noble:
-          requires:
-            - build-container-image
-      - ci-ubuntu-mantic:
-          requires:
-            - build-container-image
-      - ci-ubuntu-jammy:
-          requires:
-            - build-container-image
-      - ci-ubuntu-focal:
-          requires:
-            - build-container-image
-      - ci-debian-trixie:
-          requires:
-            - build-container-image
-      - ci-debian-bookworm:
-          requires:
-            - build-container-image
-      - ci-debian-bullseye:
-          requires:
-            - build-container-image
-      - ci-fedora-40:
-          requires:
-            - build-container-image
-      - ci-fedora-39:
-          requires:
-            - build-container-image
-      # FIXME: Currently disabled because `stdeb` does not work with Python
-      # 3.12, which is the default in Ubuntu Noble. See also:
-      # https://github.com/freedomofpress/dangerzone/issues/773
-      #
-      #- build-ubuntu-noble:
-      #    requires:
-      #      - build-container-image
-      - build-ubuntu-mantic:
-          requires:
-            - build-container-image
-      - build-ubuntu-jammy:
-          requires:
-            - build-container-image
-      - build-ubuntu-focal:
-          requires:
-            - build-container-image
-      - build-debian-bullseye:
-          requires:
-            - build-container-image
-      - build-debian-trixie:
-          requires:
-            - build-container-image
-      - build-debian-bookworm:
-          requires:
-            - build-container-image
-      - build-fedora-40:
-          requires:
-            - build-container-image
-      - build-fedora-39:
-          requires:
-            - build-container-image
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 000000000..9aa276ab1
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,103 @@
+name: Build dev environments
+on:
+  push:
+  schedule:
+    - cron: "0 0 * * *" # Run every day at 00:00 UTC.
+env:
+  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+  REGISTRY_USER: ${{ github.actor }}
+  REGISTRY_PASSWORD: ${{ github.token }}
+
+# Each day, build and publish to ghcr.io:
+#
+# - the dangerzone/dangerzone container image
+# - the dangerzone/build/{debian,ubuntu,fedora}:version
+#   dev environments used to run the tests
+#
+# End-user environments are not published to the GHCR because
+# they need .rpm or .deb files to be built, which is what we
+# want to test.
+
+jobs:
+  build-dev-environment:
+    name: "Build dev-env (${{ matrix.distro }}-${{ matrix.version }})"
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - distro: ubuntu
+            version: "20.04"
+          - distro: ubuntu
+            version: "22.04"
+          - distro: ubuntu
+            version: "23.10"
+          - distro: ubuntu
+            version: "24.04"
+          - distro: debian
+            version: bullseye
+          - distro: debian
+            version: bookworm
+          - distro: debian
+            version: trixie
+          - distro: fedora
+            version: "39"
+          - distro: fedora
+            version: "40"
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+
+      - name: Login to GHCR
+        run: |
+          echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin
+
+      - name: Build dev environment
+        run: |
+          ./dev_scripts/env.py --distro ${{ matrix.distro }} \
+              --version ${{ matrix.version }} \
+              build-dev --sync
+
+  build-container-image:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Get current date
+        id: date
+        run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
+
+      - name: Restore container cache
+        uses: actions/cache@v4
+        with:
+          key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py') }}
+          path: |
+            share/container.tar.gz
+            share/image-id.txt
+
+      - name: Build Dangerzone image
+        run: |
+          if [ -f "share/container.tar.gz" ]; then
+            echo "Already cached, skipping"
+          else
+            sudo apt-get install -y python3-poetry
+            python3 ./install/common/build-image.py
+          fi
+
+      - name: Load container image
+        run: |
+          gunzip -c share/container.tar.gz | podman load
+
+      - name: Login to GHCR
+        run: |
+          echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin
+
+      - name: Push To GHCR
+        run: |
+          podman push \
+            dangerzone.rocks/dangerzone \
+            ${{ env.IMAGE_REGISTRY }}/dangerzone/dangerzone
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2ea394dda..98b59a27e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,9 +4,64 @@ on:
   pull_request:
     branches: [ main ]
   schedule:
-    - cron: '0 0 * * *' # Run every day at 00:00 UTC.
+    - cron: "2 0 * * *" # Run every day at 02:00 UTC.
+  workflow_dispatch:
+
+env:
+  REGISTRY_USER: ${{ github.actor }}
+  REGISTRY_PASSWORD: ${{ github.token }}
+  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+  # This is required for running GUI tests on Github Actions
+  DISPLAY: ":99.0"
+  QT_SELECT: "qt6"
+
+# Disable multiple concurrent runs on the same branch
+# When a new CI build is triggered, it will cancel the
+# other in-progress ones (for the same branch)
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
 
 jobs:
+  run-lint:
+    runs-on: ubuntu-latest
+    container:
+      image: debian:bookworm
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install dev. dependencies
+        run: |-
+          apt-get update
+          apt-get install -y git make python3 python3-poetry --no-install-recommends
+          poetry install --no-ansi --only lint,test
+      - name: Run linters to enforce code style
+        run: poetry run make lint
+      - name: Check that the QA script is up to date with the docs
+        run: "./dev_scripts/qa.py --check-refs"
+
+  # This is already built daily by the "build.yml" file
+  # But we also want to include this in the checks that run on each push.
+  build-container-image:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Restore container cache
+        uses: actions/cache@v4
+        with:
+          key: v2-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py') }}
+          path: |-
+            share/container.tar.gz
+            share/image-id.txt
+      - name: Build Dangerzone image
+        run: |-
+          if [ -f "share/container.tar.gz" ]; then
+            echo "Already cached, skipping"
+          else
+            sudo apt-get install -y python3-poetry
+            python3 ./install/common/build-image.py
+          fi
+
   windows:
     runs-on: windows-latest
     env:
@@ -43,11 +98,26 @@ jobs:
         run: poetry run make test
 
   build-deb:
+    name: "build-deb (${{ matrix.distro }} ${{ matrix.version }})"
     runs-on: ubuntu-latest
-    env:
-      target: debian-bookworm
-      distro: debian
-      version: bookworm
+    needs: build-container-image
+    strategy:
+      matrix:
+        include:
+          - distro: ubuntu
+            version: "20.04"
+          - distro: ubuntu
+            version: "22.04"
+          - distro: ubuntu
+            version: "23.10"
+          - distro: ubuntu
+            version: "24.04"
+          - distro: debian
+            version: bullseye
+          - distro: debian
+            version: bookworm
+          - distro: debian
+            version: trixie
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -56,56 +126,58 @@ jobs:
         with:
           python-version: '3.10'
 
-      - name: Build dev environment
+      - name: Login to GHCR
         run: |
-          ./dev_scripts/env.py --distro ${{ env.distro }} \
-              --version ${{ env.version }} \
-              build-dev
+          echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin
 
-      - name: Install container build dependencies
-        run: sudo apt install pipx && pipx install poetry
+      - name: Get the dev environment
+        run: |
+          ./dev_scripts/env.py \
+              --distro ${{ matrix.distro }} \
+              --version ${{ matrix.version }} \
+              build-dev --sync
 
-      - name: Build Dangerzone image
-        run: python3 ./install/common/build-image.py
+      - name: Restore container cache
+        uses: actions/cache@v4
+        with:
+          key: v2-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py') }}
+          path: |-
+            share/container.tar.gz
+            share/image-id.txt
 
       - name: Build Dangerzone .deb
         run: |
-          ./dev_scripts/env.py --distro ${{ env.distro }} \
-              --version ${{ env.version }} \
+          ./dev_scripts/env.py --distro ${{ matrix.distro }} \
+              --version ${{ matrix.version }} \
               run --dev --no-gui ./dangerzone/install/linux/build-deb.py
 
       - name: Upload Dangerzone .deb
+        if: matrix.distro == 'debian' && matrix.version == 'trixie'
         uses: actions/upload-artifact@v4
         with:
           name: dangerzone.deb
           path: "deb_dist/dangerzone_*_all.deb"
 
   install-deb:
+    name: "install-deb (${{ matrix.distro }} ${{ matrix.version }})"
     runs-on: ubuntu-latest
     needs: build-deb
     strategy:
       matrix:
         include:
-          - target: ubuntu-20.04
-            distro: ubuntu
+          - distro: ubuntu
             version: "20.04"
-          - target: ubuntu-22.04
-            distro: ubuntu
+          - distro: ubuntu
             version: "22.04"
-          - target: ubuntu-23.10
-            distro: ubuntu
+          - distro: ubuntu
             version: "23.10"
-          - target: ubuntu-24.04
-            distro: ubuntu
+          - distro: ubuntu
             version: "24.04"
-          - target: debian-bullseye
-            distro: debian
+          - distro: debian
             version: bullseye
-          - target: debian-bookworm
-            distro: debian
+          - distro: debian
             version: bookworm
-          - target: debian-trixie
-            distro: debian
+          - distro: debian
             version: trixie
 
     steps:
@@ -122,36 +194,12 @@ jobs:
           name: dangerzone.deb
           path: "deb_dist/"
 
-      - name: Create end-user environment on (${{ matrix.target }})
+      - name: Build end-user environment
         run: |
           ./dev_scripts/env.py --distro ${{ matrix.distro }} \
               --version ${{ matrix.version }} \
               build
 
-      - name: Configure Podman for Debian Bullseye specifically
-        if: matrix.target == 'debian-bullseye'
-        run: |
-          # Create a Podman config specifically for Bullseye (see #388).
-          mkdir bullseye_fix
-          cd bullseye_fix
-          cat > containers.conf <<EOF
-          [engine]
-          cgroup_manager="cgroupfs"
-          events_logger="file"
-          EOF
-
-          # Copy the Podman config into the container image we created for the
-          # Dangerzone environment.
-          cat > Dockerfile.bullseye <<EOF
-          FROM dangerzone.rocks/debian:bullseye-backports
-          RUN mkdir -p /home/user/.config/containers
-          COPY containers.conf /home/user/.config/containers/
-          EOF
-
-          # Create a new image from the Dangerzone environment and re-tag it.
-          podman build -t dangerzone.rocks/debian:bullseye-backports \
-              -f Dockerfile.bullseye .
-
       - name: Run a test command
         run: |
           ./dev_scripts/env.py --distro ${{ matrix.distro }} \
@@ -165,31 +213,39 @@ jobs:
               run dangerzone --help
 
   build-install-rpm:
-    name: "Build and install a Dangerzone RPM on Fedora ${{matrix.version}}"
+    name: "build-install-rpm (${{ matrix.distro }} ${{matrix.version}})"
     runs-on: ubuntu-latest
+    needs: build-container-image
     strategy:
       matrix:
-        include:
-          - version: "39"
-          - version: "40"
+        distro: ["fedora"]
+        version: ["39", "40"]
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Build dev environment
+      - name: Login to GHCR
         run: |
-          ./dev_scripts/env.py --distro fedora --version ${{ matrix.version }} \
-              build-dev
+          echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin
 
-      - name: Build Dangerzone image
+      - name: Get the dev environment
         run: |
-          ./dev_scripts/env.py --distro fedora --version ${{ matrix.version }} \
-              run --dev --no-gui \
-              bash -c 'cd /home/user/dangerzone && python3 ./install/common/build-image.py'
+          ./dev_scripts/env.py \
+              --distro ${{ matrix.distro }} \
+              --version ${{ matrix.version }} \
+              build-dev --sync
+
+      - name: Restore container cache
+        uses: actions/cache@v4
+        with:
+          key: v2-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py') }}
+          path: |-
+            share/container.tar.gz
+            share/image-id.txt
 
       - name: Build Dangerzone .rpm
         run: |
-          ./dev_scripts/env.py --distro fedora --version ${{ matrix.version }} \
+          ./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} \
               run --dev --no-gui ./dangerzone/install/linux/build-rpm.py
 
       # Reclaim some space in this step, now that the dev environment is no
@@ -200,15 +256,82 @@ jobs:
 
       - name: Build end-user environment
         run: |
-          ./dev_scripts/env.py --distro fedora --version ${{ matrix.version }} \
+          ./dev_scripts/env.py --distro ${{ matrix.distro }} \
+              --version ${{ matrix.version }} \
               build --download-pyside6
 
       - name: Run a test command
         run: |
-          ./dev_scripts/env.py --distro fedora --version ${{ matrix.version }} \
+          ./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} \
               run dangerzone-cli dangerzone/tests/test_docs/sample-pdf.pdf
 
       - name: Check that the Dangerzone GUI imports work
         run: |
-          ./dev_scripts/env.py --distro fedora --version ${{ matrix.version }} \
+          ./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} \
               run dangerzone --help
+
+  run-tests:
+    name: "run tests (${{ matrix.distro }} ${{ matrix.version }})"
+    runs-on: ubuntu-latest
+    needs: build-container-image
+    strategy:
+      matrix:
+        include:
+          - distro: ubuntu
+            version: "20.04"
+          - distro: ubuntu
+            version: "22.04"
+          - distro: ubuntu
+            version: "23.10"
+          - distro: ubuntu
+            version: "24.04"
+          - distro: debian
+            version: bullseye
+          - distro: debian
+            version: bookworm
+          - distro: debian
+            version: trixie
+          - distro: fedora
+            version: "39"
+          - distro: fedora
+            version: "40"
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+
+      - name: Login to GHCR
+        run: |
+          echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin
+
+      - name: Get the dev environment
+        run: |
+          ./dev_scripts/env.py \
+              --distro ${{ matrix.distro }} \
+              --version ${{ matrix.version }} \
+              build-dev --sync
+
+      - name: Restore container cache
+        uses: actions/cache@v4
+        with:
+          key: v2-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py') }}
+          path: |-
+            share/container.tar.gz
+            share/image-id.txt
+
+      - name: Setup xvfb (Linux)
+        run: |
+          # Stuff copied wildly from several stackoverflow posts
+          sudo apt-get install -y xvfb libxkbcommon-x11-0 libxcb-icccm4 libxcb-image0 libxcb-keysyms1 libxcb-randr0 libxcb-render-util0 libxcb-xinerama0 libxcb-xinput0 libxcb-xfixes0 libxcb-shape0 libglib2.0-0 libgl1-mesa-dev '^libxcb.*-dev' libx11-xcb-dev libglu1-mesa-dev libxrender-dev libxi-dev libxkbcommon-dev libxkbcommon-x11-dev
+
+          # start xvfb in the background
+          sudo /usr/bin/Xvfb $DISPLAY -screen 0 1280x1024x24 &
+
+      - name: Run CI tests
+        run: |-
+          ./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} run --dev \
+              bash -c 'cd dangerzone; poetry run make test'
diff --git a/dev_scripts/containers.conf b/dev_scripts/containers.conf
new file mode 100644
index 000000000..e638b650f
--- /dev/null
+++ b/dev_scripts/containers.conf
@@ -0,0 +1,3 @@
+[engine]
+cgroup_manager="cgroupfs"
+events_logger="file"
diff --git a/dev_scripts/env.py b/dev_scripts/env.py
index 2931965e5..f92e40bfd 100755
--- a/dev_scripts/env.py
+++ b/dev_scripts/env.py
@@ -1,12 +1,14 @@
 #!/usr/bin/env python3
 
 import argparse
+import hashlib
 import os
 import pathlib
 import shutil
 import subprocess
 import sys
 import urllib.request
+from datetime import date
 
 DEFAULT_GUI = True
 DEFAULT_USER = "user"
@@ -55,8 +57,9 @@
 # FIXME: Maybe create an enum for these values.
 DISTROS = ["debian", "fedora", "ubuntu"]
 CONTAINER_RUNTIMES = ["podman", "docker"]
-IMAGE_NAME_BUILD_DEV_FMT = "dangerzone.rocks/build/{distro}:{version}"
-IMAGE_NAME_BUILD_FMT = "dangerzone.rocks/{distro}:{version}"
+IMAGES_REGISTRY = "ghcr.io/freedomofpress/"
+IMAGE_NAME_BUILD_DEV_FMT = "v2/dangerzone/build-dev/{distro}-{version}:{hash}"
+IMAGE_NAME_BUILD_ENDUSER_FMT = "v2/dangerzone/end-user/{distro}-{version}:{hash}"
 
 EPILOG = """\
 Examples:
@@ -288,14 +291,29 @@ def distro_build(distro, version):
     return distro_root(distro, version) / "build"
 
 
-def image_name_build(distro, version):
+def image_name_build_dev(distro, version):
     """Get the container image for the dev variant of a Dangerzone environment."""
-    return IMAGE_NAME_BUILD_DEV_FMT.format(distro=distro, version=version)
+    hash = hash_files(
+        get_files_in("dev_scripts")
+        + [
+            git_root() / "pyproject.toml",
+            git_root() / "poetry.lock",
+        ],
+        include_current_date=True,
+    )
+
+    return IMAGE_NAME_BUILD_DEV_FMT.format(distro=distro, version=version, hash=hash)
+
 
+def image_name_build_enduser(distro, version):
+    """Get the container image for the Dangerzone end-user environment."""
 
-def image_name_install(distro, version):
-    """Get the container image for the Dangerzone environment."""
-    return IMAGE_NAME_BUILD_FMT.format(distro=distro, version=version)
+    hash = hash_files(
+        get_files_in("install/linux", "debian"), include_current_date=True
+    )
+    return IMAGE_NAME_BUILD_ENDUSER_FMT.format(
+        distro=distro, version=version, hash=hash
+    )
 
 
 def dz_version():
@@ -304,6 +322,34 @@ def dz_version():
         return f.read().strip()
 
 
+def hash_files(
+    file_paths: list[pathlib.Path], include_current_date: bool = False
+) -> str:
+    """Returns the hash value of a list of files using the sha256 hashing algorithm.
+
+    If specified, also adds the current date in the hash.
+    """
+    hash_obj = hashlib.new("sha256")
+    for path in file_paths:
+        with open(path, "rb") as file:
+            file_data = file.read()
+            hash_obj.update(file_data)
+
+    if include_current_date:
+        current_date = date.today().strftime("%Y-%m-%d")
+        hash_obj.update(current_date.encode())
+
+    return hash_obj.hexdigest()
+
+
+def get_files_in(*folders: list[str]) -> list[pathlib.Path]:
+    """Return the list of all files present in the given folders"""
+    files = []
+    for folder in folders:
+        files.extend([p for p in (git_root() / folder).glob("**") if p.is_file()])
+    return files
+
+
 class PySide6Manager:
     """Provision PySide6 RPMs in our Dangerzone environments.
 
@@ -512,13 +558,13 @@ def run(
             run_cmd += [
                 "--hostname",
                 "dangerzone-dev",
-                image_name_build(self.distro, self.version),
+                image_name_build_dev(self.distro, self.version),
             ]
         else:
             run_cmd += [
                 "--hostname",
                 "dangerzone",
-                image_name_install(self.distro, self.version),
+                image_name_build_enduser(self.distro, self.version),
             ]
 
         run_cmd += cmd
@@ -534,8 +580,26 @@ def run(
         (dist_state / ".bash_history").touch(exist_ok=True)
         self.runtime_run(*run_cmd)
 
-    def build_dev(self, show_dockerfile=DEFAULT_SHOW_DOCKERFILE):
+    def pull_image_from_registry(self, image):
+        process = subprocess.run(self.runtime_cmd + ["pull", IMAGES_REGISTRY + image])
+        return process.returncode == 0
+
+    def push_image_to_registry(self, image):
+        process = subprocess.run(
+            self.runtime_cmd + ["push", image, IMAGES_REGISTRY + image]
+        )
+        return process.returncode == 0
+
+    def build_dev(self, show_dockerfile=DEFAULT_SHOW_DOCKERFILE, sync=False):
         """Build a Linux environment and install tools for Dangerzone development."""
+        image = image_name_build_dev(self.distro, self.version)
+
+        if sync and self.pull_image_from_registry(image):
+            # The image has been pulled from the registry, no need to build it.
+            return
+        elif sync:
+            print("Image label not in registry, building it")
+
         if self.distro == "fedora":
             install_deps = DOCKERFILE_BUILD_DEV_FEDORA_DEPS
         else:
@@ -588,6 +652,7 @@ def build_dev(self, show_dockerfile=DEFAULT_SHOW_DOCKERFILE):
         shutil.copy(git_root() / "pyproject.toml", build_dir)
         shutil.copy(git_root() / "poetry.lock", build_dir)
         shutil.copy(git_root() / "dev_scripts" / "storage.conf", build_dir)
+        shutil.copy(git_root() / "dev_scripts" / "containers.conf", build_dir)
         if self.distro == "ubuntu" and self.version in ("22.04", "jammy"):
             shutil.copy(git_root() / "dev_scripts" / "apt-tools-prod.pref", build_dir)
             shutil.copy(
@@ -596,9 +661,12 @@ def build_dev(self, show_dockerfile=DEFAULT_SHOW_DOCKERFILE):
         with open(build_dir / "Dockerfile", mode="w") as f:
             f.write(dockerfile)
 
-        image = image_name_build(self.distro, self.version)
         self.runtime_run("build", "-t", image, build_dir)
 
+        if sync:
+            if not self.push_image_to_registry(image):
+                print("An error occured while trying to push to the container registry")
+
     def build(
         self,
         show_dockerfile=DEFAULT_SHOW_DOCKERFILE,
@@ -671,6 +739,7 @@ def build(
         # Populate the build context.
         shutil.copy(package_src, package_dst)
         shutil.copy(git_root() / "dev_scripts" / "storage.conf", build_dir)
+        shutil.copy(git_root() / "dev_scripts" / "containers.conf", build_dir)
         if self.distro == "ubuntu" and self.version in ("22.04", "jammy"):
             shutil.copy(git_root() / "dev_scripts" / "apt-tools-prod.pref", build_dir)
             shutil.copy(
@@ -679,7 +748,7 @@ def build(
         with open(build_dir / "Dockerfile", mode="w") as f:
             f.write(dockerfile)
 
-        image = image_name_install(self.distro, self.version)
+        image = image_name_build_enduser(self.distro, self.version)
         self.runtime_run("build", "-t", image, build_dir)
 
 
@@ -698,7 +767,7 @@ def env_run(args):
 def env_build_dev(args):
     """Invoke the 'build-dev' command based on the CLI args."""
     env = Env.from_args(args)
-    return env.build_dev(show_dockerfile=args.show_dockerfile)
+    return env.build_dev(show_dockerfile=args.show_dockerfile, sync=args.sync)
 
 
 def env_build(args):
@@ -784,6 +853,12 @@ def parse_args():
         action="store_true",
         help="Do not build, only show the Dockerfile",
     )
+    parser_build_dev.add_argument(
+        "--sync",
+        default=False,
+        action="store_true",
+        help="Attempt to pull the image, build it if not found and push it to the container registry",
+    )
 
     # Build a development variant of a Dangerzone environment.
     parser_build = subparsers.add_parser(