From 025e5dda513abb213809faaf8e26a9e83fba1522 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexis=20M=C3=A9taireau?= <alexis@freedom.press>
Date: Fri, 6 Sep 2024 17:38:23 +0200
Subject: [PATCH 1/4] Switch from CircleCI runners to Github actions.

As part of this change, the dev (build) and end-user test images names
changed from `dangerzone.rocks/*` to `ghcr.io`.

A new `--sync` option is provided in the `env.py` command, in order to
retrieve the images from the registry, or build and upload otherwise.
---
 .circleci/config.yml        | 628 ------------------------------------
 .github/workflows/build.yml |  96 ++++++
 .github/workflows/ci.yml    | 283 ++++++++++++----
 dev_scripts/containers.conf |   3 +
 dev_scripts/env.py          | 129 ++++++--
 5 files changed, 421 insertions(+), 718 deletions(-)
 delete mode 100644 .circleci/config.yml
 create mode 100644 .github/workflows/build.yml
 create mode 100644 dev_scripts/containers.conf

diff --git a/.circleci/config.yml b/.circleci/config.yml
deleted file mode 100644
index 94bf93cfa..000000000
--- a/.circleci/config.yml
+++ /dev/null
@@ -1,628 +0,0 @@
-version: 2.1
-
-aliases:
-  - &install-podman
-    name: Install Podman in Ubuntu Focal
-    command: ./install/linux/install-podman-ubuntu-focal.sh
-
-  - &install-dependencies-deb
-    name: Install dependencies (deb)
-    command: |
-      export DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true
-      apt-get update
-      apt build-dep -y .
-
-  - &install-dependencies-rpm
-    name: Install dependencies (rpm)
-    command: |
-      dnf install -y rpm-build python3 python3-devel python3-poetry-core pipx
-      pipx install poetry
-
-  - &build-deb
-    name: Build the .deb package
-    command: |
-      ./install/linux/build-deb.py
-      ls -lh deb_dist/
-
-  - &build-rpm
-    name: Build the .rpm package
-    command: |
-      PATH=/root/.local/bin:$PATH ./install/linux/build-rpm.py
-      ls -lh dist/
-
-  - &build-rpm-qubes
-    name: Build the Qubes .rpm package
-    command: |
-      PATH=/root/.local/bin:$PATH ./install/linux/build-rpm.py --qubes
-      ls -lh dist/
-
-  - &calculate-cache-key
-    name: Caculating container cache key
-    command: |
-      mkdir -p /caches/
-      cd dangerzone/conversion/
-      cat common.py doc_to_pixels.py pixels_to_pdf.py | sha1sum | cut -d' ' -f1 > /caches/cache-id.txt
-      cd ../../
-
-  - &restore-cache
-    key: v1-{{ checksum "Dockerfile" }}-{{ checksum "/caches/cache-id.txt" }}
-    paths:
-      - /caches/container.tar.gz
-      - /caches/image-id.txt
-
-  - &copy-image
-    name: Copy container image into package
-    command: |
-      cp /caches/container.tar.gz share/
-      cp /caches/image-id.txt share/
-
-jobs:
-  run-lint:
-    docker:
-      - image: debian:bookworm
-    resource_class: small
-    steps:
-      - checkout
-      - run:
-          name: Install dev. dependencies
-          # Install only the necessary packages to run our linters.
-          #
-          # We run poetry with --no-ansi, to sidestep a Poetry bug that
-          # currently exists in 1.3. See:
-          # https://github.com/freedomofpress/dangerzone/issues/292#issuecomment-1351368122
-          command: |
-            apt-get update
-            apt-get install -y git make python3 python3-poetry --no-install-recommends
-            poetry install --no-ansi --only lint,test
-      - run:
-          name: Run linters to enforce code style
-          command: poetry run make lint
-      - run:
-          name: Check that the QA script is up to date with the docs
-          command: ./dev_scripts/qa.py --check-refs
-
-  build-container-image:
-    machine:
-      image: ubuntu-2004:202111-01
-    steps:
-      - checkout
-      - run: *install-podman
-      - run:
-          name: Prepare cache directory
-          command: |
-            sudo mkdir -p /caches
-            sudo chown -R $USER:$USER /caches
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      # setup_remote_docker
-      - run:
-          name: Build Dangerzone image
-          command: |
-            if [ -f "/caches/container.tar.gz" ]; then
-              echo "Already cached, skipping"
-            else
-              sudo pip3 install poetry
-              python3 ./install/common/build-image.py
-            fi
-      - run:
-          name: Save Dangerzone image and image-id.txt to cache
-          command: |
-            if [ -f "/caches/container.tar.gz" ]; then
-              echo "Already cached, skipping"
-            else
-              mkdir -p /caches
-              podman save -o /caches/container.tar dangerzone.rocks/dangerzone
-              gzip -f /caches/container.tar
-              podman image ls dangerzone.rocks/dangerzone | grep "dangerzone.rocks/dangerzone" | tr -s ' ' | cut -d' ' -f3 > /caches/image-id.txt
-            fi
-      - run: *calculate-cache-key
-      - save_cache:
-          key: v1-{{ checksum "Dockerfile" }}-{{ checksum "/caches/cache-id.txt" }}
-          paths:
-            - /caches/container.tar.gz
-            - /caches/image-id.txt
-
-  convert-test-docs:
-    machine:
-      image: ubuntu-2004:202111-01
-    steps:
-      - checkout
-      - run: *install-podman
-      - run:
-          name: Install poetry dependencies
-          command: |
-            sudo pip3 install poetry
-            # This flag is important, due to an open upstream Poetry issue:
-            # https://github.com/python-poetry/poetry/issues/7184
-            poetry install --no-ansi
-      - run:
-          name: Install test dependencies
-          command: |
-            sudo apt-get install -y libqt5gui5 libxcb-cursor0 --no-install-recommends
-      - run:
-          name: Prepare cache directory
-          command: |
-            sudo mkdir -p /caches
-            sudo chown -R $USER:$USER /caches
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-      - run:
-          name: run automated tests
-          command: |
-            poetry run make test
-
-  ci-ubuntu-noble:
-    machine:
-      image: ubuntu-2004:202111-01
-    steps:
-      - checkout
-      - run: *install-podman
-
-      - run:
-          name: Prepare cache directory
-          command: |
-            sudo mkdir -p /caches
-            sudo chown -R $USER:$USER /caches
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-
-      - run:
-          name: Prepare Dangerzone environment
-          command: |
-            ./dev_scripts/env.py --distro ubuntu --version 24.04 build-dev
-
-      - run:
-          name: Run CI tests
-          command: |
-            ./dev_scripts/env.py --distro ubuntu --version 24.04 run --dev \
-                bash -c 'cd dangerzone; poetry run make test'
-
-  ci-ubuntu-mantic:
-    machine:
-      image: ubuntu-2004:202111-01
-    steps:
-      - checkout
-      - run: *install-podman
-
-      - run:
-          name: Prepare cache directory
-          command: |
-            sudo mkdir -p /caches
-            sudo chown -R $USER:$USER /caches
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-
-      - run:
-          name: Prepare Dangerzone environment
-          command: |
-            ./dev_scripts/env.py --distro ubuntu --version 23.10 build-dev
-
-      - run:
-          name: Run CI tests
-          command: |
-            ./dev_scripts/env.py --distro ubuntu --version 23.10 run --dev \
-                bash -c 'cd dangerzone; poetry run make test'
-
-  ci-ubuntu-jammy:
-    machine:
-      image: ubuntu-2004:202111-01
-    steps:
-      - checkout
-      - run: *install-podman
-
-      - run:
-          name: Prepare cache directory
-          command: |
-            sudo mkdir -p /caches
-            sudo chown -R $USER:$USER /caches
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-
-      - run:
-          name: Prepare Dangerzone environment
-          command: |
-            ./dev_scripts/env.py --distro ubuntu --version 22.04 build-dev
-
-      - run:
-          name: Run CI tests
-          command: |
-            ./dev_scripts/env.py --distro ubuntu --version 22.04 run --dev \
-                bash -c 'cd dangerzone; poetry run make test'
-
-  ci-ubuntu-focal:
-    machine:
-      image: ubuntu-2004:202111-01
-    steps:
-      - checkout
-      - run: *install-podman
-
-      - run:
-          name: Prepare cache directory
-          command: |
-            sudo mkdir -p /caches
-            sudo chown -R $USER:$USER /caches
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-
-      - run:
-          name: Prepare Dangerzone environment
-          command: |
-            ./dev_scripts/env.py --distro ubuntu --version 20.04 build-dev
-
-      - run:
-          name: Run CI tests
-          command: |
-            ./dev_scripts/env.py --distro ubuntu --version 20.04 run --dev \
-                bash -c 'cd dangerzone; poetry run make test'
-
-  ci-fedora-40:
-    machine:
-      image: ubuntu-2204:current
-    steps:
-      - checkout
-      - run: *install-podman
-      - run:
-          name: Configure Podman for Ubuntu 22.04
-          command: |
-            # This config circumvents the following issues:
-            # * https://github.com/containers/podman/issues/6368
-            # * https://github.com/containers/podman/issues/10987
-            mkdir -p ~/.config/containers
-            cat > ~/.config/containers/containers.conf \<<EOF
-            [engine]
-            cgroup_manager="cgroupfs"
-            events_logger="file"
-            EOF
-
-      - run:
-          name: Prepare cache directory
-          command: |
-            sudo mkdir -p /caches
-            sudo chown -R $USER:$USER /caches
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-
-      - run:
-          name: Prepare Dangerzone environment
-          command: |
-            ./dev_scripts/env.py --distro fedora --version 40 build-dev
-
-      - run:
-          name: Run CI tests
-          command: |
-            ./dev_scripts/env.py --distro fedora --version 40 run --dev \
-                bash -c 'cd dangerzone; poetry run make test'
-
-  ci-fedora-39:
-    machine:
-      image: ubuntu-2004:202111-01
-    steps:
-      - checkout
-      - run: *install-podman
-
-      - run:
-          name: Prepare cache directory
-          command: |
-            sudo mkdir -p /caches
-            sudo chown -R $USER:$USER /caches
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-
-      - run:
-          name: Prepare Dangerzone environment
-          command: |
-            ./dev_scripts/env.py --distro fedora --version 39 build-dev
-
-      - run:
-          name: Run CI tests
-          command: |
-            ./dev_scripts/env.py --distro fedora --version 39 run --dev \
-                bash -c 'cd dangerzone; poetry run make test'
-
-  ci-debian-trixie:
-    machine:
-      image: ubuntu-2204:current
-    steps:
-      - checkout
-      - run: *install-podman
-      - run:
-          name: Configure Podman for Ubuntu 22.04
-          command: |
-            # This config circumvents the following issues:
-            # * https://github.com/containers/podman/issues/6368
-            # * https://github.com/containers/podman/issues/10987
-            mkdir -p ~/.config/containers
-            cat > ~/.config/containers/containers.conf \<<EOF
-            [engine]
-            cgroup_manager="cgroupfs"
-            events_logger="file"
-            EOF
-
-      - run:
-          name: Prepare cache directory
-          command: |
-            sudo mkdir -p /caches
-            sudo chown -R $USER:$USER /caches
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-
-      - run:
-          name: Prepare Dangerzone environment
-          command: |
-            ./dev_scripts/env.py --distro debian --version trixie build-dev
-
-      - run:
-          name: Run CI tests
-          command: |
-            ./dev_scripts/env.py --distro debian --version trixie run --dev \
-                bash -c 'cd dangerzone; poetry run make test'
-
-  ci-debian-bookworm:
-    machine:
-      image: ubuntu-2004:202111-01
-    steps:
-      - checkout
-      - run: *install-podman
-
-      - run:
-          name: Prepare cache directory
-          command: |
-            sudo mkdir -p /caches
-            sudo chown -R $USER:$USER /caches
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-
-      - run:
-          name: Prepare Dangerzone environment
-          command: |
-            ./dev_scripts/env.py --distro debian --version bookworm build-dev
-
-      - run:
-          name: Run CI tests
-          command: |
-            ./dev_scripts/env.py --distro debian --version bookworm run --dev \
-                bash -c 'cd dangerzone; poetry run make test'
-
-  # NOTE: Making CI tests work in Debian Bullseye requires some tip-toeing
-  # around certain Podman issues, as you'll see below. Read the following for
-  # more details:
-  #
-  # https://github.com/freedomofpress/dangerzone/issues/388
-  ci-debian-bullseye:
-    machine:
-      image: ubuntu-2204:2023.04.2
-    steps:
-      - checkout
-      - run: *install-podman
-      - run:
-          name: Configure Podman for Ubuntu 22.04
-          command: |
-            # This config circumvents the following issues:
-            # * https://github.com/containers/podman/issues/6368
-            # * https://github.com/containers/podman/issues/10987
-            mkdir -p ~/.config/containers
-            cat > ~/.config/containers/containers.conf \<<EOF
-            [engine]
-            cgroup_manager="cgroupfs"
-            events_logger="file"
-            EOF
-
-      - run:
-          name: Prepare cache directory
-          command: |
-            sudo mkdir -p /caches
-            sudo chown -R $USER:$USER /caches
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-
-      - run:
-          name: Prepare Dangerzone environment
-          command: |
-            ./dev_scripts/env.py --distro debian --version bullseye build-dev
-
-      - run:
-          name: Configure Podman for Debian Bullseye
-          command: |
-            # Copy the Podman config into the container image we created for the
-            # Dangerzone environment.
-            cp ~/.config/containers/containers.conf containers.conf
-            cat > Dockerfile.bullseye \<<EOF
-            FROM dangerzone.rocks/build/debian:bullseye-backports
-            RUN mkdir -p /home/user/.config/containers
-            COPY containers.conf /home/user/.config/containers/
-            EOF
-
-            # Create a new image from the Dangerzone environment and re-tag it.
-            podman build -t dangerzone.rocks/build/debian:bullseye-backports \
-                -f Dockerfile.bullseye .
-
-      - run:
-          name: Run CI tests
-          command: |
-            ./dev_scripts/env.py --distro debian --version bullseye run --dev \
-                bash -c 'cd dangerzone; poetry run make test'
-
-  build-ubuntu-noble:
-    docker:
-      - image: ubuntu:24.04
-    resource_class: medium+
-    steps:
-      - checkout
-      - run: *install-dependencies-deb
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-      - run: *build-deb
-
-  build-ubuntu-mantic:
-    docker:
-      - image: ubuntu:23.10
-    resource_class: medium+
-    steps:
-      - checkout
-      - run: *install-dependencies-deb
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-      - run: *build-deb
-
-  build-ubuntu-jammy:
-    docker:
-      - image: ubuntu:22.04
-    resource_class: medium+
-    steps:
-      - checkout
-      - run: *install-dependencies-deb
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-      - run: *build-deb
-
-  build-ubuntu-focal:
-    docker:
-      - image: ubuntu:20.04
-    resource_class: medium+
-    steps:
-      - checkout
-      - run: *install-dependencies-deb
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-      - run: *build-deb
-
-  build-debian-trixie:
-    docker:
-      - image: debian:trixie
-    resource_class: medium+
-    steps:
-      - checkout
-      - run: *install-dependencies-deb
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-      - run: *build-deb
-
-  build-debian-bookworm:
-    docker:
-      - image: debian:bookworm
-    resource_class: medium+
-    steps:
-      - checkout
-      - run: *install-dependencies-deb
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-      - run: *build-deb
-
-  build-debian-bullseye:
-    docker:
-      - image: debian:bullseye
-    resource_class: medium+
-    steps:
-      - checkout
-      - run: *install-dependencies-deb
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-      - run: *build-deb
-
-  build-fedora-40:
-    docker:
-      - image: fedora:40
-    resource_class: medium+
-    steps:
-      - run: *install-dependencies-rpm
-      - checkout
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-      - run: *build-rpm
-      - run: *build-rpm-qubes
-
-  build-fedora-39:
-    docker:
-      - image: fedora:39
-    resource_class: medium+
-    steps:
-      - run: *install-dependencies-rpm
-      - checkout
-      - run: *calculate-cache-key
-      - restore_cache: *restore-cache
-      - run: *copy-image
-      - run: *build-rpm
-      - run: *build-rpm-qubes
-
-workflows:
-  version: 2
-
-  build:
-    jobs:
-      - run-lint
-      - build-container-image
-      - convert-test-docs:
-          requires:
-            - build-container-image
-      - ci-ubuntu-noble:
-          requires:
-            - build-container-image
-      - ci-ubuntu-mantic:
-          requires:
-            - build-container-image
-      - ci-ubuntu-jammy:
-          requires:
-            - build-container-image
-      - ci-ubuntu-focal:
-          requires:
-            - build-container-image
-      - ci-debian-trixie:
-          requires:
-            - build-container-image
-      - ci-debian-bookworm:
-          requires:
-            - build-container-image
-      - ci-debian-bullseye:
-          requires:
-            - build-container-image
-      - ci-fedora-40:
-          requires:
-            - build-container-image
-      - ci-fedora-39:
-          requires:
-            - build-container-image
-      - build-ubuntu-noble:
-          requires:
-            - build-container-image
-      - build-ubuntu-mantic:
-          requires:
-            - build-container-image
-      - build-ubuntu-jammy:
-          requires:
-            - build-container-image
-      - build-ubuntu-focal:
-          requires:
-            - build-container-image
-      - build-debian-bullseye:
-          requires:
-            - build-container-image
-      - build-debian-trixie:
-          requires:
-            - build-container-image
-      - build-debian-bookworm:
-          requires:
-            - build-container-image
-      - build-fedora-40:
-          requires:
-            - build-container-image
-      - build-fedora-39:
-          requires:
-            - build-container-image
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 000000000..489c574fc
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,96 @@
+name: Build dev environments
+on:
+  push:
+  schedule:
+    - cron: "0 0 * * *" # Run every day at 00:00 UTC.
+
+permissions:
+  packages: write
+
+env:
+  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+  REGISTRY_USER: ${{ github.actor }}
+  REGISTRY_PASSWORD: ${{ github.token }}
+
+# Each day, build and publish to ghcr.io:
+#
+# - the dangerzone/dangerzone container image
+# - the dangerzone/build/{debian,ubuntu,fedora}:version
+#   dev environments used to run the tests
+#
+# End-user environments are not published to the GHCR because
+# they need .rpm or .deb files to be built, which is what we
+# want to test.
+
+jobs:
+  build-dev-environment:
+    name: "Build dev-env (${{ matrix.distro }}-${{ matrix.version }})"
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - distro: ubuntu
+            version: "20.04"
+          - distro: ubuntu
+            version: "22.04"
+          - distro: ubuntu
+            version: "23.10"
+          - distro: ubuntu
+            version: "24.04"
+          - distro: debian
+            version: bullseye
+          - distro: debian
+            version: bookworm
+          - distro: debian
+            version: trixie
+          - distro: fedora
+            version: "39"
+          - distro: fedora
+            version: "40"
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+
+      - name: Login to GHCR
+        run: |
+          echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin
+
+      - name: Build dev environment
+        run: |
+          ./dev_scripts/env.py --distro ${{ matrix.distro }} \
+              --version ${{ matrix.version }} \
+              build-dev --sync
+
+  build-container-image:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Get current date
+        id: date
+        run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
+
+      - name: Cache container image
+        id: cache-container-image
+        uses: actions/cache@v4
+        with:
+          key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
+          path: |
+            share/container.tar.gz
+            share/image-id.txt
+
+      - name: Build and push Dangerzone image
+        if: ${{ steps.cache-container-image.outputs.cache-hit != 'true' }}
+        run: |
+          sudo apt-get install -y python3-poetry
+          python3 ./install/common/build-image.py
+          echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin
+          gunzip -c share/container.tar.gz | podman load
+          podman push \
+                  dangerzone.rocks/dangerzone \
+                  ${{ env.IMAGE_REGISTRY }}/dangerzone/dangerzone
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 57d6a3c6d..a8c4ffe76 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,10 +4,70 @@ on:
   pull_request:
     branches: [main]
   schedule:
-    - cron: "0 0 * * *" # Run every day at 00:00 UTC.
+    - cron: "2 0 * * *" # Run every day at 02:00 UTC.
   workflow_dispatch:
 
+permissions:
+  packages: write
+
+env:
+  REGISTRY_USER: ${{ github.actor }}
+  REGISTRY_PASSWORD: ${{ github.token }}
+  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+  # This is required for running GUI tests on Github Actions
+  DISPLAY: ":99.0"
+  QT_SELECT: "qt6"
+
+# Disable multiple concurrent runs on the same branch
+# When a new CI build is triggered, it will cancel the
+# other in-progress ones (for the same branch)
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
+  run-lint:
+    runs-on: ubuntu-latest
+    container:
+      image: debian:bookworm
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install dev. dependencies
+        run: |-
+          apt-get update
+          apt-get install -y git make python3 python3-poetry --no-install-recommends
+          poetry install --only lint,test
+      - name: Run linters to enforce code style
+        run: poetry run make lint
+      - name: Check that the QA script is up to date with the docs
+        run: "./dev_scripts/qa.py --check-refs"
+
+  # This is already built daily by the "build.yml" file
+  # But we also want to include this in the checks that run on each push.
+  build-container-image:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Get current date
+        id: date
+        run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
+
+      - name: Cache container image
+        id: cache-container-image
+        uses: actions/cache@v4
+        with:
+          key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
+          path: |-
+            share/container.tar.gz
+            share/image-id.txt
+
+      - name: Build Dangerzone container image
+        if: ${{ steps.cache-container-image.outputs.cache-hit != 'true' }}
+        run: |
+          sudo apt-get install -y python3-poetry
+          python3 ./install/common/build-image.py
+
   windows:
     runs-on: windows-latest
     env:
@@ -44,11 +104,26 @@ jobs:
         run: poetry run make test
 
   build-deb:
+    name: "build-deb (${{ matrix.distro }} ${{ matrix.version }})"
     runs-on: ubuntu-latest
-    env:
-      target: debian-bookworm
-      distro: debian
-      version: bookworm
+    needs: build-container-image
+    strategy:
+      matrix:
+        include:
+          - distro: ubuntu
+            version: "20.04"
+          - distro: ubuntu
+            version: "22.04"
+          - distro: ubuntu
+            version: "23.10"
+          - distro: ubuntu
+            version: "24.04"
+          - distro: debian
+            version: bullseye
+          - distro: debian
+            version: bookworm
+          - distro: debian
+            version: trixie
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -57,56 +132,65 @@ jobs:
         with:
           python-version: "3.10"
 
-      - name: Build dev environment
+      - name: Login to GHCR
+        run: |
+          echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin
+
+      - name: Get the dev environment
         run: |
-          ./dev_scripts/env.py --distro ${{ env.distro }} \
-              --version ${{ env.version }} \
-              build-dev
+          ./dev_scripts/env.py \
+              --distro ${{ matrix.distro }} \
+              --version ${{ matrix.version }} \
+              build-dev --sync
 
-      - name: Install container build dependencies
-        run: sudo apt install pipx && pipx install poetry
+      - name: Get current date
+        id: date
+        run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
 
-      - name: Build Dangerzone image
-        run: python3 ./install/common/build-image.py
+      - name: Restore container cache
+        uses: actions/cache/restore@v4
+        with:
+          key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
+          path: |-
+            share/container.tar.gz
+            share/image-id.txt
+          fail-on-cache-miss: true
 
       - name: Build Dangerzone .deb
         run: |
-          ./dev_scripts/env.py --distro ${{ env.distro }} \
-              --version ${{ env.version }} \
+          ./dev_scripts/env.py --distro ${{ matrix.distro }} \
+              --version ${{ matrix.version }} \
               run --dev --no-gui ./dangerzone/install/linux/build-deb.py
 
       - name: Upload Dangerzone .deb
+        if: matrix.distro == 'debian' && matrix.version == 'bookworm'
         uses: actions/upload-artifact@v4
         with:
           name: dangerzone.deb
           path: "deb_dist/dangerzone_*_*.deb"
+          if-no-files-found: error
+          compression-level: 0
 
   install-deb:
+    name: "install-deb (${{ matrix.distro }} ${{ matrix.version }})"
     runs-on: ubuntu-latest
     needs: build-deb
     strategy:
       matrix:
         include:
-          - target: ubuntu-20.04
-            distro: ubuntu
+          - distro: ubuntu
             version: "20.04"
-          - target: ubuntu-22.04
-            distro: ubuntu
+          - distro: ubuntu
             version: "22.04"
-          - target: ubuntu-23.10
-            distro: ubuntu
+          - distro: ubuntu
             version: "23.10"
-          - target: ubuntu-24.04
-            distro: ubuntu
+          - distro: ubuntu
             version: "24.04"
-          - target: debian-bullseye
-            distro: debian
+          - distro: debian
             version: bullseye
-          - target: debian-bookworm
-            distro: debian
+          - distro: debian
             version: bookworm
-          - target: debian-trixie
-            distro: debian
+          - distro: debian
             version: trixie
 
     steps:
@@ -123,36 +207,12 @@ jobs:
           name: dangerzone.deb
           path: "deb_dist/"
 
-      - name: Create end-user environment on (${{ matrix.target }})
+      - name: Build end-user environment
         run: |
           ./dev_scripts/env.py --distro ${{ matrix.distro }} \
               --version ${{ matrix.version }} \
               build
 
-      - name: Configure Podman for Debian Bullseye specifically
-        if: matrix.target == 'debian-bullseye'
-        run: |
-          # Create a Podman config specifically for Bullseye (see #388).
-          mkdir bullseye_fix
-          cd bullseye_fix
-          cat > containers.conf <<EOF
-          [engine]
-          cgroup_manager="cgroupfs"
-          events_logger="file"
-          EOF
-
-          # Copy the Podman config into the container image we created for the
-          # Dangerzone environment.
-          cat > Dockerfile.bullseye <<EOF
-          FROM dangerzone.rocks/debian:bullseye-backports
-          RUN mkdir -p /home/user/.config/containers
-          COPY containers.conf /home/user/.config/containers/
-          EOF
-
-          # Create a new image from the Dangerzone environment and re-tag it.
-          podman build -t dangerzone.rocks/debian:bullseye-backports \
-              -f Dockerfile.bullseye .
-
       - name: Run a test command
         run: |
           ./dev_scripts/env.py --distro ${{ matrix.distro }} \
@@ -166,31 +226,44 @@ jobs:
               run dangerzone --help
 
   build-install-rpm:
-    name: "Build and install a Dangerzone RPM on Fedora ${{matrix.version}}"
+    name: "build-install-rpm (${{ matrix.distro }} ${{matrix.version}})"
     runs-on: ubuntu-latest
+    needs: build-container-image
     strategy:
       matrix:
-        include:
-          - version: "39"
-          - version: "40"
+        distro: ["fedora"]
+        version: ["39", "40"]
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Build dev environment
+      - name: Login to GHCR
         run: |
-          ./dev_scripts/env.py --distro fedora --version ${{ matrix.version }} \
-              build-dev
+          echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin
 
-      - name: Build Dangerzone image
+      - name: Get the dev environment
         run: |
-          ./dev_scripts/env.py --distro fedora --version ${{ matrix.version }} \
-              run --dev --no-gui \
-              bash -c 'cd /home/user/dangerzone && python3 ./install/common/build-image.py'
+          ./dev_scripts/env.py \
+              --distro ${{ matrix.distro }} \
+              --version ${{ matrix.version }} \
+              build-dev --sync
+
+      - name: Get current date
+        id: date
+        run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
+
+      - name: Restore container image
+        uses: actions/cache/restore@v4
+        with:
+          key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
+          path: |-
+            share/container.tar.gz
+            share/image-id.txt
+          fail-on-cache-miss: true
 
       - name: Build Dangerzone .rpm
         run: |
-          ./dev_scripts/env.py --distro fedora --version ${{ matrix.version }} \
+          ./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} \
               run --dev --no-gui ./dangerzone/install/linux/build-rpm.py
 
       # Reclaim some space in this step, now that the dev environment is no
@@ -201,15 +274,87 @@ jobs:
 
       - name: Build end-user environment
         run: |
-          ./dev_scripts/env.py --distro fedora --version ${{ matrix.version }} \
+          ./dev_scripts/env.py --distro ${{ matrix.distro }} \
+              --version ${{ matrix.version }} \
               build --download-pyside6
 
       - name: Run a test command
         run: |
-          ./dev_scripts/env.py --distro fedora --version ${{ matrix.version }} \
+          ./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} \
               run dangerzone-cli dangerzone/tests/test_docs/sample-pdf.pdf
 
       - name: Check that the Dangerzone GUI imports work
         run: |
-          ./dev_scripts/env.py --distro fedora --version ${{ matrix.version }} \
+          ./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} \
               run dangerzone --help
+
+  run-tests:
+    name: "run tests (${{ matrix.distro }} ${{ matrix.version }})"
+    runs-on: ubuntu-latest
+    needs: build-container-image
+    strategy:
+      matrix:
+        include:
+          - distro: ubuntu
+            version: "20.04"
+          - distro: ubuntu
+            version: "22.04"
+          - distro: ubuntu
+            version: "23.10"
+          - distro: ubuntu
+            version: "24.04"
+          - distro: debian
+            version: bullseye
+          - distro: debian
+            version: bookworm
+          - distro: debian
+            version: trixie
+          - distro: fedora
+            version: "39"
+          - distro: fedora
+            version: "40"
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+
+      - name: Login to GHCR
+        run: |
+          echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin
+
+      - name: Get current date
+        id: date
+        run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
+
+      - name: Get the dev environment
+        run: |
+          ./dev_scripts/env.py \
+              --distro ${{ matrix.distro }} \
+              --version ${{ matrix.version }} \
+              build-dev --sync
+
+      - name: Restore container image
+        uses: actions/cache/restore@v4
+        with:
+          key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
+          path: |-
+            share/container.tar.gz
+            share/image-id.txt
+          fail-on-cache-miss: true
+
+      - name: Setup xvfb (Linux)
+        run: |
+          # Stuff copied wildly from several stackoverflow posts
+          sudo apt-get install -y xvfb libxkbcommon-x11-0 libxcb-icccm4 libxcb-image0 libxcb-keysyms1 libxcb-randr0 libxcb-render-util0 libxcb-xinerama0 libxcb-xinput0 libxcb-xfixes0 libxcb-shape0 libglib2.0-0 libgl1-mesa-dev '^libxcb.*-dev' libx11-xcb-dev libglu1-mesa-dev libxrender-dev libxi-dev libxkbcommon-dev libxkbcommon-x11-dev
+
+          # start xvfb in the background
+          sudo /usr/bin/Xvfb $DISPLAY -screen 0 1280x1024x24 &
+
+      - name: Run CI tests
+        run: |-
+          ./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} run --dev \
+              bash -c 'cd dangerzone; poetry run make test'
diff --git a/dev_scripts/containers.conf b/dev_scripts/containers.conf
new file mode 100644
index 000000000..e638b650f
--- /dev/null
+++ b/dev_scripts/containers.conf
@@ -0,0 +1,3 @@
+[engine]
+cgroup_manager="cgroupfs"
+events_logger="file"
diff --git a/dev_scripts/env.py b/dev_scripts/env.py
index 61ba88152..8f21ddacd 100755
--- a/dev_scripts/env.py
+++ b/dev_scripts/env.py
@@ -1,6 +1,7 @@
 #!/usr/bin/env python3
 
 import argparse
+import hashlib
 import os
 import pathlib
 import platform
@@ -8,6 +9,7 @@
 import subprocess
 import sys
 import urllib.request
+from datetime import date
 
 DEFAULT_GUI = True
 DEFAULT_USER = "user"
@@ -56,8 +58,13 @@
 # FIXME: Maybe create an enum for these values.
 DISTROS = ["debian", "fedora", "ubuntu"]
 CONTAINER_RUNTIMES = ["podman", "docker"]
-IMAGE_NAME_BUILD_DEV_FMT = "dangerzone.rocks/build/{distro}:{version}"
-IMAGE_NAME_BUILD_FMT = "dangerzone.rocks/{distro}:{version}"
+IMAGES_REGISTRY = "ghcr.io/freedomofpress/"
+IMAGE_NAME_BUILD_DEV_FMT = (
+    IMAGES_REGISTRY + "v2/dangerzone/build-dev/{distro}-{version}:{date}-{hash}"
+)
+IMAGE_NAME_BUILD_ENDUSER_FMT = (
+    IMAGES_REGISTRY + "v2/dangerzone/end-user/{distro}-{version}:{date}-{hash}"
+)
 
 EPILOG = """\
 Examples:
@@ -306,14 +313,45 @@ def distro_build(distro, version):
     return distro_root(distro, version) / "build"
 
 
-def image_name_build(distro, version):
+def get_current_date():
+    return date.today().strftime("%Y-%m-%d")
+
+
+def get_build_dir_sources(distro, version):
+    """Return the files needed to build an image."""
+    sources = [
+        git_root() / "pyproject.toml",
+        git_root() / "poetry.lock",
+        git_root() / "dev_scripts" / "storage.conf",
+        git_root() / "dev_scripts" / "containers.conf",
+    ]
+
+    if distro == "ubuntu" and version in ("22.04", "jammy"):
+        sources.extend(
+            [
+                git_root() / "dev_scripts" / "apt-tools-prod.pref",
+                git_root() / "dev_scripts" / "apt-tools-prod.sources",
+            ]
+        )
+    return sources
+
+
+def image_name_build_dev(distro, version):
     """Get the container image for the dev variant of a Dangerzone environment."""
-    return IMAGE_NAME_BUILD_DEV_FMT.format(distro=distro, version=version)
+    hash = hash_files(get_build_dir_sources(distro, version))
+
+    return IMAGE_NAME_BUILD_DEV_FMT.format(
+        distro=distro, version=version, hash=hash, date=get_current_date()
+    )
 
 
-def image_name_install(distro, version):
-    """Get the container image for the Dangerzone environment."""
-    return IMAGE_NAME_BUILD_FMT.format(distro=distro, version=version)
+def image_name_build_enduser(distro, version):
+    """Get the container image for the Dangerzone end-user environment."""
+
+    hash = hash_files(get_files_in("install/linux", "debian"))
+    return IMAGE_NAME_BUILD_ENDUSER_FMT.format(
+        distro=distro, version=version, hash=hash, date=get_current_date()
+    )
 
 
 def dz_version():
@@ -322,6 +360,25 @@ def dz_version():
         return f.read().strip()
 
 
+def hash_files(file_paths: list[pathlib.Path]) -> str:
+    """Returns the hash value of a list of files using the sha256 hashing algorithm."""
+    hash_obj = hashlib.new("sha256")
+    for path in file_paths:
+        with open(path, "rb") as file:
+            file_data = file.read()
+            hash_obj.update(file_data)
+
+    return hash_obj.hexdigest()
+
+
+def get_files_in(*folders: list[str]) -> list[pathlib.Path]:
+    """Return the list of all files present in the given folders"""
+    files = []
+    for folder in folders:
+        files.extend([p for p in (git_root() / folder).glob("**") if p.is_file()])
+    return files
+
+
 class PySide6Manager:
     """Provision PySide6 RPMs in our Dangerzone environments.
 
@@ -553,13 +610,13 @@ def run(
             run_cmd += [
                 "--hostname",
                 "dangerzone-dev",
-                image_name_build(self.distro, self.version),
+                image_name_build_dev(self.distro, self.version),
             ]
         else:
             run_cmd += [
                 "--hostname",
                 "dangerzone",
-                image_name_install(self.distro, self.version),
+                image_name_build_enduser(self.distro, self.version),
             ]
 
         run_cmd += cmd
@@ -575,8 +632,33 @@ def run(
         (dist_state / ".bash_history").touch(exist_ok=True)
         self.runtime_run(*run_cmd)
 
-    def build_dev(self, show_dockerfile=DEFAULT_SHOW_DOCKERFILE):
+    def pull_image_from_registry(self, image):
+        try:
+            subprocess.run(self.runtime_cmd + ["pull", image], check=True)
+            return True
+        except subprocess.CalledProcessError:
+            # Do not log an error here, we are just checking if the image exists
+            # on the registry.
+            return False
+
+    def push_image_to_registry(self, image):
+        try:
+            subprocess.run(self.runtime_cmd + ["push", image], check=True)
+            return True
+        except subprocess.CalledProcessError as e:
+            print("An error occured when pulling the image: ", e)
+            return False
+
+    def build_dev(self, show_dockerfile=DEFAULT_SHOW_DOCKERFILE, sync=False):
         """Build a Linux environment and install tools for Dangerzone development."""
+        image = image_name_build_dev(self.distro, self.version)
+
+        if sync and self.pull_image_from_registry(image):
+            print("Image has been pulled from the registry, no need to build it.")
+            return
+        elif sync:
+            print("Image label not in registry, building it")
+
         if self.distro == "fedora":
             install_deps = DOCKERFILE_BUILD_DEV_FEDORA_DEPS
         else:
@@ -626,20 +708,18 @@ def build_dev(self, show_dockerfile=DEFAULT_SHOW_DOCKERFILE):
         os.makedirs(build_dir, exist_ok=True)
 
         # Populate the build context.
-        shutil.copy(git_root() / "pyproject.toml", build_dir)
-        shutil.copy(git_root() / "poetry.lock", build_dir)
-        shutil.copy(git_root() / "dev_scripts" / "storage.conf", build_dir)
-        if self.distro == "ubuntu" and self.version in ("22.04", "jammy"):
-            shutil.copy(git_root() / "dev_scripts" / "apt-tools-prod.pref", build_dir)
-            shutil.copy(
-                git_root() / "dev_scripts" / "apt-tools-prod.sources", build_dir
-            )
+        for source in get_build_dir_sources(self.distro, self.version):
+            shutil.copy(source, build_dir)
+
         with open(build_dir / "Dockerfile", mode="w") as f:
             f.write(dockerfile)
 
-        image = image_name_build(self.distro, self.version)
         self.runtime_run("build", "-t", image, build_dir)
 
+        if sync:
+            if not self.push_image_to_registry(image):
+                print("An error occured while trying to push to the container registry")
+
     def build(
         self,
         show_dockerfile=DEFAULT_SHOW_DOCKERFILE,
@@ -715,6 +795,7 @@ def build(
         # Populate the build context.
         shutil.copy(package_src, package_dst)
         shutil.copy(git_root() / "dev_scripts" / "storage.conf", build_dir)
+        shutil.copy(git_root() / "dev_scripts" / "containers.conf", build_dir)
         if self.distro == "ubuntu" and self.version in ("22.04", "jammy"):
             shutil.copy(git_root() / "dev_scripts" / "apt-tools-prod.pref", build_dir)
             shutil.copy(
@@ -723,7 +804,7 @@ def build(
         with open(build_dir / "Dockerfile", mode="w") as f:
             f.write(dockerfile)
 
-        image = image_name_install(self.distro, self.version)
+        image = image_name_build_enduser(self.distro, self.version)
         self.runtime_run("build", "-t", image, build_dir)
 
 
@@ -742,7 +823,7 @@ def env_run(args):
 def env_build_dev(args):
     """Invoke the 'build-dev' command based on the CLI args."""
     env = Env.from_args(args)
-    return env.build_dev(show_dockerfile=args.show_dockerfile)
+    return env.build_dev(show_dockerfile=args.show_dockerfile, sync=args.sync)
 
 
 def env_build(args):
@@ -828,6 +909,12 @@ def parse_args():
         action="store_true",
         help="Do not build, only show the Dockerfile",
     )
+    parser_build_dev.add_argument(
+        "--sync",
+        default=False,
+        action="store_true",
+        help="Attempt to pull the image, build it if not found and push it to the container registry",
+    )
 
     # Build a development variant of a Dangerzone environment.
     parser_build = subparsers.add_parser(

From a32522f6c87c4d5502c5e8157c00a30daf662e96 Mon Sep 17 00:00:00 2001
From: Alex Pyrgiotis <alex.p@freedom.press>
Date: Tue, 1 Oct 2024 17:05:07 +0300
Subject: [PATCH 2/4] debian: Bump version to 0.7.1

Add a dummy entry in debian/changelog, to signal that the latest
Dangerzone version is 0.7.1.
---
 debian/changelog | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 86f59f6fd..1d4161811 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+dangerzone (0.7.1) unstable; urgency=low
+
+  * Released Dangerzone 0.7.1
+
+ -- Freedom of the Press Foundation   <info@freedom.press>  Tue, 1 Oct 2024 17:02:28 +0300
+
 dangerzone (0.7.0) unstable; urgency=low
 
   * Removed stdeb in favor of direct debian packaging tools

From eb2d114ea75b8ade0bf25276c5a30e7ca9eee697 Mon Sep 17 00:00:00 2001
From: Alex Pyrgiotis <alex.p@freedom.press>
Date: Tue, 1 Oct 2024 17:06:59 +0300
Subject: [PATCH 3/4] install: Catch version errors when building DEBs

Make sure that the Debian package we build conforms to the expected
naming scheme else, it's possible that something is off. A scenario
we've encountered is bumping `share/version.txt`, but not
`debian/changelog`, which would create a Debian package with an older
version.
---
 install/linux/build-deb.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/install/linux/build-deb.py b/install/linux/build-deb.py
index 10d73be33..82d87a605 100755
--- a/install/linux/build-deb.py
+++ b/install/linux/build-deb.py
@@ -64,11 +64,10 @@ def main():
 
     # dpkg-buildpackage produces a .deb file in the parent folder
     # that needs to be copied to the `deb_dist` folder manually
-    for item in root.parent.glob(f"dangerzone_{version}_*.deb"):
-        arch = item.stem.split("_")[-1]
-        destination = root / "deb_dist" / f"dangerzone_{version}-{deb_ver}_{arch}.deb"
-        shutil.move(item, destination)
-        print(f"sudo dpkg -i {destination}")
+    src = root.parent / f"dangerzone_{version}_amd64.deb"
+    destination = root / "deb_dist" / f"dangerzone_{version}-{deb_ver}_amd64.deb"
+    shutil.move(src, destination)
+    print(f"sudo dpkg -i {destination}")
 
 
 if __name__ == "__main__":

From a001b5497c8be7893b0e684f965d8f43665d432f Mon Sep 17 00:00:00 2001
From: Alex Pyrgiotis <alex.p@freedom.press>
Date: Tue, 1 Oct 2024 17:27:37 +0300
Subject: [PATCH 4/4] Add release note for Debian packages

---
 RELEASE.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/RELEASE.md b/RELEASE.md
index f3d1b78b0..301113cd0 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -13,6 +13,7 @@ Before making a release, all of these should be complete:
 - [ ] Update `version` in `pyproject.toml`
 - [ ] Update `share/version.txt`
 - [ ] Update the "Version" field in `install/linux/dangerzone.spec`
+- [ ] Bump the Debian version by adding a new changelog entry in `debian/changelog`
 - [ ] Update screenshot in `README.md`, if necessary
 - [ ] CHANGELOG.md should be updated to include a list of all major changes since the last release