Runs fetch-tor-packages with pinned version in CI

Adds a `tor_version` var to the fetch-tor-packages logic. This is yet another point of update when we bump versions, but pinning will help us avoid surprises. To that end, we're also running the fetch action in CI now, to help us catch version mismatches earlier. Using a separate CI job so as not to add to the serial execution of the large staging job.
freedomofpress · Mar 29, 2019 · a90f731 · a90f731
1 parent 8cd1f64
commit a90f731
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 2 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -196,6 +196,15 @@ jobs:
       - setup_remote_docker
       - run: cd admin ; make test
 
+  fetch-tor-debs:
+    docker:
+      - image: gcr.io/cloud-builders/docker
+    steps:
+      - run: apt-get install -y make virtualenv python-pip
+      - checkout
+      - setup_remote_docker
+      - run: make fetch-tor-packages
+
   updater-gui-tests:
     docker:
       - image: circleci/python:3.5
@@ -308,6 +317,12 @@ workflows:
               ignore:
                 - /docs-.*/
                 - /i18n-.*/
+      - fetch-tor-debs:
+          filters:
+            branches:
+              ignore:
+                - /docs-.*/
+                - /i18n-.*/
       - updater-gui-tests:
           filters:
             branches:

diff --git a/Makefile b/Makefile
@@ -203,7 +203,7 @@ upgrade-trusty-test-qa: ## Once an upgrade environment (Trusty) is running, forc
 
 .PHONY: fetch-tor-packages
 fetch-tor-packages: ## Retrieves the most recent Tor packages for Xenial, for apt repo
-	molecule test -s fetch-tor-packages
+	@./devops/scripts/fetch-tor-packages.sh
 
 # Explaination of the below shell command should it ever break.
 # 1. Set the field separator to ": ##" and any make targets that might appear between : and ##

diff --git a/devops/scripts/fetch-tor-packages.sh b/devops/scripts/fetch-tor-packages.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# shellcheck disable=SC2209
+#
+# Wrapper around debian build logic to bootstrap virtualenv
+
+set -e
+set -u
+set -o pipefail
+
+. ./devops/scripts/boot-strap-venv.sh
+
+virtualenv_bootstrap
+
+molecule test -s fetch-tor-packages
diff --git a/molecule/fetch-tor-packages/playbook.yml b/molecule/fetch-tor-packages/playbook.yml
@@ -11,6 +11,8 @@
     tor_download_dest: "{{ sd_repo_root + '/build/' + ansible_distribution_release }}"
     tor_repo_pubkey: "{{ sd_repo_root + '/install_files/ansible-base/roles/tor-hidden-services/files/tor-signing-key.pub' }}"
     tor_repo_url: "deb https://deb.torproject.org/torproject.org {{ ansible_distribution_release }} main"
+    # Used to fetch a precise version; must also be updated in the test vars
+    tor_version: "0.3.5.8-1~xenial+1"
 
   tasks:
     - name: Add Tor apt repo pubkey
@@ -29,7 +31,7 @@
         path: "{{ tor_download_dir }}"
 
     - name: Download tor debs
-      command: apt-get download "{{ item }}"
+      command: apt-get download "{{ item }}={{ tor_version }}"
       args:
         chdir: "{{ tor_download_dir }}"
         # apt module doesn't support download, so silence warnings,