Runs fetch-tor-packages with pinned version in CI

Adds a `tor_version` var to the fetch-tor-packages logic. This is yet another point of update when we bump versions, but pinning will help us avoid surprises. To that end, we're also running the fetch action in CI now, to help us catch version mismatches earlier.
freedomofpress · Mar 27, 2019 · b8b4371 · b8b4371
1 parent 455e69a
commit b8b4371
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/devops/gce-nested/gce-runner.sh b/devops/gce-nested/gce-runner.sh
@@ -59,6 +59,9 @@ if [[ "$target_platform" = "trusty" ]]; then
     ssh_gce "make build-debs-trusty-notest"
 else
     ssh_gce "make build-debs-notest"
+    # Also pull tor packages, even though they aren't used in staging.
+    # Will alert us to upstream changes in the Tor apt repo.
+    ssh_gce "make fetch-tor-packages"
 fi
 
 # The test results should be collected regardless of pass/fail,

diff --git a/molecule/fetch-tor-packages/playbook.yml b/molecule/fetch-tor-packages/playbook.yml
@@ -11,6 +11,8 @@
     tor_download_dest: "{{ sd_repo_root + '/build/' + ansible_distribution_release }}"
     tor_repo_pubkey: "{{ sd_repo_root + '/install_files/ansible-base/roles/tor-hidden-services/files/tor-signing-key.pub' }}"
     tor_repo_url: "deb https://deb.torproject.org/torproject.org {{ ansible_distribution_release }} main"
+    # Used to fetch a precise version; must also be updated in the test vars
+    tor_version: "0.3.5.8-1~xenial+1"
 
   tasks:
     - name: Add Tor apt repo pubkey
@@ -29,7 +31,7 @@
         path: "{{ tor_download_dir }}"
 
     - name: Download tor debs
-      command: apt-get download "{{ item }}"
+      command: apt-get download "{{ item }}={{ tor_version }}"
       args:
         chdir: "{{ tor_download_dir }}"
         # apt module doesn't support download, so silence warnings,