From 21df17cf7408d3a1d97971df46ac8869a34065e6 Mon Sep 17 00:00:00 2001
From: Ivan Mincik
Date: Mon, 7 Apr 2025 09:19:36 +0200
Subject: [PATCH 1/2] ci: add test-demo workflow
Closes: #698
---
 .github/workflows/test-demo.sh | 59 ++++++++++++++++++++++++++++++++
 .github/workflows/test-demo.yaml | 38 ++++++++++++++++++++
 2 files changed, 97 insertions(+)
 create mode 100644 .github/workflows/test-demo.sh
 create mode 100644 .github/workflows/test-demo.yaml
diff --git a/.github/workflows/test-demo.sh b/.github/workflows/test-demo.sh
new file mode 100644
index 000000000..27f6caf67
--- /dev/null
+++ b/.github/workflows/test-demo.sh
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+# nix build .#overview
+# podman run --privileged \
+# --volume ./result/project/Cryptpad/default.nix:/default.nix \
+# --volume .github/workflows/test-demo.sh:/test-demo.sh /bin/bash \
+# -c "bash /test-demo.sh "
+
+set -euo pipefail
+
+DISTRO="$1"
+# shellcheck disable=SC2089,2026
+NIX_CONFIG='substituters = https://cache.nixos.org/ https://ngi.cachix.org/'$'\n''trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= ngi.cachix.org-1:n+CAL72ROC3qQuLxIHpV+Tw5t42WhXmMhprAGkRSrOw='
+export NIX_CONFIG
+
+
+echo -e "\n-> Installing Nix ..."
+# Debian/Ubuntu
+if echo "$DISTRO" | grep --quiet "debian\|ubuntu"; then
+ apt update
+ apt install --yes curl git jq nix
+# Archlinux
+elif echo "$DISTRO" | grep --quiet archlinux; then
+ pacman --sync --refresh --noconfirm curl git jq nix
+# Other
+else
+ echo "ERROR: Unknown distro. Exiting ..."
+ exit 1
+fi
+
+echo -e "\n-> Nix version ..."
+function fver { printf '%d%02d%02d' "${1}" "${2:-0}" "${3:-0}"; }
+NIX_VERSION=$(fver $(nix --version | grep -oP '([0-9]+\.?)+' | sed 's/\./ /g'))
+echo "Nix version: $NIX_VERSION"
+
+echo -e "\n-> Building VM ..."
+# Nix versions < 2.24 don't work for our use case due to regression in
+# closureInfo.
+# https://github.com/NixOS/nix/issues/6820
+if [ "$NIX_VERSION" -ge 22400 ]; then
+ echo "Using Nix installed by Linux package manager"
+ nix-build /default.nix
+else
+ echo "Using Nix from Nixpkgs unstable"
+
+ nixpkgs_revision=$(
+ nix-instantiate --eval --attr sources.nixpkgs.rev https://github.com/ngi-nix/ngipkgs/archive/master.tar.gz \
+ | jq --raw-output
+ )
+ NIXPKGS="https://github.com/NixOS/nixpkgs/archive/$nixpkgs_revision.tar.gz"
+
+ nix-shell --include nixpkgs="$NIXPKGS" --packages nix --run "nix-build /default.nix"
+fi
+
+echo -e "\n-> Launching VM ..."
+./result &
+
+echo -e "\n-> Running test ..."
+curl --retry 10 --retry-all-errors --fail localhost:9000 | grep CryptPad
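Review bot: The fallback branch derives `nixpkgs_revision` by evaluating `sources.nixpkgs.rev` from the unpinned `ngi-nix/ngipkgs/archive/master.tar.gz`, so on a pull request the VM is built against whatever nixpkgs the main branch currently pins rather than the checkout under test, and the outcome can change between runs without any change to the repository. Since the workflow already has the checkout on the host, it could compute the revision there and hand it in, keeping the network lookup only as a fallback: `nixpkgs_revision="${NIXPKGS_REV:-$(nix-instantiate --eval --attr sources.nixpkgs.rev https://github.com/ngi-nix/ngipkgs/archive/master.tar.gz | jq --raw-output)}"`. Separately, `./result &` is never waited on or cleaned up and the `curl --retry 10` has no `--max-time`, so a VM that never answers on :9000 holds the job for the whole exponential retry schedule; adding `--max-time` to the curl and recording `$!` after `./result &` to kill in an `EXIT` trap would bound that and stop the VM on every exit path.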
diff --git a/.github/workflows/test-demo.yaml b/.github/workflows/test-demo.yaml
new file mode 100644
index 000000000..f99863714
--- /dev/null
+++ b/.github/workflows/test-demo.yaml
@@ -0,0 +1,38 @@
+name: Test VM demo
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+ workflow_dispatch:
+
+jobs:
+ test:
+ strategy:
+ fail-fast: false
+ matrix:
+ distro:
+ - "archlinux:latest"
+ - "debian:12"
+ - "debian:unstable"
+ - "ubuntu:24.04"
+ - "ubuntu:24.10"
+ - "ubuntu:devel"
+
+ runs-on: ubuntu-latest
+ steps:
+ - uses: 'actions/checkout@v4'
+ - uses: DeterminateSystems/nix-installer-action@v12
+
+ - name: Build projects overview
+ run: nix build .#overview
+
+ - name: Run and test VM
+ run: >
+ docker run
+ --privileged
+ --volume ./result/project/Cryptpad/default.nix:/default.nix
+ --volume "$(pwd)/.github/workflows/test-demo.sh:/test-demo.sh"
+ ${{ matrix.distro }}
+ /bin/bash -c "bash /test-demo.sh ${{ matrix.distro }}"
From c0a9a893f305a165d9601c4f897e68761a8dc482 Mon Sep 17 00:00:00 2001
From: Ivan Mincik
Date: Mon, 12 May 2025 10:10:28 +0200
Subject: [PATCH 2/2] ci(test-demo): security hardening based on zizmor report
---
 .github/workflows/test-demo.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/test-demo.yaml b/.github/workflows/test-demo.yaml
index f99863714..75724b771 100644
--- a/.github/workflows/test-demo.yaml
+++ b/.github/workflows/test-demo.yaml
@@ -1,5 +1,7 @@
 name: Test VM demo
+permissions: {}
+
 on:
 push:
 branches: [ main ]
@@ -23,7 +25,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: 'actions/checkout@v4'
- - uses: DeterminateSystems/nix-installer-action@v12
+ with: { persist-credentials: false }
+
+ - uses: DeterminateSystems/nix-installer-action@21a544727d0c62386e78b4befe52d19ad12692e3 #v17
 - name: Build projects overview
 run: nix build .#overview
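Review bot: The two bind mounts in the `Run and test VM` step are spelled differently: the script mount uses `$(pwd)/…`, while the `default.nix` mount uses the relative `./result/project/Cryptpad/default.nix`. Docker's `-v` has traditionally required an absolute host path and otherwise treats the source as a named volume, and `result` is the symlink `nix build` leaves behind, so `--volume "$(pwd)/result/project/Cryptpad/default.nix:/default.nix"` is the safer form (whether a `./` source is accepted depends on the docker/cli version on the runner; please confirm). The two `${{ matrix.distro }}` expansions inside `run:` are not exploitable today because the matrix is a literal list, but exposing the value as `env: { DISTRO: "${{ matrix.distro }}" }` and referencing `"$DISTRO"` in the command keeps this privileged step injection-safe if the matrix is ever generated.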
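Review bot: After this hunk `DeterminateSystems/nix-installer-action` is pinned to a full commit SHA with a `#v17` annotation, but `actions/checkout@v4` on the context line just above stays on a mutable tag; if the intent is to remove every mutable ref from a workflow that runs PR code under `docker run --privileged`, pin it to its commit SHA with a matching `# v4` comment so Dependabot or Renovate can refresh both the same way. zizmor's default `unpinned-uses` policy does accept tag pins for GitHub-owned actions, so this may well be deliberate, in which case a one-line comment on the checkout step saying so would save the next reader the question. The `persist-credentials: false` addition is consistent with the job, which never pushes, and the `permissions: {}` added in the first hunk already drops the token's scopes.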