Closed
Description
We currently manually build and upload tarballs as part of the release process. Per this repo’s README:
- Build tarballs, and create a detached signature with the release key
This involves two people at a minimum: one person to prepare the PR, and another to review it. As of #185, tarballs are reproducible. This means we can safely automate the creation of tarballs via a buildbot. The bot would open a PR (from a fork or branch) with the tarball artifact.
A person with signing authority would verify the build locally and push a commit with a detached signature, then merge it, reducing the number of people involved to 1.
This issue should be considered blocked on #147 to prevent accidental merges of unsigned artifacts by a reviewer.
In scope of this issue
- Investigate implementation options for a buildbot that opens PRs (cf. previous efforts such as @redshiftzero's backport bot)
- Implement a buildbot that creates tarballs and opens PRs into this repo as soon as a release tag is pushed to a SecureDrop Workstation project repo.
- Update the procedures in this repo’s README
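The signer-side step described above (rebuild locally, confirm the tarball is byte-identical to the bot's artifact, then attach a detached signature) as an added shell sketch. This is example code, not this repo's release tooling or the buildbot; the function names, the `RELEASE_KEY` variable and the `.asc` naming are assumptions, and it assumes `sha256sum` and `gpg` are on the PATH.

```shell
#!/bin/sh
# Hypothetical helpers for the manual half of the automated release flow.
# Assumed names: verify_reproducible, sign_release, check_signature, RELEASE_KEY.
set -eu

# Compare the locally rebuilt tarball against the artifact in the bot's PR.
# Succeeds only when the SHA-256 digests match, i.e. the build reproduced.
verify_reproducible() {
    local_build="$1"
    pr_artifact="$2"
    local_sum=$(sha256sum "$local_build" | cut -d' ' -f1)
    pr_sum=$(sha256sum "$pr_artifact" | cut -d' ' -f1)
    if [ "$local_sum" != "$pr_sum" ]; then
        printf 'MISMATCH: local %s != PR %s\n' "$local_sum" "$pr_sum" >&2
        return 1
    fi
    printf 'OK: %s\n' "$local_sum"
}

# Sign the PR artifact with the release key, but only after the reproducibility
# check passes. Writes <artifact>.asc as an ASCII-armored detached signature,
# which is the file the signer commits on top of the bot's PR.
sign_release() {
    local_build="$1"
    pr_artifact="$2"
    release_key="${3:-${RELEASE_KEY:-}}"
    [ -n "$release_key" ] || { echo 'no release key given' >&2; return 1; }
    verify_reproducible "$local_build" "$pr_artifact" || return 1
    gpg --local-user "$release_key" --armor --detach-sign \
        --output "$pr_artifact.asc" "$pr_artifact"
}

# What a reviewer (or a CI gate of the kind #147 asks for) runs before merging:
# refuse any tarball that lacks a valid detached signature from a trusted key.
check_signature() {
    pr_artifact="$1"
    [ -f "$pr_artifact.asc" ] || { echo "missing $pr_artifact.asc" >&2; return 1; }
    gpg --verify "$pr_artifact.asc" "$pr_artifact"
}
```

Because `sign_release` runs the digest comparison first and exits before invoking `gpg`, a tarball that does not reproduce never gets a signature; the unsigned PR then stays unmergeable as long as the merge gate from #147 is in place.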