WIP: Have CI run piuparts

.github/workflows/build.yml

@@ -119,3 +119,35 @@ jobs:
             echo "Diffoscoping $deb"
             diffoscope build-${{ matrix.debian_version }}/$deb build2-${{ matrix.debian_version }}/$deb
           done;
+
+  piuparts:
+    strategy:
+      matrix:
+        debian_version:
+          - bullseye
+          - bookworm
+    runs-on: ubuntu-latest
+    container: debian:bookworm
+    needs:
+      - build-debs
+    steps:
+      - name: Install dependencies
+        run: apt-get update && apt-get install --yes git piuparts docker.io
+      - uses: actions/checkout@v4
+      - uses: actions/download-artifact@v4
+        with:
+          pattern: "build-${{ matrix.debian_version }}"
+      - name: Build container image
+        run: |
+          cp keyring/securedrop-keyring.gpg debian/piuparts/
+          docker build debian/piuparts --build-arg DISTRO=${{ matrix.debian_version }} -t ourimage
+      - name: Run piuparts
+        run: |
+          # TODO: get workstation-viewer to pass piuparts (pulls in grsec and qubes packages)
+          for pkg in client export keyring log proxy workstation-config;
+          do        
+            piuparts --docker-image ourimage \
+              --distribution ${{ matrix.debian_version }} \
+              --extra-repo 'deb [signed-by=/usr/share/keyrings/securedrop-keyring.gpg] https://apt.freedom.press bullseye main' \
+              "build-${{ matrix.debian_version }}/securedrop-${pkg}*.deb"
+          done

debian/piuparts/Dockerfile

@@ -0,0 +1,9 @@
+ARG DISTRO=bullseye
+FROM debian:$DISTRO
+
+RUN apt-get update && apt-get install -y ca-certificates
+# FIXME: Do this to fool piuparts into thinking we didn't remove /opt during
+# the package purge. Why does purging our packages not work properly?
+RUN rm -rf /opt
+# CI manifest will copy keyring into the build directory
+COPY securedrop-keyring.gpg /usr/share/keyrings