diff --git a/.github/workflows/flatpak.yml b/.github/workflows/flatpak.yml
new file mode 100644
index 000000000..da8ce5a19
--- /dev/null
+++ b/.github/workflows/flatpak.yml
@@ -0,0 +1,38 @@
+name: flatpak
+
+# Builds and validates the Flatpak package on a Linux runner so it can be
+# checked without a local Linux environment (e.g. when developing on macOS).
+on:
+  push:
+    paths:
+      - "flatpak/**"
+      - ".github/workflows/flatpak.yml"
+  pull_request:
+    paths:
+      - "flatpak/**"
+      - ".github/workflows/flatpak.yml"
+  workflow_dispatch:
+
+jobs:
+  flatpak:
+    name: Build Flatpak
+    runs-on: ubuntu-latest
+    container:
+      # Freedesktop runtime image matching the manifest runtime-version (24.08)
+      image: ghcr.io/flathub-infra/flatpak-github-actions:freedesktop-24.08
+      options: --privileged
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      # The flatpak-builder action also runs `flatpak-builder-lint` on the
+      # manifest and the resulting repo, so no separate lint step is needed.
+      # NOTE: the build downloads the prebuilt tar.gz referenced in the manifest,
+      # so it only fully succeeds once a matching Release archive (url + sha256)
+      # is published.
+      - name: Build Flatpak
+        uses: flatpak/flatpak-github-actions/flatpak-builder@v6
+        with:
+          bundle: fr.cnil.PIA.flatpak
+          manifest-path: flatpak/fr.cnil.PIA.yml
+          cache-key: flatpak-builder-${{ github.sha }}
diff --git a/.github/workflows/linux-release.yml b/.github/workflows/linux-release.yml
new file mode 100644
index 000000000..eed84f785
--- /dev/null
+++ b/.github/workflows/linux-release.yml
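Review bot: The job runs a third-party action inside a `--privileged` container (`options: --privileged` plus `uses: flatpak/flatpak-github-actions/flatpak-builder@v6`) on every `push` and `pull_request` touching `flatpak/`, yet both actions are pinned only to mutable tags, so a moved tag would gain privileged execution with the repository checkout. Pin each `uses:` to a full commit SHA with the version as a trailing comment, e.g. `uses: flatpak/flatpak-github-actions/flatpak-builder@<commit-sha> # v6`, and add a workflow-level `permissions: { contents: read }` so the job's token is read-only. `actions/checkout@v4` here also diverges from `actions/checkout@v6` used in linux-release.yml in the same commit; aligning them avoids maintaining two versions. It may also be worth a comment next to the NOTE that the job is expected to fail while the manifest still carries the placeholder digest, so reviewers do not read red CI as a regression.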
@@ -0,0 +1,89 @@
+name: linux-release
+
+# Builds the Linux packages (AppImage, tar.gz and snap) on a Linux runner.
+# Publishing to the GitHub Release / Snap Store happens in a separate job that:
+# 1. only runs on a tag (refs/tags/v*), and
+# 2. requires a manual approval via the protected `release` environment.
+# Snapcraft is pinned to the 8.x channel because electron-builder still calls the
+# `snapcraft snap` command, which was removed in Snapcraft 9.
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build Linux packages
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: "22.20.0"
+
+      - name: Enable Corepack
+        run: corepack enable
+
+      - name: Install Snapcraft (8.x — compatible with electron-builder)
+        run: sudo snap install snapcraft --classic --channel=8.x
+
+      - name: Install dependencies
+        run: yarn install --immutable
+
+      - name: Build Angular (production)
+        run: yarn prod
+
+      - name: Build Linux packages (no publish)
+        run: npx electron-builder --linux AppImage tar.gz snap --publish never
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: pia-linux
+          path: |
+            electron/releases/*.AppImage
+            electron/releases/*.tar.gz
+            electron/releases/*.snap
+          if-no-files-found: error
+
+  publish:
+    name: Publish Linux packages
+    needs: build
+    runs-on: ubuntu-latest
+    # Publish only on a tag...
+    if: startsWith(github.ref, 'refs/tags/v')
+    # ...and only after a manual approval on the protected `release` environment
+    # (configure required reviewers in repo Settings → Environments → release).
+    environment: release
+    permissions:
+      contents: write
+    steps:
+      - name: Download build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: pia-linux
+          path: dist-artifacts
+
+      - name: Publish to GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            dist-artifacts/*.AppImage
+            dist-artifacts/*.tar.gz
+            dist-artifacts/*.snap
+
+      - name: Install Snapcraft (8.x)
+        if: env.SNAPCRAFT_STORE_CREDENTIALS != ''
+        env:
+          SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_STORE_CREDENTIALS }}
+        run: sudo snap install snapcraft --classic --channel=8.x
+
+      - name: Publish snap to Snap Store
+        if: env.SNAPCRAFT_STORE_CREDENTIALS != ''
+        env:
+          SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_STORE_CREDENTIALS }}
+        run: snapcraft upload --release=stable dist-artifacts/pia_*.snap
diff --git a/electron/main.js b/electron/main.js
index b7d749870..03dddf251 100644
--- a/electron/main.js
+++ b/electron/main.js
@@ -25,6 +25,9 @@ const createWindow = () => {
 };
 
 app.whenReady().then(() => {
+  app.setAboutPanelOptions({
+    copyright: ""
+  });
   createWindow();
   setupAutoUpdater();
 });
diff --git a/flatpak/README.md b/flatpak/README.md
new file mode 100644
index 000000000..120c19be6
--- /dev/null
+++ b/flatpak/README.md
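Review bot: The `build` job declares no `permissions`, so on a tag push its GITHUB_TOKEN keeps the repository default scope while `yarn install --immutable`, `yarn prod`, `npx electron-builder` and tag-pinned actions (`actions/checkout@v6`, `actions/setup-node@v6`, `actions/upload-artifact@v4`) execute; only `publish` narrows its token, and it narrows upward to `contents: write` for `softprops/action-gh-release@v2`. Add `permissions: { contents: read }` at the workflow level so `build` is read-only by default, and pin every `uses:` to a full commit SHA with the version as a trailing comment, because the release-asset upload in `publish` is exactly what a retagged action could hijack. `npx electron-builder` will resolve the package from the registry if it is not already an installed dependency; if `package.json` declares electron-builder (it exposes `electron:linux`, so presumably it does — verify), prefer `yarn electron-builder --linux AppImage tar.gz snap --publish never` so the version installed under `--immutable` is the one that builds the release. The `if: env.SNAPCRAFT_STORE_CREDENTIALS != ''` guards depend on the step's own `env` being visible to its `if`; confirm that in the runner, or write `if: ${{ secrets.SNAPCRAFT_STORE_CREDENTIALS != '' }}` which does not rely on it.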
@@ -0,0 +1,59 @@
+# Flathub / Flatpak packaging
+
+This folder contains everything needed to publish the **PIA** software on
+[Flathub](https://flathub.org), as requested in
+[issue #738](https://github.com/LINCnil/pia/issues/738).
+
+| File | Purpose |
+| -------------------------- | ------------------------------------------------------------------ |
+| `fr.cnil.PIA.yml` | Flatpak manifest (app-id `fr.cnil.PIA`) |
+| `fr.cnil.PIA.metainfo.xml` | AppStream metadata (required by Flathub) |
+| `fr.cnil.PIA.desktop` | Desktop launcher entry |
+| `pia.sh` | Sandbox launcher (uses `zypak-wrapper` from the Electron base app) |
+
+## How it works
+
+The manifest does **not** rebuild the Angular/Electron app from scratch. Instead
+it downloads the `pia-X.Y.Z.tar.gz` archive produced by `electron-builder`
+(`tar.gz` target, see the `linux` section in `package.json`) from the matching
+[GitHub Release](https://github.com/LINCnil/pia/releases) and integrates it into
+the Flatpak sandbox.
+
+## Building / testing in CI (no Linux needed)
+
+Because `flatpak-builder` only runs on Linux, a GitHub Actions workflow
+([`.github/workflows/flatpak.yml`](../.github/workflows/flatpak.yml)) builds and
+validates the package on a Linux runner. It runs automatically on any change
+under `flatpak/`, and can also be triggered manually (`workflow_dispatch`). It:
+
+- lints the manifest and validates the AppStream metainfo, and
+- builds a `fr.cnil.PIA.flatpak` bundle artifact (once a matching Release archive
+  with a valid `url`/`sha256` is available).
+
+This is the recommended way to verify the package when developing on macOS or
+Windows.
+
+## Building / testing locally
+
+```sh
+# Install the required Flathub runtimes
+flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
+flatpak install -y flathub org.freedesktop.Platform//24.08 org.freedesktop.Sdk//24.08 org.electronjs.Electron2.BaseApp//24.08
+
+# Build & install the Flatpak (also available as `yarn electron:flatpak`)
+flatpak-builder --user --install --force-clean build-dir flatpak/fr.cnil.PIA.yml
+
+# Run it
+flatpak run fr.cnil.PIA
+```
+
+## Releasing a new version
+
+1. `yarn electron:linux` to produce `electron/releases/pia-X.Y.Z.tar.gz`.
+2. Publish the archive on the GitHub Release.
+3. In `fr.cnil.PIA.yml`, update the archive `url` and its `sha256`
+   (`sha256sum electron/releases/pia-X.Y.Z.tar.gz`).
+4. Add the matching `` entry in `fr.cnil.PIA.metainfo.xml`.
+5. Submit/update the manifest on https://github.com/flathub/flathub.
+
+See `../BUILD_LINUX.md` (section 6) for the full procedure.
diff --git a/flatpak/fr.cnil.PIA.desktop b/flatpak/fr.cnil.PIA.desktop
new file mode 100644
index 000000000..40f38eb98
--- /dev/null
+++ b/flatpak/fr.cnil.PIA.desktop
@@ -0,0 +1,14 @@
+[Desktop Entry]
+Type=Application
+Name=PIA
+GenericName=Privacy Impact Assessment
+Comment=Conduct GDPR data protection impact assessments
+Comment[fr]=Réaliser des analyses d'impact relatives à la protection des données (RGPD)
+Exec=pia %U
+Icon=fr.cnil.PIA
+Terminal=false
+Categories=Office;Network;Security;
+Keywords=PIA;DPIA;GDPR;RGPD;CNIL;Privacy;Data;Protection;
+StartupNotify=true
+StartupWMClass=pia
+
diff --git a/flatpak/fr.cnil.PIA.metainfo.xml b/flatpak/fr.cnil.PIA.metainfo.xml
new file mode 100644
index 000000000..8ebead2f1
--- /dev/null
+++ b/flatpak/fr.cnil.PIA.metainfo.xml
@@ -0,0 +1,86 @@ + + + fr.cnil.PIA + + PIA + Conduct GDPR data protection impact assessments + Réaliser des analyses d'impact relatives à la protection des données + + CC0-1.0 + GPL-3.0-or-later + + + CNIL + + + +

+ The PIA software is a free tool published by the CNIL (Commission nationale + de l'informatique et des libertés) which aims to help data controllers + build and demonstrate compliance to the General Data Protection Regulation + (GDPR). +

+

+ It guides you through the methodology recommended by the CNIL to carry out + a Data Protection Impact Assessment (DPIA / PIA) and offers, among other + features: +

+
    +
  • A user-friendly interface to create and manage your assessments
  • +
  • Customisable knowledge bases and templates (structures)
  • +
  • A clear visualisation of risks
  • +
  • Export of your assessments as PDF, JSON or ZIP files
  • +
+

+ Le logiciel PIA est un outil distribué librement par la CNIL (Commission + nationale de l'informatique et des libertés) afin de faciliter la + réalisation d'analyses d'impact sur la protection des données prévues par + le RGPD. +

+
+ + fr.cnil.PIA.desktop + + https://www.cnil.fr/fr/outil-pia-telechargez-et-installez-le-logiciel-de-la-cnil + https://github.com/LINCnil/pia/issues + https://github.com/LINCnil/pia + https://github.com/LINCnil/pia/tree/master/src/assets/i18n + + + + The PIA dashboard + https://raw.githubusercontent.com/LINCnil/pia/master/src/assets/images/pia-auth-logo.png + + + + + + + #cfe8ff + #1a3a5a + + + + Office + Security + + + + PIA + DPIA + GDPR + RGPD + CNIL + Privacy + + + + + +

Latest release of the PIA software.

+
+
+
+
+
diff --git a/flatpak/fr.cnil.PIA.yml b/flatpak/fr.cnil.PIA.yml
new file mode 100644
index 000000000..885ec7cb2
--- /dev/null
+++ b/flatpak/fr.cnil.PIA.yml
@@ -0,0 +1,54 @@
+app-id: fr.cnil.PIA
+runtime: org.freedesktop.Platform
+runtime-version: "24.08"
+sdk: org.freedesktop.Sdk
+base: org.electronjs.Electron2.BaseApp
+base-version: "24.08"
+command: pia
+separate-locales: false
+
+finish-args:
+  # Display
+  - --share=ipc
+  - --socket=x11
+  - --socket=wayland
+  - --socket=fallback-x11
+  - --device=dri
+  # The PIA software needs network access for the optional client/server mode
+  - --share=network
+  # Allow the user to open / save PIA files, exports and PDF reports
+  - --filesystem=home
+  - --filesystem=xdg-download
+  - --filesystem=xdg-documents
+  # Desktop notifications
+  - --talk-name=org.freedesktop.Notifications
+
+modules:
+  - name: pia
+    buildsystem: simple
+    build-commands:
+      # Install the unpacked Electron application
+      - mkdir -p /app/main
+      - cp -a ./* /app/main
+      # Launcher wrapper (uses the Electron base-app zypak sandbox helper)
+      - install -Dm755 pia.sh /app/bin/pia
+      # Desktop integration files
+      - install -Dm644 fr.cnil.PIA.desktop /app/share/applications/fr.cnil.PIA.desktop
+      - install -Dm644 fr.cnil.PIA.metainfo.xml /app/share/metainfo/fr.cnil.PIA.metainfo.xml
+      - install -Dm644 icon.png /app/share/icons/hicolor/512x512/apps/fr.cnil.PIA.png
+    sources:
+      # Prebuilt application produced by `yarn electron:linux` (tar.gz target).
+      # Update the version, url and sha256 for every release.
+      - type: archive
+        url: https://github.com/LINCnil/pia/releases/download/v4.1.0/pia-4.1.0.tar.gz
+        sha256: 0000000000000000000000000000000000000000000000000000000000000000
+        strip-components: 1
+      - type: file
+        path: pia.sh
+      - type: file
+        path: fr.cnil.PIA.desktop
+      - type: file
+        path: fr.cnil.PIA.metainfo.xml
+      - type: file
+        path: ../electron/icons/icon.png
+        dest-filename: icon.png
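Review bot: The `finish-args` grant `--socket=x11` next to `--socket=fallback-x11`, which makes the fallback entry a no-op and hands the bundled Chromium an unconditional X11 connection (on an X11 host that is a connection to the same server as every other client, with no isolation between them), and `--filesystem=home` makes the narrower `xdg-download`/`xdg-documents` lines redundant while exposing the whole home directory to a network-enabled app. Keep only `--socket=wayland` and `--socket=fallback-x11`, and drop `--filesystem=home` unless the app needs to read files it did not obtain through a file chooser — under Flatpak the Electron/GTK chooser goes through the document portal, so explicit home access is presumably unnecessary (confirm against the open/save code paths). The `sha256: 000…` placeholder will make flatpak-builder refuse the archive, which is the right failure, but the all-zero digest deserves an inline `# PLACEHOLDER — replace before submitting to Flathub` comment so it is never mistaken for a real value. Minor: `cp -a ./* /app/main` also copies `pia.sh`, the `.desktop`, the metainfo and `icon.png` into `/app/main`, since the `type: file` sources land in the same build directory as the extracted archive; harmless, but a comment or an explicit list of what to copy would make that intent clear.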
diff --git a/flatpak/pia.sh b/flatpak/pia.sh
new file mode 100755
index 000000000..b6fb1035d
--- /dev/null
+++ b/flatpak/pia.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+# Launcher for the PIA Electron application inside the Flatpak sandbox.
+# zypak-wrapper is provided by org.electronjs.Electron2.BaseApp and lets the
+# bundled Chromium use the Flatpak sandbox instead of its own setuid sandbox.
+exec zypak-wrapper /app/main/pia "$@"
+
diff --git a/package.json b/package.json
index 15097fd48..58d04e4bb 100644
--- a/package.json
+++ b/package.json
@@ -23,6 +23,8 @@
     "electron:mac": "electron-builder -m",
     "electron:win": "electron-builder -w",
     "electron:linux": "electron-builder -l",
+    "electron:snap": "electron-builder -l snap",
+    "electron:flatpak": "flatpak-builder --user --install --force-clean build-dir flatpak/fr.cnil.PIA.yml",
     "electron:publish-to-github": "electron-builder -mwl -p onTagOrDraft"
   },
   "husky": {
@@ -149,7 +151,14 @@
     "verifyUpdateCodeSignature": false
   },
   "linux": {
-    "category": "Network"
+    "category": "Network",
+    "target": [
+      "AppImage",
+      "tar.gz"
+    ]
+  },
+  "snap": {
+    "base": "core22"
   },
   "nsis": {
     "oneClick": false,
diff --git a/src/index.html b/src/index.html
index e9ec36a0e..3a43d11e4 100644
--- a/src/index.html
+++ b/src/index.html
@@ -3,6 +3,7 @@ PIA - Privacy Impact Assessment +