Flatpak

.github/workflows/flatpak.yml

@@ -0,0 +1,38 @@
+name: flatpak
+
+# Builds and validates the Flatpak package on a Linux runner so it can be
+# checked without a local Linux environment (e.g. when developing on macOS).
+on:
+  push:
+    paths:
+      - "flatpak/**"
+      - ".github/workflows/flatpak.yml"
+  pull_request:
+    paths:
+      - "flatpak/**"
+      - ".github/workflows/flatpak.yml"
+  workflow_dispatch:
+
+jobs:
+  flatpak:
+    name: Build Flatpak
+    runs-on: ubuntu-latest
+    container:
+      # Freedesktop runtime image matching the manifest runtime-version (24.08)
+      image: ghcr.io/flathub-infra/flatpak-github-actions:freedesktop-24.08
+      options: --privileged
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      # The flatpak-builder action also runs `flatpak-builder-lint` on the
+      # manifest and the resulting repo, so no separate lint step is needed.
+      # NOTE: the build downloads the prebuilt tar.gz referenced in the manifest,
+      # so it only fully succeeds once a matching Release archive (url + sha256)
+      # is published.
+      - name: Build Flatpak
+        uses: flatpak/flatpak-github-actions/flatpak-builder@v6
+        with:
+          bundle: fr.cnil.PIA.flatpak
+          manifest-path: flatpak/fr.cnil.PIA.yml
+          cache-key: flatpak-builder-${{ github.sha }}

.github/workflows/linux-release.yml

@@ -0,0 +1,89 @@
+name: linux-release
+
+# Builds the Linux packages (AppImage, tar.gz and snap) on a Linux runner.
+# Publishing to the GitHub Release / Snap Store happens in a separate job that:
+#   1. only runs on a tag (refs/tags/v*), and
+#   2. requires a manual approval via the protected `release` environment.
+# Snapcraft is pinned to the 8.x channel because electron-builder still calls the
+# `snapcraft snap` command, which was removed in Snapcraft 9.
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build Linux packages
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: "22.20.0"
+
+      - name: Enable Corepack
+        run: corepack enable
+
+      - name: Install Snapcraft (8.x — compatible with electron-builder)
+        run: sudo snap install snapcraft --classic --channel=8.x
+
+      - name: Install dependencies
+        run: yarn install --immutable
+
+      - name: Build Angular (production)
+        run: yarn prod
+
+      - name: Build Linux packages (no publish)
+        run: npx electron-builder --linux AppImage tar.gz snap --publish never
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: pia-linux
+          path: |
+            electron/releases/*.AppImage
+            electron/releases/*.tar.gz
+            electron/releases/*.snap
+          if-no-files-found: error
+
+  publish:
+    name: Publish Linux packages
+    needs: build
+    runs-on: ubuntu-latest
+    # Publish only on a tag...
+    if: startsWith(github.ref, 'refs/tags/v')
+    # ...and only after a manual approval on the protected `release` environment
+    # (configure required reviewers in repo Settings → Environments → release).
+    environment: release
+    permissions:
+      contents: write
+    steps:
+      - name: Download build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: pia-linux
+          path: dist-artifacts
+
+      - name: Publish to GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            dist-artifacts/*.AppImage
+            dist-artifacts/*.tar.gz
+            dist-artifacts/*.snap
+
+      - name: Install Snapcraft (8.x)
+        if: env.SNAPCRAFT_STORE_CREDENTIALS != ''
+        env:
+          SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_STORE_CREDENTIALS }}
+        run: sudo snap install snapcraft --classic --channel=8.x
+
+      - name: Publish snap to Snap Store
+        if: env.SNAPCRAFT_STORE_CREDENTIALS != ''
+        env:
+          SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_STORE_CREDENTIALS }}
+        run: snapcraft upload --release=stable dist-artifacts/pia_*.snap

electron/main.js

@@ -25,6 +25,9 @@ const createWindow = () => {
 };
 
 app.whenReady().then(() => {
+  app.setAboutPanelOptions({
+    copyright: ""
+  });
   createWindow();
   setupAutoUpdater();
 });

flatpak/README.md

@@ -0,0 +1,59 @@
+# Flathub / Flatpak packaging
+
+This folder contains everything needed to publish the **PIA** software on
+[Flathub](https://flathub.org), as requested in
+[issue #738](https://github.com/LINCnil/pia/issues/738).
+
+| File                       | Purpose                                                            |
+| -------------------------- | ------------------------------------------------------------------ |
+| `fr.cnil.PIA.yml`          | Flatpak manifest (app-id `fr.cnil.PIA`)                            |
+| `fr.cnil.PIA.metainfo.xml` | AppStream metadata (required by Flathub)                           |
+| `fr.cnil.PIA.desktop`      | Desktop launcher entry                                             |
+| `pia.sh`                   | Sandbox launcher (uses `zypak-wrapper` from the Electron base app) |
+
+## How it works
+
+The manifest does **not** rebuild the Angular/Electron app from scratch. Instead
+it downloads the `pia-X.Y.Z.tar.gz` archive produced by `electron-builder`
+(`tar.gz` target, see the `linux` section in `package.json`) from the matching
+[GitHub Release](https://github.com/LINCnil/pia/releases) and integrates it into
+the Flatpak sandbox.
+
+## Building / testing in CI (no Linux needed)
+
+Because `flatpak-builder` only runs on Linux, a GitHub Actions workflow
+([`.github/workflows/flatpak.yml`](../.github/workflows/flatpak.yml)) builds and
+validates the package on a Linux runner. It runs automatically on any change
+under `flatpak/`, and can also be triggered manually (`workflow_dispatch`). It:
+
+- lints the manifest and validates the AppStream metainfo, and
+- builds a `fr.cnil.PIA.flatpak` bundle artifact (once a matching Release archive
+  with a valid `url`/`sha256` is available).
+
+This is the recommended way to verify the package when developing on macOS or
+Windows.
+
+## Building / testing locally
+
+```sh
+# Install the required Flathub runtimes
+flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
+flatpak install -y flathub org.freedesktop.Platform//24.08 org.freedesktop.Sdk//24.08 org.electronjs.Electron2.BaseApp//24.08
+
+# Build & install the Flatpak (also available as `yarn electron:flatpak`)
+flatpak-builder --user --install --force-clean build-dir flatpak/fr.cnil.PIA.yml
+
+# Run it
+flatpak run fr.cnil.PIA
+```
+
+## Releasing a new version
+
+1. `yarn electron:linux` to produce `electron/releases/pia-X.Y.Z.tar.gz`.
+2. Publish the archive on the GitHub Release.
+3. In `fr.cnil.PIA.yml`, update the archive `url` and its `sha256`
+   (`sha256sum electron/releases/pia-X.Y.Z.tar.gz`).
+4. Add the matching `<release>` entry in `fr.cnil.PIA.metainfo.xml`.
+5. Submit/update the manifest on https://github.com/flathub/flathub.
+
+See `../BUILD_LINUX.md` (section 6) for the full procedure.

flatpak/fr.cnil.PIA.desktop

@@ -0,0 +1,14 @@
+[Desktop Entry]
+Type=Application
+Name=PIA
+GenericName=Privacy Impact Assessment
+Comment=Conduct GDPR data protection impact assessments
+Comment[fr]=Réaliser des analyses d'impact relatives à la protection des données (RGPD)
+Exec=pia %U
+Icon=fr.cnil.PIA
+Terminal=false
+Categories=Office;Network;Security;
+Keywords=PIA;DPIA;GDPR;RGPD;CNIL;Privacy;Data;Protection;
+StartupNotify=true
+StartupWMClass=pia
+

flatpak/fr.cnil.PIA.metainfo.xml

@@ -0,0 +1,86 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Copyright 2026 CNIL -->
+<component type="desktop-application">
+  <id>fr.cnil.PIA</id>
+
+  <name>PIA</name>
+  <summary>Conduct GDPR data protection impact assessments</summary>
+  <summary xml:lang="fr">Réaliser des analyses d'impact relatives à la protection des données</summary>
+
+  <metadata_license>CC0-1.0</metadata_license>
+  <project_license>GPL-3.0-or-later</project_license>
+
+  <developer id="fr.cnil">
+    <name>CNIL</name>
+  </developer>
+
+  <description>
+    <p>
+      The PIA software is a free tool published by the CNIL (Commission nationale
+      de l'informatique et des libertés) which aims to help data controllers
+      build and demonstrate compliance to the General Data Protection Regulation
+      (GDPR).
+    </p>
+    <p>
+      It guides you through the methodology recommended by the CNIL to carry out
+      a Data Protection Impact Assessment (DPIA / PIA) and offers, among other
+      features:
+    </p>
+    <ul>
+      <li>A user-friendly interface to create and manage your assessments</li>
+      <li>Customisable knowledge bases and templates (structures)</li>
+      <li>A clear visualisation of risks</li>
+      <li>Export of your assessments as PDF, JSON or ZIP files</li>
+    </ul>
+    <p xml:lang="fr">
+      Le logiciel PIA est un outil distribué librement par la CNIL (Commission
+      nationale de l'informatique et des libertés) afin de faciliter la
+      réalisation d'analyses d'impact sur la protection des données prévues par
+      le RGPD.
+    </p>
+  </description>
+
+  <launchable type="desktop-id">fr.cnil.PIA.desktop</launchable>
+
+  <url type="homepage">https://www.cnil.fr/fr/outil-pia-telechargez-et-installez-le-logiciel-de-la-cnil</url>
+  <url type="bugtracker">https://github.com/LINCnil/pia/issues</url>
+  <url type="vcs-browser">https://github.com/LINCnil/pia</url>
+  <url type="translate">https://github.com/LINCnil/pia/tree/master/src/assets/i18n</url>
+
+  <screenshots>
+    <screenshot type="default">
+      <caption>The PIA dashboard</caption>
+      <image>https://raw.githubusercontent.com/LINCnil/pia/master/src/assets/images/pia-auth-logo.png</image>
+    </screenshot>
+  </screenshots>
+
+  <content_rating type="oars-1.1" />
+
+  <branding>
+    <color type="primary" scheme_preference="light">#cfe8ff</color>
+    <color type="primary" scheme_preference="dark">#1a3a5a</color>
+  </branding>
+
+  <categories>
+    <category>Office</category>
+    <category>Security</category>
+  </categories>
+
+  <keywords>
+    <keyword>PIA</keyword>
+    <keyword>DPIA</keyword>
+    <keyword>GDPR</keyword>
+    <keyword>RGPD</keyword>
+    <keyword>CNIL</keyword>
+    <keyword>Privacy</keyword>
+  </keywords>
+
+  <releases>
+    <release version="4.1.0" date="2026-03-25">
+      <description>
+        <p>Latest release of the PIA software.</p>
+      </description>
+    </release>
+  </releases>
+</component>
+

flatpak/fr.cnil.PIA.yml

@@ -0,0 +1,54 @@
+app-id: fr.cnil.PIA
+runtime: org.freedesktop.Platform
+runtime-version: "24.08"
+sdk: org.freedesktop.Sdk
+base: org.electronjs.Electron2.BaseApp
+base-version: "24.08"
+command: pia
+separate-locales: false
+
+finish-args:
+  # Display
+  - --share=ipc
+  - --socket=x11
+  - --socket=wayland
+  - --socket=fallback-x11
+  - --device=dri
+  # The PIA software needs network access for the optional client/server mode
+  - --share=network
+  # Allow the user to open / save PIA files, exports and PDF reports
+  - --filesystem=home
+  - --filesystem=xdg-download
+  - --filesystem=xdg-documents
+  # Desktop notifications
+  - --talk-name=org.freedesktop.Notifications
+
+modules:
+  - name: pia
+    buildsystem: simple
+    build-commands:
+      # Install the unpacked Electron application
+      - mkdir -p /app/main
+      - cp -a ./* /app/main
+      # Launcher wrapper (uses the Electron base-app zypak sandbox helper)
+      - install -Dm755 pia.sh /app/bin/pia
+      # Desktop integration files
+      - install -Dm644 fr.cnil.PIA.desktop /app/share/applications/fr.cnil.PIA.desktop
+      - install -Dm644 fr.cnil.PIA.metainfo.xml /app/share/metainfo/fr.cnil.PIA.metainfo.xml
+      - install -Dm644 icon.png /app/share/icons/hicolor/512x512/apps/fr.cnil.PIA.png
+    sources:
+      # Prebuilt application produced by `yarn electron:linux` (tar.gz target).
+      # Update the version, url and sha256 for every release.
+      - type: archive
+        url: https://github.com/LINCnil/pia/releases/download/v4.1.0/pia-4.1.0.tar.gz
+        sha256: 0000000000000000000000000000000000000000000000000000000000000000
+        strip-components: 1
+      - type: file
+        path: pia.sh
+      - type: file
+        path: fr.cnil.PIA.desktop
+      - type: file
+        path: fr.cnil.PIA.metainfo.xml
+      - type: file
+        path: ../electron/icons/icon.png
+        dest-filename: icon.png

flatpak/pia.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+# Launcher for the PIA Electron application inside the Flatpak sandbox.
+# zypak-wrapper is provided by org.electronjs.Electron2.BaseApp and lets the
+# bundled Chromium use the Flatpak sandbox instead of its own setuid sandbox.
+exec zypak-wrapper /app/main/pia "$@"
+

package.json

@@ -23,6 +23,8 @@
     "electron:mac": "electron-builder -m",
     "electron:win": "electron-builder -w",
     "electron:linux": "electron-builder -l",
+    "electron:snap": "electron-builder -l snap",
+    "electron:flatpak": "flatpak-builder --user --install --force-clean build-dir flatpak/fr.cnil.PIA.yml",
     "electron:publish-to-github": "electron-builder -mwl -p onTagOrDraft"
   },
   "husky": {
@@ -149,7 +151,14 @@
       "verifyUpdateCodeSignature": false
     },
     "linux": {
-      "category": "Network"
+      "category": "Network",
+      "target": [
+        "AppImage",
+        "tar.gz"
+      ]
+    },
+    "snap": {
+      "base": "core22"
     },
     "nsis": {
       "oneClick": false,

src/index.html

@@ -3,6 +3,7 @@
   <head>
     <meta charset="utf-8" />
     <title>PIA - Privacy Impact Assessment</title>
+    <base href="./" />
     <meta name="description" content="" />
     <meta name="viewport" content="width=device-width, initial-scale=1" />
     <meta name="theme-color" content="#ffffff" />