Embed Podman and drop Docker support

.github/workflows/ci.yml

@@ -58,9 +58,28 @@ jobs:
       registry_token: ${{ secrets.GITHUB_TOKEN }}
 
   windows:
-    runs-on: windows-latest
+    needs:
+      - build-container-image
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: windows-2022
+          - runner: windows-2025
     env:
-      DUMMY_CONVERSION: 1
+      # NOTE: We have to set the encoding for this run to UTF-8, else we get an
+      # enoding error when Dangerzone attempts to display its banner, since the
+      # default seems to be CP-1252:
+      #
+      #     File "D:\a\dangerzone\dangerzone\dangerzone\cli.py", line 225, in display_banner
+      #       print(Back.BLACK + Fore.YELLOW + Style.DIM + "\u256d\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256e")
+      #       ~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+      #     File "C:\hostedtoolcache\windows\Python\3.13.7\x64\Lib\encodings\cp1252.py", line 19, in encode
+      #       return codecs.charmap_encode(input,self.errors,encoding_table)[0]
+      #              ~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+      #   UnicodeEncodeError: 'charmap' codec can't encode characters in position 14-41: character maps to <undefined>
+      PYTHONIOENCODING: UTF-8
     steps:
       - uses: actions/checkout@v5
       - uses: actions/setup-python@v5
@@ -75,12 +94,25 @@ jobs:
           path: |
             share/tessdata/
             share/vendor/
+            share/machine.tar
           key: v1-mazette-windows-${{ hashFiles('./mazette.lock') }}
       - name: Install mazette assets
         if: steps.cache-mazette.outputs.cache-hit != 'true'
         run: poetry run mazette install
       - name: Check cosign is present
         run: ls share/vendor
+      - name: Restore container image
+        uses: actions/cache/restore@v4
+        with:
+          path: |-
+            share/container.tar
+            share/freedomofpress-dangerzone.pub
+            share/image-name.txt
+          enableCrossOsArchive: true
+          fail-on-cache-miss: true
+          key: v6-container-${{ needs.build-container-image.outputs.image_uri }}
+      - name: Smoke test
+        run: poetry run .\dev_scripts\dangerzone-cli.bat .\tests\test_docs\sample-pdf.pdf --ocr-lang eng --debug
       - name: Run CLI tests
         run: poetry run make test
       - name: Set up .NET CLI environment
@@ -95,6 +127,7 @@ jobs:
         # NOTE: This also builds the .exe internally.
         run: poetry run .\install\windows\build-app.bat
       - name: Upload MSI installer
+        if: matrix.runner == 'windows-2025'
         uses: actions/upload-artifact@v4
         with:
           name: Dangerzone.msi
@@ -104,16 +137,18 @@ jobs:
 
   macOS:
     name: "macOS (${{ matrix.arch }})"
+    needs:
+      - build-container-image
     runs-on: ${{ matrix.runner }}
     strategy:
+      fail-fast: false
       matrix:
         include:
-          - runner: macos-latest # CPU type: Apple Silicon (M1)
-            arch: arch64
+          # See https://github.com/abiosoft/colima/issues/970
+          - runner: macos-15
+            arch: arm64
           - runner: macos-13 # CPU type: Intel x86_64
             arch: x86_64
-    env:
-      DUMMY_CONVERSION: 1
     steps:
       - uses: actions/checkout@v5
       - uses: actions/setup-python@v5
@@ -128,12 +163,34 @@ jobs:
           path: |
             share/tessdata/
             share/vendor/
+            share/machine.tar
           key: v1-mazette-darwin-${{ matrix.arch }}-${{ hashFiles('./mazette.lock') }}
       - name: Install mazette assets
         if: steps.cache-mazette.outputs.cache-hit != 'true'
         run: poetry run mazette install
+      - name: Check cosign is present
+        run: ls share/vendor
+      - name: Restore container image
+        uses: actions/cache/restore@v4
+        with:
+          path: |-
+            share/container.tar
+            share/freedomofpress-dangerzone.pub
+            share/image-name.txt
+          enableCrossOsArchive: true
+          fail-on-cache-miss: true
+          key: v6-container-${{ needs.build-container-image.outputs.image_uri }}
+      - name: Smoke test
+        # Nested virtualization does not work on M1 CPUs.
+        continue-on-error: ${{ matrix.arch == 'arm64'}}
+        run: poetry run ./dev_scripts/dangerzone-cli ./tests/test_docs/sample-pdf.pdf --ocr-lang eng --debug
       - name: Run CLI tests
-        run: poetry run make test
+        run: |
+          # Nested virtualization does not work on M1 CPUs.
+          if [ ${{ matrix.arch }} == 'arm64' ]; then
+              export DUMMY_CONVERSION=1
+          fi
+          poetry run make test
       - name: Build macOS app
         run: poetry run python ./install/macos/build-app.py
       - name: Upload macOS app
@@ -271,7 +328,7 @@ jobs:
         run: |
           ./dev_scripts/env.py --distro ${{ matrix.distro }} \
               --version ${{ matrix.version }} \
-              run dangerzone-cli dangerzone/tests/test_docs/sample-pdf.pdf --ocr-lang eng
+              run dangerzone-cli dangerzone/tests/test_docs/sample-pdf.pdf --ocr-lang eng --debug
 
       - name: Check that the Dangerzone GUI imports work
         run: |
@@ -365,7 +422,7 @@ jobs:
       - name: Run a test command
         run: |
           ./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} \
-              run dangerzone-cli dangerzone/tests/test_docs/sample-pdf.pdf --ocr-lang eng
+              run dangerzone-cli dangerzone/tests/test_docs/sample-pdf.pdf --ocr-lang eng --debug
 
       - name: Check that the Dangerzone GUI imports work
         run: |

.gitignore

@@ -24,6 +24,7 @@ pip-wheel-metadata/
 share/python-wheels/
 share/tessdata/
 share/vendor/
+share/machine.tar
 *.egg-info/
 .installed.cfg
 *.egg

CHANGELOG.md

@@ -12,6 +12,21 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or
 - Sign the sandbox/container images and automatically upgrade them to their latest version
   ([#1006](https://github.com/freedomofpress/dangerzone/issues/1006)).
   Read more about this feature [in our docs](https://github.com/freedomofpress/dangerzone/blob/main/docs/independent-container-updates.md).
+- Make Dangerzone use an embedded version of Podman under the hood
+  ([#1145](https://github.com/freedomofpress/dangerzone/issues/1145))
+- Bundle Podman images for Windows and macOS alongside our application
+  ([#1170](https://github.com/freedomofpress/dangerzone/issues/1170))
+- Introduce a new CLI helper called `dangerzone-machine` to manage the Podman
+  machine the Dangerzone uses under the hood
+  ([#1172](https://github.com/freedomofpress/dangerzone/issues/1172))
+- Capture all the command outputs in the logs ([#1236](https://github.com/freedomofpress/dangerzone/issues/1172))
+
+### Removed
+
+- Docker Desktop is no longer required to run Dangerzone. In fact, they are no
+  longer compatible, due to some changes in the bundled container image.
+  Instead, Podman Desktop is used under the hood
+  ([#118](https://github.com/freedomofpress/dangerzone/issues/118))
 
 ### Fixed
 
@@ -30,6 +45,8 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or
 - Improve our release instructions by splitting the large `RELEASE.md` file
   into distinct docs, whose instructions can be executed sequentially
   ([#1212](https://github.com/freedomofpress/dangerzone/pull/1212))
+- Run our full CI test suite on Windows and macOS GitHub runners
+  ([#1009](https://github.com/freedomofpress/dangerzone/issues/1009))
 
 ### Removed
 

Makefile

@@ -1,20 +1,12 @@
 LARGE_TEST_REPO_DIR:=tests/test_docs_large
 GIT_DESC=$$(git describe)
 JUNIT_FLAGS := --capture=sys -o junit_logging=all
-MYPY_ARGS := --ignore-missing-imports \
-			 --disallow-incomplete-defs \
-			 --disallow-untyped-defs \
-			 --show-error-codes \
-			 --warn-unreachable \
-			 --warn-unused-ignores \
-			 --exclude $(LARGE_TEST_REPO_DIR)/*.py
 
 .PHONY: lint
 lint: ## Check the code for linting, formatting, and typing issues with ruff and mypy
 	ruff check
 	ruff format --check
-	mypy $(MYPY_ARGS) dangerzone
-	mypy $(MYPY_ARGS) tests
+	mypy dangerzone tests
 
 .PHONY: fix
 fix: ## apply all the suggestions from ruff