fix: use manylinux to build standalone binaries

Author: agateau-gg

.github/workflows/build_release_assets.yml

@@ -42,6 +42,7 @@ jobs:
   build_os_packages:
     name: Build packages
     runs-on: ${{ matrix.os }}
+    container: ${{ matrix.os == 'ubuntu-22.04' && 'quay.io/pypa/manylinux_2_28_x86_64' || null }}
     strategy:
       fail-fast: false
       matrix:
@@ -64,12 +65,24 @@ jobs:
           # Get enough commits to run `ggshield secret scan commit-range` on ourselves
           fetch-depth: 10
 
-      - name: Set up Python 3.10
+      - name: Set up Python 3.10 (Windows 1/2)
+        if: matrix.os == 'windows-2022'
         uses: actions/setup-python@v5
-        if: "!startsWith(matrix.os, 'macos-')"
         with:
           python-version: '3.10'
 
+      - name: Set up Python 3.10 (Windows 2/2)
+        if: matrix.os == 'windows-2022'
+        run: |
+          echo PYTHON_CMD=python >> $GITHUB_ENV
+
+      - name: Set up Python 3.10 (Linux)
+        if: matrix.os == 'ubuntu-22.04'
+        # Make `python` points to python 3.10
+        run: |
+          ln -s $(which python3.10) /usr/local/bin/python
+          echo PYTHON_CMD=/usr/local/bin/python >> $GITHUB_ENV
+
       - name: Install macOS specific dependencies
         if: startsWith(matrix.os, 'macos-')
         run: |
@@ -92,6 +105,7 @@ jobs:
 
           # Make Python available
           echo PATH=$PWD/python/bin:$PATH >> $GITHUB_ENV
+          echo PYTHON_CMD=$PWD/python/bin/python >> $GITHUB_ENV
 
           # Install rcodesign
           RCODESIGN_VERSION=0.27.0
@@ -109,27 +123,33 @@ jobs:
       - name: Install dependencies
         shell: bash
         run: |
-          python -m pip install --upgrade pip
-          python -m pip install --upgrade \
-            pipenv==2023.12.1 \
-            pyinstaller==6.7.0
-          pipenv install --system --dev
+          pipx install \
+            --python "$PYTHON_CMD" \
+            pipenv==2023.12.1
+
+          pipenv install --dev
+          pipenv run pip install pyinstaller==6.7.0
         env:
           # Disable lock otherwise Windows-only dependencies like colorama are not installed
           PIPENV_SKIP_LOCK: 1
 
       - name: Install Linux specific dependencies
         if: matrix.os == 'ubuntu-22.04'
         run: |
+          # Install NFPM
           NFPM_VERSION=2.36.1
-          NFPM_CHECKSUM=05c17a1e09c470807b149fdd7bcd8f600eea044f459fc3ce81aa230103c0baf5
+          NFPM_CHECKSUM=9f8effa24bc6033b509611dbe68839542a63e825525b195672298c369051ef0b
 
           scripts/download \
-            https://github.com/goreleaser/nfpm/releases/download/v${NFPM_VERSION}/nfpm_${NFPM_VERSION}_amd64.deb \
-            nfpm.deb \
+            https://github.com/goreleaser/nfpm/releases/download/v${NFPM_VERSION}/nfpm_${NFPM_VERSION}_Linux_x86_64.tar.gz \
+            nfpm.tar.gz \
             $NFPM_CHECKSUM
 
-          sudo dpkg -i nfpm.deb
+          tar xf nfpm.tar.gz nfpm
+          cp nfpm /usr/local/bin
+
+          # Avoid "dubious permission" git error
+          git config --global --add safe.directory '*'
 
       - name: Prepare macOS secrets
         if: startsWith(matrix.os, 'macos-') && inputs.release_mode
@@ -199,7 +219,7 @@ jobs:
           else
             args="--git-version"
           fi
-          scripts/build-os-packages/build-os-packages $args
+          pipenv run scripts/build-os-packages/build-os-packages $args
 
       - name: Override base Docker image used for functional tests on Windows
         if: matrix.os == 'windows-2022'
@@ -214,7 +234,7 @@ jobs:
         # See note about steps requiring the GITGUARDIAN_API at the top of this file
         if: ${{ !github.event.pull_request.head.repo.fork }}
         run: |
-          scripts/build-os-packages/build-os-packages functests
+          pipenv run scripts/build-os-packages/build-os-packages functests
         env:
           GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
           GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}