Build securedrop core release candidate packages in CI here #63

Open
redshiftzero opened this issue Jun 26, 2019 · 1 comment

@redshiftzero
Contributor

We want the following process to automate some RM tasks in SecureDrop core:

  1. Release manager pushes an rc tag in SecureDrop core
  2. CI builds all rc packages
  3. CI commits packages to lfs repo for automatic deployment to apt-test.freedom.press

The issue is that we can't put the git commit bot credentials in Circle CI in the core SecureDrop repository. We can here though since forks don't get access to Circle CI creds (indeed forked builds are off entirely).

A proposed workaround is to add a step, which is that after a release manager pushes an rc tag in securedrop core, they then push a tag here to trigger a build called securedrop-core-$TAG where $TAG is the tag to be built. We would use CircleCI's tag filtering logic to check that tag out and build, e.g. something like in the CI config:

      - build-securedrop-core-release-candidate:
          filters:
            tags:
              only:
                # CircleCI regexes must match the whole tag; `-*rc*` is a glob, not a regex
                - /securedrop-core-.*rc.*/

If you see a better solution here to trigger builds on tag that does not involve giving the SecureDrop core repo credentials, please comment.
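
An added example, not part of the original issue or the project's CI: a shell check a build job here could run before checking out securedrop core, yielding a core tag only when the trigger tag fits an allow-listed shape. The `securedrop-core-` prefix is from the issue; the `X.Y.Z-rcN` version format and the function name `core_tag_from_trigger` are assumptions.

```shell
#!/bin/sh
# Added example: map a trigger tag pushed to this repository to the
# securedrop core tag that should be checked out and built.
# Assumption: core rc tags look like 1.8.0-rc1 (format is not from the issue).

# core_tag_from_trigger TRIGGER_TAG
# Prints the core tag and returns 0 for a well-formed rc trigger tag;
# prints nothing and returns 1 for anything else.
core_tag_from_trigger() {
    trigger=$1
    prefix='securedrop-core-'
    nl='
'
    case $trigger in
        *"$nl"*) return 1 ;;   # grep is line-based, so refuse multi-line input
        "$prefix"*) core=${trigger#"$prefix"} ;;
        *) return 1 ;;
    esac
    # Allow-list the remainder before it reaches `git checkout`: digits, dots
    # and an -rcN suffix only, so no leading '-' and no refspec characters.
    printf '%s\n' "$core" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+-rc[0-9]+$' || return 1
    printf '%s\n' "$core"
}

# Constructed sample tags, not taken from the repository. In a CircleCI job
# the trigger tag would come from $CIRCLE_TAG.
for t in securedrop-core-1.8.0-rc1 securedrop-core-1.8.0 \
         securedrop-core--force-rc1 other-1.8.0-rc1; do
    if core=$(core_tag_from_trigger "$t"); then
        echo "build   $t -> $core"
    else
        echo "reject  $t"
    fi
done
```

Running the check inside the job, rather than relying on the workflow's tag filter alone, keeps a loosely matching filter from deciding what gets built with the commit bot's credentials.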

@cfm
Member

cfm commented Aug 24, 2021

#63 (comment):

> If you see a better solution here to trigger builds on tag that does not involve giving the SecureDrop core repo credentials, please comment.

One possibility would be to have securedrop's -*rc* workflow trigger a run of build-securedrop-core here via the CircleCI API. That would eliminate both the presence of securedrop code in this repository's tags and the need for the Release Manager to kick off this process manually, requiring just a $CIRCLE_API_USER_TOKEN in securedrop.

I'd be happy to pick this up as a CI priority in an upcoming sprint.
