add nightly tests

.github/workflows/changelog_stage.yml

@@ -0,0 +1,22 @@
+name: Changelog stage
+on:
+  workflow_call:
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    steps:
+    # If we change the output filename from `release_notes.md`, it should also be changed in tools/create_github_release.py
+    - name: checkout
+      uses: actions/checkout@v6.0.2
+    - name: Prepare changelog
+      run: |-
+        set -e
+        CERTBOT_VERSION="$(cd certbot/src && python -c "import certbot; print(certbot.__version__)" && cd ~-)"
+        tools/extract_changelog.py "${CERTBOT_VERSION}" >> "${{ runner.temp }}/release_notes.md"
+      shell: bash
+    - name: Publish changelog
+      uses: actions/upload-artifact@v7.0.0
+      with:
+        # If we change the artifact's name, it should also be changed in tools/create_github_release.py
+        name: changelog
+        path: "${{ runner.temp }}"

.github/workflows/common_deploy_jobs.yml

@@ -0,0 +1,124 @@
+name: Common deploy jobs
+on:
+  workflow_call:
+    inputs:
+      dockerTag:
+        required: true
+        description: 'docker tag to push to'
+        type: string
+      snapReleaseChannel:
+        type: choice
+        options:
+        - edge
+        - beta
+        required: true
+
+jobs:
+  # This job relies on credentials used to publish the Certbot snaps. This
+  # credential file was created by running:
+  #
+  #   snapcraft logout
+  #   snapcraft export-login --channels=beta,edge snapcraft.cfg
+  #     (provide the shared snapcraft credentials when prompted)
+  #
+  # Then the contents of the file were added as a secret in Github
+  # with the name SNAPCRAFTCFG under the Secrets and Variables -> Actions
+  # section of the settings for the certbot organization.
+  #
+  # Revoking these credentials can be done by changing the password of the
+  # account used to generate the credentials. See
+  # https://forum.snapcraft.io/t/revoking-exported-credentials/19031 for more
+  # info.
+  publish_snap:
+    name: Publish snap
+    permissions:
+      contents: read
+    runs-on:
+      - 'ubuntu-24.04'
+    strategy:
+      matrix:
+        SNAP_ARCH: [amd64, armhf, arm64]
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v6.0.2
+    - name: Install dependencies
+      run: |-
+        set -e
+        sudo apt-get update
+        sudo apt-get install -y --no-install-recommends snapd
+        sudo snap install --classic snapcraft
+      shell: bash
+    - name: Retrieve Certbot snaps
+      uses: actions/download-artifact@v8.0.1
+      with:
+        name: snaps_${{ matrix.SNAP_ARCH }}
+        path: "${{ github.workspace }}/snap"
+    - name: Publish to Snap store
+      run: |-
+        set -e
+        export SNAPCRAFT_STORE_CREDENTIALS="${{ secrets.SNAPCRAFTCFG }}"
+        for SNAP_FILE in snap/*.snap; do
+          tools/retry.sh eval snapcraft upload --release=${{ inputs.snapReleaseChannel }} "${SNAP_FILE}"
+        done
+      shell: bash
+  # The credentials used in the following jobs are for the shared
+  # certbotbot account on Docker Hub.
+  # They are located under the certbot organization settings,
+  # under Secrets and Variables -> Actions.
+  # DOCKERHUB_USERNAME is saved as a variable.
+  # DOCKERHUB_TOKEN is a secret, and it is a PAT created by
+  # following the instructions at
+  # https://docs.docker.com/security/access-tokens/
+  # with Read and Write permissions. The access token can be deleted
+  # on Docker Hub if these credentials need to be revoked.
+  # The password is a PAT following the advice given by
+  # https://github.com/docker/login-action?tab=readme-ov-file#docker-hub
+  publish_docker_by_arch:
+    name: Publish docker by arch
+    permissions:
+      contents: read
+    runs-on:
+      - 'ubuntu-24.04'
+    strategy:
+      matrix:
+        DOCKER_ARCH:
+        - arm32v6
+        - arm64v8
+        - amd64
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v6.0.2
+    - name: Retrieve Certbot snaps
+      uses: actions/download-artifact@v8.0.1
+      with:
+        name: docker_${{ matrix.DOCKER_ARCH }}
+        path: "${{ github.workspace }}"
+    - name: Load Docker images
+      run: set -e && docker load --input ${{ github.workspace }}/images.tar
+      shell: bash
+    - name: Login to Docker Hub
+      uses: docker/login-action@v4.1.0
+      with:
+        username: "${{ vars.DOCKERHUB_USERNAME }}"
+        password: "${{ secrets.DOCKERHUB_TOKEN }}"
+    - name: Deploy the Docker images by architecture
+      run: set -e && tools/docker/deploy_images.sh ${{ inputs.dockerTag }} ${{ matrix.DOCKER_ARCH }}
+      shell: bash
+  publish_docker_multiarch:
+    name: Publish docker multiarch
+    needs: publish_docker_by_arch
+    permissions:
+      contents: read
+    runs-on:
+      - 'ubuntu-24.04'
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v6.0.2
+    - name: Login to Docker Hub
+      uses: docker/login-action@v4.1.0
+      with:
+        username: "${{ vars.DOCKERHUB_USERNAME }}"
+        password: "${{ secrets.DOCKERHUB_TOKEN }}"
+    - name: Deploy the Docker multiarch manifests
+      run: set -e && tools/docker/deploy_manifests.sh ${{ inputs.dockerTag }} all
+      shell: bash

.github/workflows/extended_tests_jobs.yml

@@ -1,5 +1,5 @@
 # Environment variables defined in a calling workflow are not accessible to this reusable workflow. Refer to the documentation for further details on this limitation.
-name: extended_tests_jobs
+name: Extended tests jobs
 on:
   workflow_call:
 

.github/workflows/full-test-suite.yml

@@ -1,5 +1,5 @@
 # Advanced pipeline for running our full test suite on demand.
-name: certbot/full-test-suite
+name: Full test suite
 on:
   push:
     branches:

.github/workflows/nightly.yml

@@ -0,0 +1,25 @@
+# Nightly pipeline running each day for main.
+name: Nightly build
+on:
+  schedule:
+  - cron: 30 4 * * *
+
+jobs:
+  test_and_package_stage:
+    name: Test and Package
+    uses: "./.github/workflows/test_and_package_stage.yml"
+    with:
+      dockerTag: nightly
+      snapBuildTimeout: 19800
+    secrets: inherit
+  changelog_stage:
+    name: Create changelog
+    uses: "./.github/workflows/changelog_stage.yml"
+  nightly_deploy_stage:
+    name: Nightly deploy
+    needs: test_and_package_stage
+    uses: "./.github/workflows/common_deploy_jobs.yml"
+    secrets: inherit
+    with:
+      dockerTag: nightly
+      snapReleaseChannel: edge

.github/workflows/packaging_jobs.yml

@@ -48,7 +48,7 @@ jobs:
       run: set -e && mv images.tar ${{ runner.temp }}
       shell: bash
     - name: Store Docker artifact
-      uses: actions/upload-artifact@v4.1.0
+      uses: actions/upload-artifact@v7.0.0
       with:
         name: docker_${{ matrix.DOCKER_ARCH }}
         path: "${{ runner.temp }}"
@@ -178,7 +178,7 @@ jobs:
         mv *.snap ${{ runner.temp }}
         mv certbot-dns-*/*.snap ${{ runner.temp }}
     - name: Store snaps artifacts
-      uses: actions/upload-artifact@v4.1.0
+      uses: actions/upload-artifact@v7.0.0
       with:
         name: snaps_${{ matrix.SNAP_ARCH }}
         path: "${{ runner.temp }}"

.github/workflows/pr-test-suite.yml

@@ -1,6 +1,6 @@
 # We run the test suite on commits to main so codecov gets coverage data
 # about the main branch and can use it to track coverage changes.
-name: certbot/pr-test-suite
+name: PR test suite
 on:
   push:
     branches:

.github/workflows/standard_tests_jobs.yml

@@ -1,5 +1,5 @@
 # Environment variables defined in a calling workflow are not accessible to this reusable workflow. Refer to the documentation for further details on this limitation.
-name: standard_tests_jobs
+name: Standard tests jobs
 on:
   workflow_call:
     inputs:

.github/workflows/test_and_package_stage.yml

@@ -1,5 +1,5 @@
 # Environment variables defined in a calling workflow are not accessible to this reusable workflow. Refer to the documentation for further details on this limitation.
-name: test_and_package_stage
+name: Test and package stage
 on:
   workflow_call:
     inputs: