ci: add automated tests for reproducible builds (#1914)

* ci: reproducible builds test
* deps: upgrade actionlint to support macos-13 runners
Malte Poll 2023-06-23 12:12:32 +02:00 committed by GitHub
parent 92cd9c1dac
commit 78fb0066e4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 131 additions and 15 deletions


@ -3,7 +3,7 @@ description: Setup Bazel for CI builds and tests
inputs: inputs:
useCache: useCache:
description: "Cache Bazel artifacts. Use 'true' to enable with rw, 'readonly' to download, and 'false' to disable." description: "Cache Bazel artifacts. Use 'true' to enable with rw, 'readonly' to download, 'log' to disable cache but upload logs, and 'false' to disable."
default: "false" default: "false"
required: true required: true
buildBuddyApiKey: buildBuddyApiKey:
@ -17,11 +17,11 @@ runs:
shell: bash shell: bash
run: | run: |
echo "::group::Check inputs" echo "::group::Check inputs"
if [[ "${{ inputs.useCache }}" != "true" && "${{ inputs.useCache }}" != "readonly" && "${{ inputs.useCache }}" != "false" ]]; then if [[ "${{ inputs.useCache }}" != "true" && "${{ inputs.useCache }}" != "readonly" && "${{ inputs.useCache }}" != "logs" && "${{ inputs.useCache }}" != "false" ]]; then
echo "Invalid value for 'useCache' input: '${{ inputs.useCache }}'. Must be 'true', 'readonly', or 'false'." echo "Invalid value for 'useCache' input: '${{ inputs.useCache }}'. Must be 'true', 'readonly', or 'false'."
exit 1 exit 1
fi fi
if [[ "${{ inputs.useCache }}" == "true" || "${{ inputs.useCache }}" == "readonly" ]] && [[ -z "${{ inputs.buildBuddyApiKey }}" ]]; then if [[ "${{ inputs.useCache }}" == "true" || "${{ inputs.useCache }}" == "readonly" || "${{ inputs.useCache }}" == "logs" ]] && [[ -z "${{ inputs.buildBuddyApiKey }}" ]]; then
echo "BuildBuddy API key is required when cache is enabled." echo "BuildBuddy API key is required when cache is enabled."
exit 1 exit 1
fi fi
@ -69,6 +69,7 @@ runs:
- name: Configure Bazel (readonly) - name: Configure Bazel (readonly)
shell: bash shell: bash
if: inputs.useCache == 'readonly'
env: env:
WORKSPACE: ${{ github.workspace }} WORKSPACE: ${{ github.workspace }}
run: | run: |
@ -76,6 +77,22 @@ runs:
echo "build --remote_upload_local_results=false" >> "${WORKSPACE}/.bazeloverwriterc" echo "build --remote_upload_local_results=false" >> "${WORKSPACE}/.bazeloverwriterc"
echo "::endgroup::" echo "::endgroup::"
- name: Configure Bazel (logs)
shell: bash
if: inputs.useCache == 'logs'
env:
BUILDBUDDY_ORG_API_KEY: ${{ inputs.buildBuddyApiKey }}
WORKSPACE: ${{ github.workspace }}
run: |
echo "::group::Configure Bazel"
cat <<EOF >> "${WORKSPACE}/.bazeloverwriterc"
build --bes_results_url=https://app.buildbuddy.io/invocation/
build --bes_backend=grpcs://remote.buildbuddy.io
build --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_ORG_API_KEY}
build --nolegacy_important_outputs
EOF
echo "::endgroup::"
- name: Disable disk cache on GitHub Actions runners - name: Disable disk cache on GitHub Actions runners
shell: bash shell: bash
env: env:
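Review bot: The new `logs` value is accepted by the input check, but the error message printed right below that check still says `Must be 'true', 'readonly', or 'false'.`, and the `useCache` description at the top of the file calls the value `'log'` while the check and the `if: inputs.useCache == 'logs'` on the new step spell it `'logs'`, so a caller who follows the description is rejected. I would change the description fragment to `'logs' to disable cache but upload logs` and the message to `Must be 'true', 'readonly', 'logs', or 'false'.` so all three agree. Also note that the "Configure Bazel (logs)" step expands the API key into `.bazeloverwriterc` inside the workspace, presumably like the existing cache modes do; GitHub masks the secret in job output, but any later step that prints or archives that file would carry the key, so consuming workflows should not upload the workspace root. The `runs:` step list continues outside this hunk.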


@ -0,0 +1,99 @@
# Build Constellation CLI and check for reproducible builds
name: Reproducible Builds
on:
workflow_dispatch:
schedule:
- cron: "45 06 * * 1" # Every Monday at 6:45am
jobs:
build-binaries:
strategy:
fail-fast: false
matrix:
target:
- "cli_enterprise_darwin_amd64"
- "cli_enterprise_darwin_arm64"
- "cli_enterprise_linux_amd64"
- "cli_enterprise_linux_arm64"
- "cli_enterprise_windows_amd64"
runner: ["ubuntu-22.04", "macos-13"]
env:
bazel_target: "//cli:${{ matrix.target }}"
binary: "${{ matrix.target }}-${{ matrix.runner }}"
runs-on: ${{ matrix.runner }}
steps:
- name: Checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Setup bazel
uses: ./.github/actions/setup_bazel
with:
useCache: "logs"
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
- name: Install current Bash on macOS
if: runner.os == 'macOS'
run: brew install bash
- name: Build
shell: bash
run: bazel build "${bazel_target}"
- name: Copy
shell: bash
run: cp "$(bazel cquery --output=files "${bazel_target}")" "${binary}"
- name: Collect hash (linux)
shell: bash
if: runner.os == 'Linux'
run: sha256sum "${binary}" | tee "${binary}.sha256"
- name: Collect hash (macOS)
shell: bash
if: runner.os == 'macOS'
run: shasum -a 256 "${binary}" | tee "${binary}.sha256"
- name: Upload binary artifact
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: "binaries-${{ matrix.target }}"
path: "${{ env.binary }}"
- name: Upload hash artifact
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: "sha256sums"
path: "${{ env.binary }}.sha256"
compare:
needs: build-binaries
strategy:
fail-fast: false
matrix:
target:
- "cli_enterprise_darwin_amd64"
- "cli_enterprise_darwin_arm64"
- "cli_enterprise_linux_amd64"
- "cli_enterprise_linux_arm64"
- "cli_enterprise_windows_amd64"
runs-on: ubuntu-22.04
steps:
- name: Download binaries
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: "binaries-${{ matrix.target }}"
- name: Hash
shell: bash
if: runner.os == 'Linux'
run: sha256sum cli_enterprise*
- name: Compare binaries
shell: bash
run: |
# shellcheck disable=SC2207,SC2116
list=($(echo "cli_enterprise*"))
diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"
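Review bot: The "Compare binaries" step at the end of the `compare` job never checks how many files the `cli_enterprise*` glob matched; if the downloaded artifact holds fewer than two outputs, `diff --to-file` runs with no operands and the job fails with GNU diff's "missing operand" instead of a message naming the target, and the non-reproducible case only fails the step because the `diff | tee` pipeline relies on the `-o pipefail` GitHub adds implicitly for `shell: bash`. I would check the count and set pipefail explicitly in the script, as below. Separately, the Checkout step's `ref:` expression can only evaluate to `''` in this workflow, since it is triggered only by `schedule` and `workflow_dispatch`, where `github.head_ref` is empty; dropping the `with:` block there would make the intent clearer. The `if: runner.os == 'Linux'` on the Hash step is also redundant given `runs-on: ubuntu-22.04` on that job.
```yaml
      - name: Compare binaries
        shell: bash
        run: |
          set -o pipefail
          # shellcheck disable=SC2207,SC2116
          list=($(echo "cli_enterprise*"))
          if (( ${#list[@]} < 2 )); then
            echo "expected at least two build outputs to compare, found ${#list[@]}" >&2
            exit 1
          fi
          diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"
```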


@ -97,41 +97,41 @@ def _actionlint_deps():
name = "com_github_rhysd_actionlint_linux_amd64", name = "com_github_rhysd_actionlint_linux_amd64",
build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""", build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""",
urls = [ urls = [
"https://cdn.confidential.cloud/constellation/cas/sha256/3c5818744143a5d6754edd3dcc4c2b32c9dfcdd3bb30e0e108fb5e5c505262d4", "https://cdn.confidential.cloud/constellation/cas/sha256/80a54660e73ad55a0818372bdaa0dced82eb86f618e6bf1621e73f099e61c027",
"https://github.com/rhysd/actionlint/releases/download/v1.6.24/actionlint_1.6.24_linux_amd64.tar.gz", "https://github.com/rhysd/actionlint/releases/download/v1.6.25/actionlint_1.6.25_linux_amd64.tar.gz",
], ],
type = "tar.gz", type = "tar.gz",
sha256 = "3c5818744143a5d6754edd3dcc4c2b32c9dfcdd3bb30e0e108fb5e5c505262d4", sha256 = "80a54660e73ad55a0818372bdaa0dced82eb86f618e6bf1621e73f099e61c027",
) )
http_archive( http_archive(
name = "com_github_rhysd_actionlint_linux_arm64", name = "com_github_rhysd_actionlint_linux_arm64",
build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""", build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""",
urls = [ urls = [
"https://cdn.confidential.cloud/constellation/cas/sha256/93cc9d1f4a01f0658423b41ecf3bd8c17c619003ec683be8bac9264d0361d0d8", "https://cdn.confidential.cloud/constellation/cas/sha256/8bedeea8ed636891fd7351fa7ccbc75fdb5bee6efde5320162f712e8457e73ea",
"https://github.com/rhysd/actionlint/releases/download/v1.6.24/actionlint_1.6.24_linux_arm64.tar.gz", "https://github.com/rhysd/actionlint/releases/download/v1.6.25/actionlint_1.6.25_linux_arm64.tar.gz",
], ],
type = "tar.gz", type = "tar.gz",
sha256 = "93cc9d1f4a01f0658423b41ecf3bd8c17c619003ec683be8bac9264d0361d0d8", sha256 = "8bedeea8ed636891fd7351fa7ccbc75fdb5bee6efde5320162f712e8457e73ea",
) )
http_archive( http_archive(
name = "com_github_rhysd_actionlint_darwin_amd64", name = "com_github_rhysd_actionlint_darwin_amd64",
build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""", build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""",
urls = [ urls = [
"https://cdn.confidential.cloud/constellation/cas/sha256/ce9dd9653700e3ed00464dffddd3e2a61358cf96425f2f3dff840dfc1e105eab", "https://cdn.confidential.cloud/constellation/cas/sha256/30d69622ff9fbf564081515bf7d20538f2cb590150ef0c69fdcc56fa23fe85f1",
"https://github.com/rhysd/actionlint/releases/download/v1.6.24/actionlint_1.6.24_darwin_amd64.tar.gz", "https://github.com/rhysd/actionlint/releases/download/v1.6.25/actionlint_1.6.25_darwin_amd64.tar.gz",
], ],
type = "tar.gz", type = "tar.gz",
sha256 = "ce9dd9653700e3ed00464dffddd3e2a61358cf96425f2f3dff840dfc1e105eab", sha256 = "30d69622ff9fbf564081515bf7d20538f2cb590150ef0c69fdcc56fa23fe85f1",
) )
http_archive( http_archive(
name = "com_github_rhysd_actionlint_darwin_arm64", name = "com_github_rhysd_actionlint_darwin_arm64",
build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""", build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""",
urls = [ urls = [
"https://cdn.confidential.cloud/constellation/cas/sha256/5477f8a5a4073ef086525a2512b2bf1201641cd544034ad0c66f329590638242", "https://cdn.confidential.cloud/constellation/cas/sha256/9153ebe7be2a33c9047e60aeb0d8d7b831b22fe99bbea63d365500c68245d6df",
"https://github.com/rhysd/actionlint/releases/download/v1.6.24/actionlint_1.6.24_darwin_arm64.tar.gz", "https://github.com/rhysd/actionlint/releases/download/v1.6.25/actionlint_1.6.25_darwin_arm64.tar.gz",
], ],
type = "tar.gz", type = "tar.gz",
sha256 = "5477f8a5a4073ef086525a2512b2bf1201641cd544034ad0c66f329590638242", sha256 = "9153ebe7be2a33c9047e60aeb0d8d7b831b22fe99bbea63d365500c68245d6df",
) )
def _gofumpt_deps(): def _gofumpt_deps():