From fecb1f3e6ccd643b5bc95a5464a01f0e7e283d4c Mon Sep 17 00:00:00 2001
From: Malte Poll <1780588+malt3@users.noreply.github.com>
Date: Mon, 11 Dec 2023 09:28:25 +0100
Subject: [PATCH] ci: reproducibility test for OS images
---
 .github/workflows/reproducible-builds.yml | 87 ++++++++++++++++++++++-
 1 file changed, 86 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/reproducible-builds.yml b/.github/workflows/reproducible-builds.yml
index a5b0bf677..8fd53ba69 100644
--- a/.github/workflows/reproducible-builds.yml
+++ b/.github/workflows/reproducible-builds.yml
@@ -64,7 +64,63 @@ jobs:
 name: "sha256sums"
 path: "${{ env.binary }}.sha256"
- compare:
+ build-osimages:
+ strategy:
+ fail-fast: false
+ matrix:
+ target:
+ - "azure_azure-sev-snp_stable"
+ - "aws_aws-nitro-tpm_console"
+ - "qemu_qemu-vtpm_debug"
+ - "gcp_gcp-sev-snp_nightly"
+ runner: ["ubuntu-22.04", "ubuntu-20.04"]
+ env:
+ bazel_target: "//image/system:${{ matrix.target }}"
+ binary: "osimage-${{ matrix.target }}-${{ matrix.runner }}"
+ runs-on: ${{ matrix.runner }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ with:
+ ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
+
+ - name: Setup bazel
+ uses: ./.github/actions/setup_bazel_nix
+ with:
+ useCache: "logs"
+ buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
+
+ - name: Build
+ shell: bash
+ run: bazel build "${bazel_target}"
+
+ - name: Copy
+ shell: bash
+ run: cp "$(bazel cquery --output=files "${bazel_target}")/constellation.raw" "${binary}"
+
+ - name: Collect hash (linux)
+ shell: bash
+ if: runner.os == 'Linux'
+ run: sha256sum "${binary}" | tee "${binary}.sha256"
+
+ - name: Collect hash (macOS)
+ shell: bash
+ if: runner.os == 'macOS'
+ run: shasum -a 256 "${binary}" | tee "${binary}.sha256"
+
+ - name: Upload binary artifact
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ with:
+ name: "osimages-${{ matrix.target }}"
+ path: "${{ env.binary }}"
+
+ - name: Upload hash artifact
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ with:
+ name: "sha256sums"
+ path: "${{ env.binary }}.sha256"
+
+ compare-binaries:
 needs: build-binaries
 strategy:
 fail-fast: false
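Review bot: The `Collect hash (macOS)` step in `build-osimages` is unreachable: the `runner` matrix axis holds only `ubuntu-22.04` and `ubuntu-20.04`, so `if: runner.os == 'macOS'` is never true and the matching guard on the Linux step is redundant; either drop the macOS step and the `if:` on the Linux one, or add the macOS runner to the matrix so the branch is actually exercised. For a reproducibility test the two matrix legs must not be satisfied from a shared build-output cache, otherwise the later comparison is vacuous; `useCache: "logs"` appears to be what keeps outputs out of the cache, and that intent deserves a comment beside it such as `# logs-only cache: each runner must rebuild the image from source for the comparison to mean anything`. The `Copy` step also assumes `bazel cquery --output=files` prints exactly one path; if the target ever yields several output files, the `$(...)/constellation.raw` join silently becomes a malformed path, so a `[[ "$(bazel cquery --output=files "${bazel_target}" | wc -l)" -eq 1 ]]` check before the `cp` would make that failure explicit. The `compare-binaries` job continues outside the hunk.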
@@ -93,3 +149,32 @@ jobs:
 # shellcheck disable=SC2207,SC2116
 list=($(echo "cli_enterprise*"))
 diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"
+
+ compare-osimages:
+ needs: build-osimages
+ strategy:
+ fail-fast: false
+ matrix:
+ target:
+ - "azure_azure-sev-snp_stable"
+ - "aws_aws-nitro-tpm_console"
+ - "qemu_qemu-vtpm_debug"
+ - "gcp_gcp-sev-snp_nightly"
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Download os images
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+ with:
+ name: "osimages-${{ matrix.target }}"
+
+ - name: Hash
+ shell: bash
+ if: runner.os == 'Linux'
+ run: sha256sum osimage-*
+
+ - name: Compare os images
+ shell: bash
+ run: |
+ # shellcheck disable=SC2207,SC2116
+ list=($(echo "osimage-*"))
+ diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"
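Review bot: The `Compare os images` step only proves reproducibility when both matrix legs of `build-osimages` actually delivered an image; with `fail-fast: false`, a single failed leg leaves one file in the downloaded artifact, `"${list[@]:1}"` expands to nothing, and `diff` dies with a missing-operand error that reads like a tooling problem rather than a build problem (the same happens when the glob matches nothing and `list` holds the literal `osimage-*`). A guard before the diff makes that case explicit: `[[ ${#list[@]} -eq 2 ]] || { echo "expected 2 os images, found ${#list[@]}" >&2; exit 1; }`. The step also relies on both runner legs uploading into the same artifact name `osimages-<target>`, which merges under upload-artifact v3 but is rejected by v4; a comment on the `Download os images` step naming that dependency would spare the next action upgrade a surprise. The `if: runner.os == 'Linux'` on the `Hash` step is redundant with the fixed `runs-on: ubuntu-22.04`.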