# Verify that Constellation builds are reproducible. # # The build-* jobs' matrix has two dimensions: a list of targets to build and # a list of runners to build on. The produced binaries and OS images are # expected to be bit-for-bit identical, regardless of the chosen build runner. # # The compare-* jobs only have the target dimension. They obtain the built # targets from all runners and check that there are no diffs between them. name: Reproducible Builds on: workflow_dispatch: schedule: - cron: "45 06 * * 1" # Every Monday at 6:45am jobs: build-binaries: strategy: fail-fast: false matrix: target: - "cli_enterprise_darwin_amd64" - "cli_enterprise_darwin_arm64" - "cli_enterprise_linux_amd64" - "cli_enterprise_linux_arm64" - "cli_enterprise_windows_amd64" runner: ["ubuntu-22.04", "ubuntu-20.04"] env: bazel_target: "//cli:${{ matrix.target }}" binary: "${{ matrix.target }}-${{ matrix.runner }}" runs-on: ${{ matrix.runner }} steps: - name: Checkout uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - name: Setup bazel uses: ./.github/actions/setup_bazel_nix - name: Build shell: bash run: bazel build "${bazel_target}" - name: Copy shell: bash run: cp "$(bazel cquery --output=files "${bazel_target}")" "${binary}" - name: Collect hash (linux) shell: bash if: runner.os == 'Linux' run: sha256sum "${binary}" | tee "${binary}.sha256" - name: Collect hash (macOS) shell: bash if: runner.os == 'macOS' run: shasum -a 256 "${binary}" | tee "${binary}.sha256" - name: Upload binary artifact uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: "binaries-${{ matrix.target }}-${{ matrix.runner }}" path: "${{ env.binary }}" - name: Upload hash artifact uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}" path: "${{ env.binary }}.sha256" build-osimages: strategy: fail-fast: false matrix: target: - "azure_azure-sev-snp_stable" - "aws_aws-nitro-tpm_console" - "qemu_qemu-vtpm_debug" - "gcp_gcp-sev-snp_nightly" runner: ["ubuntu-22.04", "ubuntu-20.04"] env: bazel_target: "//image/system:${{ matrix.target }}" binary: "osimage-${{ matrix.target }}-${{ matrix.runner }}" runs-on: ${{ matrix.runner }} steps: - name: Checkout uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - name: Setup bazel uses: ./.github/actions/setup_bazel_nix - name: Build shell: bash run: bazel build "${bazel_target}" - name: Copy shell: bash run: cp "$(bazel cquery --output=files "${bazel_target}")/constellation.raw" "${binary}" - name: Collect hash (linux) shell: bash if: runner.os == 'Linux' run: sha256sum "${binary}" | tee "${binary}.sha256" - name: Collect hash (macOS) shell: bash if: runner.os == 'macOS' run: shasum -a 256 "${binary}" | tee "${binary}.sha256" - name: Upload binary artifact uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: "osimages-${{ matrix.target }}-${{ matrix.runner }}" path: "${{ env.binary }}" - name: Upload hash artifact uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}" path: "${{ env.binary }}.sha256" compare-binaries: needs: build-binaries strategy: fail-fast: false matrix: target: - "cli_enterprise_darwin_amd64" - "cli_enterprise_darwin_arm64" - "cli_enterprise_linux_amd64" - "cli_enterprise_linux_arm64" - "cli_enterprise_windows_amd64" runs-on: ubuntu-22.04 steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - name: Download binaries uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: pattern: "binaries-${{ matrix.target }}-*" merge-multiple: true - name: Hash shell: bash if: runner.os == 'Linux' run: sha256sum cli_enterprise* - name: Compare binaries shell: bash run: | # shellcheck disable=SC2207,SC2116 list=($(echo "cli_enterprise*")) diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}" compare-osimages: needs: build-osimages strategy: fail-fast: false matrix: target: - "azure_azure-sev-snp_stable" - "aws_aws-nitro-tpm_console" - "qemu_qemu-vtpm_debug" - "gcp_gcp-sev-snp_nightly" runs-on: ubuntu-22.04 steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - name: Download os images uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: pattern: "osimages-${{ matrix.target }}-*" merge-multiple: true - name: Hash shell: bash if: runner.os == 'Linux' run: sha256sum osimage-* - name: Compare os images shell: bash run: | # shellcheck disable=SC2207,SC2116 list=($(echo "osimage-*")) diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"