mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-26 07:16:08 -05:00
224 lines
7.8 KiB
YAML
224 lines
7.8 KiB
YAML
# Verify that Constellation builds are reproducible.
|
|
#
|
|
# The build-* jobs' matrix has three dimensions: a list of targets to build, a
|
|
# list of runners to build on and a method of installing dependencies. The
|
|
# produced binaries and OS images are expected to be bit-for-bit identical,
|
|
# without any dependencies on the runtime setup details.
|
|
#
|
|
# The compare-* jobs only have the target dimension. They obtain the built
|
|
# targets from all runners and check that there are no diffs between them.
|
|
name: Reproducible Builds
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
schedule:
|
|
- cron: "45 06 * * 1" # Every Monday at 6:45am
|
|
|
|
jobs:
|
|
build-binaries:
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
target:
|
|
- "cli_enterprise_darwin_amd64"
|
|
- "cli_enterprise_darwin_arm64"
|
|
- "cli_enterprise_linux_amd64"
|
|
- "cli_enterprise_linux_arm64"
|
|
- "cli_enterprise_windows_amd64"
|
|
runner:
|
|
- "ubuntu-24.04"
|
|
- "ubuntu-22.04"
|
|
deps:
|
|
- conventional
|
|
- eccentric
|
|
env:
|
|
bazel_target: "//cli:${{ matrix.target }}"
|
|
binary: "${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
|
|
runs-on: ${{ matrix.runner }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
|
|
|
- name: Setup dependencies
|
|
uses: ./.github/actions/setup_bazel_nix
|
|
if: matrix.deps == 'conventional'
|
|
|
|
- name: Setup dependencies (eccentric)
|
|
if: matrix.deps == 'eccentric'
|
|
run: |
|
|
version=$(cat .bazelversion)
|
|
mkdir -p "$HOME/.local/bin"
|
|
curl -fsSL -o "$HOME/.local/bin/bazel" "https://github.com/bazelbuild/bazel/releases/download/$version/bazel-$version-linux-x86_64"
|
|
chmod a+x "$HOME/.local/bin/bazel"
|
|
echo "$HOME/.local/bin" >> "$GITHUB_PATH"
|
|
|
|
curl -fsSL -o "$HOME/.local/bin/nix-installer" https://github.com/DeterminateSystems/nix-installer/releases/download/v0.26.3/nix-installer-x86_64-linux # renovate:github-release
|
|
chmod a+x "$HOME/.local/bin/nix-installer"
|
|
"$HOME/.local/bin/nix-installer" install --no-confirm
|
|
|
|
- name: Build
|
|
shell: bash
|
|
run: bazel build "${bazel_target}"
|
|
|
|
- name: Copy
|
|
shell: bash
|
|
run: cp "$(bazel cquery --output=files "${bazel_target}")" "${binary}"
|
|
|
|
- name: Collect hash (linux)
|
|
shell: bash
|
|
if: runner.os == 'Linux'
|
|
run: sha256sum "${binary}" | tee "${binary}.sha256"
|
|
|
|
- name: Collect hash (macOS)
|
|
shell: bash
|
|
if: runner.os == 'macOS'
|
|
run: shasum -a 256 "${binary}" | tee "${binary}.sha256"
|
|
|
|
- name: Upload binary artifact
|
|
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
|
with:
|
|
name: "binaries-${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
|
|
path: "${{ env.binary }}"
|
|
|
|
- name: Upload hash artifact
|
|
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
|
with:
|
|
name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
|
|
path: "${{ env.binary }}.sha256"
|
|
|
|
build-osimages:
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
target:
|
|
- "azure_azure-sev-snp_stable"
|
|
- "aws_aws-nitro-tpm_console"
|
|
- "qemu_qemu-vtpm_debug"
|
|
- "gcp_gcp-sev-snp_nightly"
|
|
runner: ["ubuntu-24.04", "ubuntu-22.04"]
|
|
env:
|
|
bazel_target: "//image/system:${{ matrix.target }}"
|
|
binary: "osimage-${{ matrix.target }}-${{ matrix.runner }}"
|
|
runs-on: ${{ matrix.runner }}
|
|
steps:
|
|
- name: Remove security hardening features
|
|
if: matrix.runner == 'ubuntu-24.04'
|
|
shell: bash
|
|
run: |
|
|
# Taken from https://github.com/systemd/mkosi/blob/fcacc94b9f72d9b6b1f03779b0c6e07209ceb54b/action.yaml#L42-L57.
|
|
sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
|
|
sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
|
|
# This command fails with a non-zero error code even though it unloads the apparmor profiles.
|
|
# https://gitlab.com/apparmor/apparmor/-/issues/403
|
|
sudo aa-teardown || true
|
|
sudo apt-get remove -y apparmor
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
|
|
|
- name: Setup bazel
|
|
uses: ./.github/actions/setup_bazel_nix
|
|
|
|
- name: Build
|
|
shell: bash
|
|
run: bazel build "${bazel_target}"
|
|
|
|
- name: Copy
|
|
shell: bash
|
|
run: cp "$(bazel cquery --output=files "${bazel_target}")/constellation.raw" "${binary}"
|
|
|
|
- name: Collect hash (linux)
|
|
shell: bash
|
|
if: runner.os == 'Linux'
|
|
run: sha256sum "${binary}" | tee "${binary}.sha256"
|
|
|
|
- name: Collect hash (macOS)
|
|
shell: bash
|
|
if: runner.os == 'macOS'
|
|
run: shasum -a 256 "${binary}" | tee "${binary}.sha256"
|
|
|
|
- name: Upload binary artifact
|
|
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
|
with:
|
|
name: "osimages-${{ matrix.target }}-${{ matrix.runner }}"
|
|
path: "${{ env.binary }}"
|
|
|
|
- name: Upload hash artifact
|
|
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
|
with:
|
|
name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}"
|
|
path: "${{ env.binary }}.sha256"
|
|
|
|
compare-binaries:
|
|
needs: build-binaries
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
target:
|
|
- "cli_enterprise_darwin_amd64"
|
|
- "cli_enterprise_darwin_arm64"
|
|
- "cli_enterprise_linux_amd64"
|
|
- "cli_enterprise_linux_arm64"
|
|
- "cli_enterprise_windows_amd64"
|
|
runs-on: ubuntu-24.04
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
|
|
|
- name: Download binaries
|
|
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
|
with:
|
|
pattern: "binaries-${{ matrix.target }}-*"
|
|
merge-multiple: true
|
|
|
|
- name: Hash
|
|
shell: bash
|
|
if: runner.os == 'Linux'
|
|
run: sha256sum cli_enterprise*
|
|
|
|
- name: Compare binaries
|
|
shell: bash
|
|
run: |
|
|
# shellcheck disable=SC2207,SC2116
|
|
list=($(echo "cli_enterprise*"))
|
|
diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"
|
|
|
|
compare-osimages:
|
|
needs: build-osimages
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
target:
|
|
- "azure_azure-sev-snp_stable"
|
|
- "aws_aws-nitro-tpm_console"
|
|
- "qemu_qemu-vtpm_debug"
|
|
- "gcp_gcp-sev-snp_nightly"
|
|
runs-on: ubuntu-24.04
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
|
|
|
- name: Download os images
|
|
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
|
with:
|
|
pattern: "osimages-${{ matrix.target }}-*"
|
|
merge-multiple: true
|
|
|
|
- name: Hash
|
|
shell: bash
|
|
if: runner.os == 'Linux'
|
|
run: sha256sum osimage-*
|
|
|
|
- name: Compare os images
|
|
shell: bash
|
|
run: |
|
|
# shellcheck disable=SC2207,SC2116
|
|
list=($(echo "osimage-*"))
|
|
diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"
|