mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-09-20 00:06:21 +00:00
ef6f63dc48
* bootstrapper: remove obsolete log statement * ci: simplify variable usage Co-authored-by: Daniel Weiße <daniel-weisse@users.noreply.github.com> * cli: add missing formatting directive * helm: fix rm invocation * ci: document reproducible-builds workflow * constants: use variables for measurement files * constants: use variables for CDN distribution ID * ci: make Helm version explicit * api: prettify versionsapi-list output * ci: remove obsolete docstring --------- Co-authored-by: Daniel Weiße <daniel-weisse@users.noreply.github.com>
198 lines
6.4 KiB
YAML
198 lines
6.4 KiB
YAML
# Verify that Constellation builds are reproducible.
|
|
#
|
|
# The build-* jobs' matrix has two dimensions: a list of targets to build and
|
|
# a list of runners to build on. The produced binaries and OS images are
|
|
# expected to be bit-for-bit identical, regardless of the chosen build runner.
|
|
#
|
|
# The compare-* jobs only have the target dimension. They obtain the built
|
|
# targets from all runners and check that there are no diffs between them.
|
|
name: Reproducible Builds
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
schedule:
|
|
- cron: "45 06 * * 1" # Every Monday at 6:45am
|
|
|
|
jobs:
|
|
build-binaries:
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
target:
|
|
- "cli_enterprise_darwin_amd64"
|
|
- "cli_enterprise_darwin_arm64"
|
|
- "cli_enterprise_linux_amd64"
|
|
- "cli_enterprise_linux_arm64"
|
|
- "cli_enterprise_windows_amd64"
|
|
runner: ["ubuntu-22.04", "ubuntu-20.04"]
|
|
env:
|
|
bazel_target: "//cli:${{ matrix.target }}"
|
|
binary: "${{ matrix.target }}-${{ matrix.runner }}"
|
|
runs-on: ${{ matrix.runner }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
|
with:
|
|
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
|
|
|
- name: Setup bazel
|
|
uses: ./.github/actions/setup_bazel_nix
|
|
with:
|
|
useCache: "logs"
|
|
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
|
|
|
|
- name: Build
|
|
shell: bash
|
|
run: bazel build "${bazel_target}"
|
|
|
|
- name: Copy
|
|
shell: bash
|
|
run: cp "$(bazel cquery --output=files "${bazel_target}")" "${binary}"
|
|
|
|
- name: Collect hash (linux)
|
|
shell: bash
|
|
if: runner.os == 'Linux'
|
|
run: sha256sum "${binary}" | tee "${binary}.sha256"
|
|
|
|
- name: Collect hash (macOS)
|
|
shell: bash
|
|
if: runner.os == 'macOS'
|
|
run: shasum -a 256 "${binary}" | tee "${binary}.sha256"
|
|
|
|
- name: Upload binary artifact
|
|
uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
|
|
with:
|
|
name: "binaries-${{ matrix.target }}-${{ matrix.runner }}"
|
|
path: "${{ env.binary }}"
|
|
|
|
- name: Upload hash artifact
|
|
uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
|
|
with:
|
|
name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}"
|
|
path: "${{ env.binary }}.sha256"
|
|
|
|
build-osimages:
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
target:
|
|
- "azure_azure-sev-snp_stable"
|
|
- "aws_aws-nitro-tpm_console"
|
|
- "qemu_qemu-vtpm_debug"
|
|
- "gcp_gcp-sev-snp_nightly"
|
|
runner: ["ubuntu-22.04", "ubuntu-20.04"]
|
|
env:
|
|
bazel_target: "//image/system:${{ matrix.target }}"
|
|
binary: "osimage-${{ matrix.target }}-${{ matrix.runner }}"
|
|
runs-on: ${{ matrix.runner }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
|
with:
|
|
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
|
|
|
- name: Setup bazel
|
|
uses: ./.github/actions/setup_bazel_nix
|
|
with:
|
|
useCache: "logs"
|
|
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
|
|
|
|
- name: Build
|
|
shell: bash
|
|
run: bazel build "${bazel_target}"
|
|
|
|
- name: Copy
|
|
shell: bash
|
|
run: cp "$(bazel cquery --output=files "${bazel_target}")/constellation.raw" "${binary}"
|
|
|
|
- name: Collect hash (linux)
|
|
shell: bash
|
|
if: runner.os == 'Linux'
|
|
run: sha256sum "${binary}" | tee "${binary}.sha256"
|
|
|
|
- name: Collect hash (macOS)
|
|
shell: bash
|
|
if: runner.os == 'macOS'
|
|
run: shasum -a 256 "${binary}" | tee "${binary}.sha256"
|
|
|
|
- name: Upload binary artifact
|
|
uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
|
|
with:
|
|
name: "osimages-${{ matrix.target }}-${{ matrix.runner }}"
|
|
path: "${{ env.binary }}"
|
|
|
|
- name: Upload hash artifact
|
|
uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
|
|
with:
|
|
name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}"
|
|
path: "${{ env.binary }}.sha256"
|
|
|
|
compare-binaries:
|
|
needs: build-binaries
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
target:
|
|
- "cli_enterprise_darwin_amd64"
|
|
- "cli_enterprise_darwin_arm64"
|
|
- "cli_enterprise_linux_amd64"
|
|
- "cli_enterprise_linux_arm64"
|
|
- "cli_enterprise_windows_amd64"
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
|
with:
|
|
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
|
|
|
- name: Download binaries
|
|
uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0
|
|
with:
|
|
pattern: "binaries-${{ matrix.target }}-*"
|
|
merge-multiple: true
|
|
|
|
- name: Hash
|
|
shell: bash
|
|
if: runner.os == 'Linux'
|
|
run: sha256sum cli_enterprise*
|
|
|
|
- name: Compare binaries
|
|
shell: bash
|
|
run: |
|
|
# shellcheck disable=SC2207,SC2116
|
|
list=($(echo "cli_enterprise*"))
|
|
diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"
|
|
|
|
compare-osimages:
|
|
needs: build-osimages
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
target:
|
|
- "azure_azure-sev-snp_stable"
|
|
- "aws_aws-nitro-tpm_console"
|
|
- "qemu_qemu-vtpm_debug"
|
|
- "gcp_gcp-sev-snp_nightly"
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
|
with:
|
|
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
|
|
|
- name: Download os images
|
|
uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0
|
|
with:
|
|
pattern: "osimages-${{ matrix.target }}-*"
|
|
merge-multiple: true
|
|
|
|
- name: Hash
|
|
shell: bash
|
|
if: runner.os == 'Linux'
|
|
run: sha256sum osimage-*
|
|
|
|
- name: Compare os images
|
|
shell: bash
|
|
run: |
|
|
# shellcheck disable=SC2207,SC2116
|
|
list=($(echo "osimage-*"))
|
|
diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"
|