mirror of
https://github.com/mirage/qubes-mirage-firewall.git
synced 2024-10-01 05:05:39 +00:00
ba6629f4ca
Also upload the artifact to GitHub action, and in addition use the same setup (ubuntu 20.04 image) and build directories as done on builds.robur.coop. Also use `strip` on the resulting binary to reduce it's size (since the debug section aren't mapped into the running unikernel, there's nothing we get from them -- also they are preserved (as .debug file) and uploaded to https://builds.robur.coop if one needs them). This entails binary reproducibility between the different systems: - a developer using ./build-with-docker.sh - GitHub action (run on every PR) - builds.robur.coop with the ubuntu-20.04 worker
22 lines
1.2 KiB
Docker
22 lines
1.2 KiB
Docker
# Pin the base image to a specific hash for maximum reproducibility.
|
|
# It will probably still work on newer images, though, unless an update
|
|
# changes some compiler optimisations (unlikely).
|
|
# ubuntu-20.04
|
|
FROM ubuntu@sha256:b25ef49a40b7797937d0d23eca3b0a41701af6757afca23d504d50826f0b37ce
|
|
|
|
RUN apt update && apt install --no-install-recommends --no-install-suggests -y wget ca-certificates git patch unzip make gcc g++ libc-dev
|
|
RUN wget -O /usr/bin/opam https://github.com/ocaml/opam/releases/download/2.1.3/opam-2.1.3-i686-linux && chmod 755 /usr/bin/opam
|
|
|
|
ENV OPAMROOT=/tmp
|
|
ENV OPAMCONFIRMLEVEL=unsafe-yes
|
|
# Pin last known-good version for reproducible builds.
|
|
# Remove this line (and the base image pin above) if you want to test with the
|
|
# latest versions.
|
|
RUN opam init --disable-sandboxing -a --bare https://github.com/ocaml/opam-repository.git#685eb4efcebfa671660e55d76dea017f00fed4d9
|
|
RUN opam switch create myswitch 4.14.0
|
|
RUN opam exec -- opam install -y mirage opam-monorepo ocaml-solo5
|
|
RUN mkdir /tmp/orb-build
|
|
ADD config.ml /tmp/orb-build/config.ml
|
|
WORKDIR /tmp/orb-build
|
|
CMD opam exec -- sh -exc 'mirage configure -t xen --allocation-policy=best-fit && make depend && make tar'
|