ci: reproducibility test for OS images

edgelesssys · Dec 12, 2023 · 2f16918 · 2f16918
1 parent 618e9bd
commit 2f16918
Showing 1 changed file with 86 additions and 1 deletion.
diff --git a/.github/workflows/reproducible-builds.yml b/.github/workflows/reproducible-builds.yml
@@ -64,7 +64,63 @@ jobs:
           name: "sha256sums"
           path: "${{ env.binary }}.sha256"
 
-  compare:
+  build-osimages:
+    strategy:
+        fail-fast: false
+        matrix:
+          target:
+            - "azure_azure-sev-snp_stable"
+            - "aws_aws-nitro-tpm_console"
+            - "qemu_qemu-vtpm_debug"
+            - "gcp_gcp-sev-snp_nightly"
+          runner: ["ubuntu-22.04", "ubuntu-20.04"]
+    env:
+        bazel_target: "//image/system:${{ matrix.target }}"
+        binary: "osimage-${{ matrix.target }}-${{ matrix.runner }}"
+    runs-on: ${{ matrix.runner }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        with:
+          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
+
+      - name: Setup bazel
+        uses: ./.github/actions/setup_bazel_nix
+        with:
+          useCache: "logs"
+          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
+
+      - name: Build
+        shell: bash
+        run: bazel build "${bazel_target}"
+
+      - name: Copy
+        shell: bash
+        run: cp "$(bazel cquery --output=files "${bazel_target}")/constellation.raw" "${binary}"
+
+      - name: Collect hash (linux)
+        shell: bash
+        if: runner.os == 'Linux'
+        run: sha256sum "${binary}" | tee "${binary}.sha256"
+
+      - name: Collect hash (macOS)
+        shell: bash
+        if: runner.os == 'macOS'
+        run: shasum -a 256 "${binary}" | tee "${binary}.sha256"
+
+      - name: Upload binary artifact
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: "osimages-${{ matrix.target }}"
+          path: "${{ env.binary }}"
+
+      - name: Upload hash artifact
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: "sha256sums"
+          path: "${{ env.binary }}.sha256"
+
+  compare-binaries:
     needs: build-binaries
     strategy:
         fail-fast: false
@@ -93,3 +149,32 @@ jobs:
             # shellcheck disable=SC2207,SC2116
             list=($(echo "cli_enterprise*"))
             diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"
+
+  compare-osimages:
+    needs: build-osimages
+    strategy:
+        fail-fast: false
+        matrix:
+            target:
+              - "azure_azure-sev-snp_stable"
+              - "aws_aws-nitro-tpm_console"
+              - "qemu_qemu-vtpm_debug"
+              - "gcp_gcp-sev-snp_nightly"
+    runs-on: ubuntu-22.04
+    steps:
+        - name: Download os images
+          uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+          with:
+            name: "osimages-${{ matrix.target }}"
+
+        - name: Hash
+          shell: bash
+          if: runner.os == 'Linux'
+          run: sha256sum osimage-*
+
+        - name: Compare os images
+          shell: bash
+          run: |
+            # shellcheck disable=SC2207,SC2116
+            list=($(echo "osimage-*"))
+            diff -s --to-file="${list[0]}" "${list[@]:1}" | tee "${GITHUB_STEP_SUMMARY}"