-
Notifications
You must be signed in to change notification settings - Fork 0
130 lines (125 loc) · 4.81 KB
/
ci-reproducibility.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
# NOTE: This name appears in GitHub's Checks API and in workflow's status badge.
name: ci-reproducibility
# Trigger the workflow when:
on:
# A push occurs to one of the matched branches.
push:
branches:
- master
- stable/*
# Or every day at 00:00 UTC.
schedule:
- cron: "0 0 * * *"
# Global environment variables.
env:
CURL_CMD: curl --proto =https --tlsv1.2 --location --silent --show-error --fail
GORELEASER_URL_PREFIX: https://github.com/goreleaser/goreleaser/releases/download/
GORELEASER_VERSION: 0.152.0
JEMALLOC_URL_PREFIX: https://github.com/jemalloc/jemalloc/releases/download/
JEMALLOC_VERSION: 5.2.1
JEMALLOC_CHECKSUM: 34330e5ce276099e2e8950d9335db5a875689a4c6a56751ef3b1d8c537f887f6
jobs:
build-code:
# NOTE: This name appears in GitHub's Checks API.
name: build
runs-on: ubuntu-latest
strategy:
matrix:
build_number: [1, 2]
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
# NOTE: We make a git checkout to a unique directory for each build to
# catch reproducibility issues with code in different local paths.
path: build${{ matrix.build_number }}
- name: Set up Go 1.18
uses: actions/setup-go@v3
with:
go-version: "1.18.x"
- name: Set up Rust
working-directory: build${{ matrix.build_number }}
run: rustup show
- name: Install Oasis Node prerequisites
run: |
sudo apt-get update
sudo apt-get install make libseccomp-dev protobuf-compiler
- name: Install jemalloc
run: |
cd $(mktemp --directory /tmp/jemalloc.XXXXX)
${CURL_CMD} ${JEMALLOC_URL_PREFIX}/${JEMALLOC_VERSION}/jemalloc-${JEMALLOC_VERSION}.tar.bz2 \
--output ${JEMALLOC_TARBALL}
echo "${JEMALLOC_CHECKSUM} ${JEMALLOC_TARBALL}" | sha256sum --check
tar -xf ${JEMALLOC_TARBALL}
cd jemalloc-${JEMALLOC_VERSION}
# Ensure reproducible jemalloc build.
# https://reproducible-builds.org/docs/build-path/
EXTRA_CXXFLAGS=-ffile-prefix-map=$(pwd -L)=. \
EXTRA_CFLAGS=-ffile-prefix-map=$(pwd -L)=. \
./configure --with-jemalloc-prefix='je_' --with-malloc-conf='background_thread:true,metadata_thp:auto'
make
sudo make install
env:
JEMALLOC_TARBALL: jemalloc.tar.bz2
- name: Install GoReleaser
run: |
cd $(mktemp --directory /tmp/goreleaser.XXXXX)
${CURL_CMD} ${GORELEASER_URL_PREFIX}/v${GORELEASER_VERSION}/${GORELEASER_TARBALL} \
--output ${GORELEASER_TARBALL}
${CURL_CMD} ${GORELEASER_URL_PREFIX}/v${GORELEASER_VERSION}/goreleaser_checksums.txt \
--output CHECKSUMS
sha256sum --check --ignore-missing CHECKSUMS
tar -xf ${GORELEASER_TARBALL}
sudo mv goreleaser /usr/local/bin
env:
GORELEASER_TARBALL: goreleaser_Linux_x86_64.tar.gz
- name: Build Oasis Node with Make
run: |
cd build${{ matrix.build_number }}/go
make oasis-node
- name: Build Oasis Node with GoReleaser
run: |
cd build${{ matrix.build_number }}
make release-build
- name: Get checksums of Oasis Node builds
run: |
cd build${{ matrix.build_number }}
sha256sum ${OASIS_NODE_MAKE_PATH} ${OASIS_NODE_GORELEASER_PATH} > ../oasis-node-SHA256SUMs
env:
OASIS_NODE_MAKE_PATH: go/oasis-node/oasis-node
OASIS_NODE_GORELEASER_PATH: dist/oasis-node_linux_amd64/oasis-node
- name: Upload checksums
uses: actions/upload-artifact@v3
with:
name: oasis-node-SHA256SUMs-build${{ matrix.build_number }}
path: oasis-node-SHA256SUMs
compare-checksums:
# NOTE: This name appears in GitHub's Checks API.
name: checksums
# NOTE: Requiring a matrix job waits for all the matrix jobs to be complete.
needs: build-code
runs-on: ubuntu-latest
steps:
- name: Download checksums for build 1
uses: actions/download-artifact@v3
with:
name: oasis-node-SHA256SUMs-build1
path: oasis-node-SHA256SUMs-build1
- name: Download checksum for build 2
uses: actions/download-artifact@v3
with:
name: oasis-node-SHA256SUMs-build2
path: oasis-node-SHA256SUMs-build2
- name: Check if checksums are the same
shell: bash
run: |
for i in 1 2; do
echo "Checksums for build $i are: "
cat oasis-node-SHA256SUMs-build$i/oasis-node-SHA256SUMs
echo
done
if ! DIFF=$(diff --unified=0 oasis-node-SHA256SUMs-build{1,2}/oasis-node-SHA256SUMs); then
echo "Error: Checksums for builds 1 and 2 differ: "
echo -e "$DIFF"
exit 1
fi