Skip to content

ci-reproducibility #4448

ci-reproducibility

ci-reproducibility #4448

# NOTE: This name appears in GitHub's Checks API and in workflow's status badge.
name: ci-reproducibility
# Trigger the workflow when:
on:
# A push occurs to one of the matched branches.
push:
branches:
- master
- stable/*
# Or every day at 00:00 UTC.
schedule:
- cron: "0 0 * * *"
# Global environment variables.
env:
CURL_CMD: curl --proto =https --tlsv1.2 --location --silent --show-error --fail
GORELEASER_URL_PREFIX: https://github.com/goreleaser/goreleaser/releases/download/
GORELEASER_VERSION: 0.152.0
JEMALLOC_URL_PREFIX: https://github.com/jemalloc/jemalloc/releases/download/
JEMALLOC_VERSION: 5.2.1
JEMALLOC_CHECKSUM: 34330e5ce276099e2e8950d9335db5a875689a4c6a56751ef3b1d8c537f887f6
jobs:
build-code:
# NOTE: This name appears in GitHub's Checks API.
name: build
runs-on: ubuntu-latest
strategy:
matrix:
build_number: [1, 2]
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
# NOTE: We make a git checkout to a unique directory for each build to
# catch reproducibility issues with code in different local paths.
path: build${{ matrix.build_number }}
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: "1.23.2"
- name: Set up Rust
working-directory: build${{ matrix.build_number }}
run: rustup show
- name: Install Oasis Node prerequisites
run: |
sudo apt-get update
sudo apt-get install make libseccomp-dev protobuf-compiler
- name: Install jemalloc
run: |
cd $(mktemp --directory /tmp/jemalloc.XXXXX)
${CURL_CMD} ${JEMALLOC_URL_PREFIX}/${JEMALLOC_VERSION}/jemalloc-${JEMALLOC_VERSION}.tar.bz2 \
--output ${JEMALLOC_TARBALL}
echo "${JEMALLOC_CHECKSUM} ${JEMALLOC_TARBALL}" | sha256sum --check
tar -xf ${JEMALLOC_TARBALL}
cd jemalloc-${JEMALLOC_VERSION}
# Ensure reproducible jemalloc build.
# https://reproducible-builds.org/docs/build-path/
EXTRA_CXXFLAGS=-ffile-prefix-map=$(pwd -L)=. \
EXTRA_CFLAGS=-ffile-prefix-map=$(pwd -L)=. \
./configure --with-jemalloc-prefix='je_' --with-malloc-conf='background_thread:true,metadata_thp:auto'
make
sudo make install
env:
JEMALLOC_TARBALL: jemalloc.tar.bz2
- name: Install GoReleaser
run: |
cd $(mktemp --directory /tmp/goreleaser.XXXXX)
${CURL_CMD} ${GORELEASER_URL_PREFIX}/v${GORELEASER_VERSION}/${GORELEASER_TARBALL} \
--output ${GORELEASER_TARBALL}
${CURL_CMD} ${GORELEASER_URL_PREFIX}/v${GORELEASER_VERSION}/goreleaser_checksums.txt \
--output CHECKSUMS
sha256sum --check --ignore-missing CHECKSUMS
tar -xf ${GORELEASER_TARBALL}
sudo mv goreleaser /usr/local/bin
env:
GORELEASER_TARBALL: goreleaser_Linux_x86_64.tar.gz
- name: Build Oasis Node with Make
run: |
cd build${{ matrix.build_number }}/go
make oasis-node
- name: Build Oasis Node with GoReleaser
run: |
cd build${{ matrix.build_number }}
make release-build
- name: Get checksums of Oasis Node builds
run: |
cd build${{ matrix.build_number }}
sha256sum ${OASIS_NODE_MAKE_PATH} ${OASIS_NODE_GORELEASER_PATH} > ../oasis-node-SHA256SUMs
env:
OASIS_NODE_MAKE_PATH: go/oasis-node/oasis-node
OASIS_NODE_GORELEASER_PATH: dist/oasis-node_linux_amd64/oasis-node
- name: Upload checksums
uses: actions/upload-artifact@v4
with:
name: oasis-node-SHA256SUMs-build${{ matrix.build_number }}
path: oasis-node-SHA256SUMs
compare-checksums:
# NOTE: This name appears in GitHub's Checks API.
name: checksums
# NOTE: Requiring a matrix job waits for all the matrix jobs to be complete.
needs: build-code
runs-on: ubuntu-latest
steps:
- name: Download checksums for build 1
uses: actions/download-artifact@v4
with:
name: oasis-node-SHA256SUMs-build1
path: oasis-node-SHA256SUMs-build1
- name: Download checksum for build 2
uses: actions/download-artifact@v4
with:
name: oasis-node-SHA256SUMs-build2
path: oasis-node-SHA256SUMs-build2
- name: Check if checksums are the same
shell: bash
run: |
for i in 1 2; do
echo "Checksums for build $i are: "
cat oasis-node-SHA256SUMs-build$i/oasis-node-SHA256SUMs
echo
done
if ! DIFF=$(diff --unified=0 oasis-node-SHA256SUMs-build{1,2}/oasis-node-SHA256SUMs); then
echo "Error: Checksums for builds 1 and 2 differ: "
echo -e "$DIFF"
exit 1
fi