ci-reproducibility #4442
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# NOTE: This name appears in GitHub's Checks API and in workflow's status badge. | |
name: ci-reproducibility | |
# Trigger the workflow when: | |
on: | |
# A push occurs to one of the matched branches. | |
push: | |
branches: | |
- master | |
- stable/* | |
# Or every day at 00:00 UTC. | |
schedule: | |
- cron: "0 0 * * *" | |
# Global environment variables. | |
env: | |
CURL_CMD: curl --proto =https --tlsv1.2 --location --silent --show-error --fail | |
GORELEASER_URL_PREFIX: https://github.com/goreleaser/goreleaser/releases/download/ | |
GORELEASER_VERSION: 0.152.0 | |
JEMALLOC_URL_PREFIX: https://github.com/jemalloc/jemalloc/releases/download/ | |
JEMALLOC_VERSION: 5.2.1 | |
JEMALLOC_CHECKSUM: 34330e5ce276099e2e8950d9335db5a875689a4c6a56751ef3b1d8c537f887f6 | |
jobs: | |
build-code: | |
# NOTE: This name appears in GitHub's Checks API. | |
name: build | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
build_number: [1, 2] | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
# NOTE: We make a git checkout to a unique directory for each build to | |
# catch reproducibility issues with code in different local paths. | |
path: build${{ matrix.build_number }} | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: "1.23.2" | |
- name: Set up Rust | |
working-directory: build${{ matrix.build_number }} | |
run: rustup show | |
- name: Install Oasis Node prerequisites | |
run: | | |
sudo apt-get update | |
sudo apt-get install make libseccomp-dev protobuf-compiler | |
- name: Install jemalloc | |
run: | | |
cd $(mktemp --directory /tmp/jemalloc.XXXXX) | |
${CURL_CMD} ${JEMALLOC_URL_PREFIX}/${JEMALLOC_VERSION}/jemalloc-${JEMALLOC_VERSION}.tar.bz2 \ | |
--output ${JEMALLOC_TARBALL} | |
echo "${JEMALLOC_CHECKSUM} ${JEMALLOC_TARBALL}" | sha256sum --check | |
tar -xf ${JEMALLOC_TARBALL} | |
cd jemalloc-${JEMALLOC_VERSION} | |
# Ensure reproducible jemalloc build. | |
# https://reproducible-builds.org/docs/build-path/ | |
EXTRA_CXXFLAGS=-ffile-prefix-map=$(pwd -L)=. \ | |
EXTRA_CFLAGS=-ffile-prefix-map=$(pwd -L)=. \ | |
./configure --with-jemalloc-prefix='je_' --with-malloc-conf='background_thread:true,metadata_thp:auto' | |
make | |
sudo make install | |
env: | |
JEMALLOC_TARBALL: jemalloc.tar.bz2 | |
- name: Install GoReleaser | |
run: | | |
cd $(mktemp --directory /tmp/goreleaser.XXXXX) | |
${CURL_CMD} ${GORELEASER_URL_PREFIX}/v${GORELEASER_VERSION}/${GORELEASER_TARBALL} \ | |
--output ${GORELEASER_TARBALL} | |
${CURL_CMD} ${GORELEASER_URL_PREFIX}/v${GORELEASER_VERSION}/goreleaser_checksums.txt \ | |
--output CHECKSUMS | |
sha256sum --check --ignore-missing CHECKSUMS | |
tar -xf ${GORELEASER_TARBALL} | |
sudo mv goreleaser /usr/local/bin | |
env: | |
GORELEASER_TARBALL: goreleaser_Linux_x86_64.tar.gz | |
- name: Build Oasis Node with Make | |
run: | | |
cd build${{ matrix.build_number }}/go | |
make oasis-node | |
- name: Build Oasis Node with GoReleaser | |
run: | | |
cd build${{ matrix.build_number }} | |
make release-build | |
- name: Get checksums of Oasis Node builds | |
run: | | |
cd build${{ matrix.build_number }} | |
sha256sum ${OASIS_NODE_MAKE_PATH} ${OASIS_NODE_GORELEASER_PATH} > ../oasis-node-SHA256SUMs | |
env: | |
OASIS_NODE_MAKE_PATH: go/oasis-node/oasis-node | |
OASIS_NODE_GORELEASER_PATH: dist/oasis-node_linux_amd64/oasis-node | |
- name: Upload checksums | |
uses: actions/upload-artifact@v4 | |
with: | |
name: oasis-node-SHA256SUMs-build${{ matrix.build_number }} | |
path: oasis-node-SHA256SUMs | |
compare-checksums: | |
# NOTE: This name appears in GitHub's Checks API. | |
name: checksums | |
# NOTE: Requiring a matrix job waits for all the matrix jobs to be complete. | |
needs: build-code | |
runs-on: ubuntu-latest | |
steps: | |
- name: Download checksums for build 1 | |
uses: actions/download-artifact@v4 | |
with: | |
name: oasis-node-SHA256SUMs-build1 | |
path: oasis-node-SHA256SUMs-build1 | |
- name: Download checksum for build 2 | |
uses: actions/download-artifact@v4 | |
with: | |
name: oasis-node-SHA256SUMs-build2 | |
path: oasis-node-SHA256SUMs-build2 | |
- name: Check if checksums are the same | |
shell: bash | |
run: | | |
for i in 1 2; do | |
echo "Checksums for build $i are: " | |
cat oasis-node-SHA256SUMs-build$i/oasis-node-SHA256SUMs | |
echo | |
done | |
if ! DIFF=$(diff --unified=0 oasis-node-SHA256SUMs-build{1,2}/oasis-node-SHA256SUMs); then | |
echo "Error: Checksums for builds 1 and 2 differ: " | |
echo -e "$DIFF" | |
exit 1 | |
fi |