Reproducible Docker Builds #297
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Reproducible Docker Builds | |
# Simulates end users verifying builds published by Dfinity: | |
# - Runs docker builds on various different operating systems, with an empty docker cache. | |
# Note: This makes builds slow but is more representative of the end user experience. | |
# - Verifies that all these builds yield the same artifacts. | |
# - NOT DONE: Verify that these builds match our release artifacts. This would correspond to third | |
# party verifiers getting consistent hashes that differ from our release. | |
on: | |
push: | |
branches: | |
# This is the recommended development branch for this workflow; pushing it will trigger a build. | |
- reproducible | |
tags: | |
# The tag used when preparing a release. | |
- release-candidate | |
schedule: | |
# Nightly test. | |
- cron: "0 0 * * *" | |
workflow_dispatch: | |
inputs: | |
jobs: | |
docker_build: | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
os: | |
# - macos-11 | |
# - macos-12 | |
- ubuntu-20.04 | |
- ubuntu-22.04 | |
steps: | |
- name: Unbork mac | |
run: | | |
if command -v brew ; then | |
brew install bash | |
brew install coreutils | |
echo "/usr/local/bin" >> $GITHUB_PATH | |
echo "$(brew --prefix)/opt/gnu-sed/libexec/gnubin" >> $GITHUB_PATH | |
fi | |
- uses: docker-practice/actions-setup-docker@master | |
timeout-minutes: 12 | |
- name: Checkout | |
uses: actions/checkout@v4 | |
# Helps with debugging | |
- name: Show versions | |
run: | | |
echo bash --version | |
bash --version | |
echo docker --version | |
docker --version | |
- name: Build | |
run: ./scripts/docker-build | |
- name: 'Upload nns-dapp wasm module' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: nns-dapp-mainnet-wasm-${{ matrix.os }} | |
path: nns-dapp.wasm.gz | |
retention-days: 3 | |
- name: 'Upload assets' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: nns-dapp-assets-${{ matrix.os }} | |
path: assets.tar.xz | |
retention-days: 3 | |
- name: 'Output the wasm hash' | |
run: | | |
mkdir -p hashes | |
sha256sum nns-dapp.wasm.gz > "hashes/nns-dapp-wasm_sha256_${{ matrix.os }}_${{ matrix.time }}.txt" | |
- name: 'Output the assets hash' | |
run: | | |
sha256sum assets.tar.xz > "hashes/assets_sha256_${{ matrix.os }}_${{ matrix.time }}.txt" | |
- name: 'Upload hashes' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: hashes_${{ matrix.os }}_${{ matrix.time }} | |
path: hashes/*.txt | |
compare_hashes: | |
runs-on: ubuntu-latest | |
needs: [docker_build] | |
steps: | |
- name: Merge Hashes | |
uses: actions/upload-artifact/merge@v4 | |
with: | |
name: hashes | |
pattern: hashes_* | |
- name: Get hashes | |
uses: actions/download-artifact@v4 | |
with: | |
name: hashes | |
path: hashes | |
- name: Print hashes | |
run: | | |
echo Hashes: | |
grep -r . hashes/ | awk -F: '{printf "%s: %s\n", $2, $1}' | sort | |
# If the assets hashes differ, the Wasm hashes will also | |
# differ, so we only check the Wasm hashes. | |
(( $(cat hashes/nns-dapp-wasm_*.txt | sort | uniq | wc -l) == 1 )) | |
check_passes: | |
needs: ["docker_build", "compare_hashes"] | |
if: ${{ always() }} | |
runs-on: ubuntu-20.04 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/needs_success | |
with: | |
needs: '${{ toJson(needs) }}' | |
- name: Notify Slack on failure | |
uses: dfinity/internet-identity/.github/actions/slack@release-2023-08-28 | |
if: ${{ failure() }} | |
with: | |
WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
MESSAGE: "Reproducible docker build test failed for ${{ github.ref_name }}" |