Skip to content

Reproducible Docker Builds #403

Reproducible Docker Builds

Reproducible Docker Builds #403

Workflow file for this run

name: Reproducible Docker Builds
# Simulates end users verifying builds published by Dfinity:
# - Runs docker builds on various different operating systems, with an empty docker cache.
# Note: This makes builds slow but is more representative of the end user experience.
# - Verifies that all these builds yield the same artifacts.
# - NOT DONE: Verify that these builds match our release artifacts. This would correspond to third
# party verifiers getting consistent hashes that differ from our release.
on:
push:
branches:
# This is the recommended development branch for this workflow; pushing it will trigger a build.
- reproducible
tags:
# The tag used when preparing a release.
- release-candidate
schedule:
# Nightly test.
- cron: "0 0 * * *"
workflow_dispatch:
inputs:
jobs:
docker_build:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os:
# - macos-11
# - macos-12
- ubuntu-20.04
- ubuntu-22.04
steps:
- name: Unbork mac
run: |
if command -v brew ; then
brew install bash
brew install coreutils
echo "/usr/local/bin" >> $GITHUB_PATH
echo "$(brew --prefix)/opt/gnu-sed/libexec/gnubin" >> $GITHUB_PATH
fi
- uses: docker-practice/actions-setup-docker@master
timeout-minutes: 12
- name: Checkout
uses: actions/checkout@v4
# Helps with debugging
- name: Show versions
run: |
echo bash --version
bash --version
echo docker --version
docker --version
- name: Build
run: ./scripts/docker-build
- name: 'Upload nns-dapp wasm module'
uses: actions/upload-artifact@v4
with:
name: nns-dapp-mainnet-wasm-${{ matrix.os }}
path: nns-dapp.wasm.gz
retention-days: 3
- name: 'Upload assets'
uses: actions/upload-artifact@v4
with:
name: nns-dapp-assets-${{ matrix.os }}
path: assets.tar.xz
retention-days: 3
- name: 'Output the wasm hash'
run: |
mkdir -p hashes
sha256sum nns-dapp.wasm.gz > "hashes/nns-dapp-wasm_sha256_${{ matrix.os }}_${{ matrix.time }}.txt"
- name: 'Output the assets hash'
run: |
sha256sum assets.tar.xz > "hashes/assets_sha256_${{ matrix.os }}_${{ matrix.time }}.txt"
- name: 'Upload hashes'
uses: actions/upload-artifact@v4
with:
name: hashes_${{ matrix.os }}_${{ matrix.time }}
path: hashes/*.txt
compare_hashes:
runs-on: ubuntu-latest
needs: [docker_build]
steps:
- name: Merge Hashes
uses: actions/upload-artifact/merge@v4
with:
name: hashes
pattern: hashes_*
- name: Get hashes
uses: actions/download-artifact@v4
with:
name: hashes
path: hashes
- name: Print hashes
run: |
echo Hashes:
grep -r . hashes/ | awk -F: '{printf "%s: %s\n", $2, $1}' | sort
# If the assets hashes differ, the Wasm hashes will also
# differ, so we only check the Wasm hashes.
(( $(cat hashes/nns-dapp-wasm_*.txt | sort | uniq | wc -l) == 1 ))
check_passes:
needs: ["docker_build", "compare_hashes"]
if: ${{ always() }}
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/needs_success
with:
needs: '${{ toJson(needs) }}'
- name: Notify Slack on failure
uses: dfinity/internet-identity/.github/actions/slack@release-2023-08-28
if: ${{ failure() }}
with:
WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
MESSAGE: "Reproducible docker build test failed for ${{ github.ref_name }}"