Merge pull request #1784 from freedomofpress/docs-build-debs #133
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Package builds | |
on: [push, pull_request] | |
defaults: | |
run: | |
shell: bash | |
jobs: | |
verify-builder-sync: | |
strategy: | |
matrix: | |
debian_version: | |
- bullseye | |
- bookworm | |
runs-on: ubuntu-latest | |
container: debian:${{ matrix.debian_version }} | |
steps: | |
- run: | | |
apt-get update && apt-get install --yes git git-lfs sudo make | |
- uses: actions/checkout@v4 | |
- uses: actions/checkout@v4 | |
with: | |
repository: "freedomofpress/securedrop-builder" | |
path: "securedrop-builder" | |
lfs: true | |
- name: Install dependencies | |
run: | | |
cd securedrop-builder | |
make install-deps | |
- name: Check differences | |
run: | | |
source ./securedrop-builder/.venv/bin/activate | |
PKG_DIR=../client make -C securedrop-builder requirements | |
PKG_DIR=../export make -C securedrop-builder requirements | |
PKG_DIR=../log make -C securedrop-builder requirements | |
PKG_DIR=../proxy make -C securedrop-builder requirements | |
git config --global --add safe.directory "$GITHUB_WORKSPACE" | |
git diff --ignore-matching-lines=# --exit-code | |
build-debs: | |
strategy: | |
matrix: | |
debian_version: | |
- bullseye | |
- bookworm | |
runs-on: ubuntu-latest | |
outputs: | |
artifact_id: ${{ steps.upload.outputs.artifact-id }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/checkout@v4 | |
with: | |
repository: "freedomofpress/securedrop-builder" | |
path: "securedrop-builder" | |
lfs: true | |
- name: Build packages | |
run: | | |
DEBIAN_VERSION=${{ matrix.debian_version }} BUILDER=securedrop-builder ./scripts/build-debs.sh | |
- uses: actions/upload-artifact@v4 | |
id: upload | |
with: | |
name: build-${{ matrix.debian_version }} | |
path: build | |
if-no-files-found: error | |
# Second round of builds (in parallel) for diffoscoping | |
build-debs2: | |
strategy: | |
matrix: | |
debian_version: | |
- bullseye | |
- bookworm | |
runs-on: ubuntu-latest | |
outputs: | |
artifact_id: ${{ steps.upload.outputs.artifact-id }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/checkout@v4 | |
with: | |
repository: "freedomofpress/securedrop-builder" | |
path: "securedrop-builder" | |
lfs: true | |
- name: Build packages | |
run: | | |
DEBIAN_VERSION=${{ matrix.debian_version }} BUILDER=securedrop-builder ./scripts/build-debs.sh | |
- uses: actions/upload-artifact@v4 | |
id: upload | |
with: | |
name: build2-${{ matrix.debian_version }} | |
path: build | |
if-no-files-found: error | |
reproducible-debs: | |
strategy: | |
matrix: | |
debian_version: | |
- bullseye | |
- bookworm | |
runs-on: ubuntu-latest | |
container: debian:bookworm | |
needs: | |
- build-debs | |
- build-debs2 | |
steps: | |
- name: Install dependencies | |
run: | | |
apt-get update && apt-get install --yes diffoscope-minimal \ | |
--no-install-recommends | |
- uses: actions/download-artifact@v4 | |
with: | |
pattern: "*${{ matrix.debian_version }}" | |
- name: diffoscope | |
run: | | |
find . -name '*.deb' -exec sha256sum {} \; | |
# TODO: Ideally we'd just be able to diff the .changes files and let diffoscope find | |
# all the individual debs, but the source packages are not identical. When they are, | |
for deb in `find build-${{ matrix.debian_version }} -name '*.deb' -exec basename {} \;`; do | |
echo "Diffoscoping $deb" | |
diffoscope build-${{ matrix.debian_version }}/$deb build2-${{ matrix.debian_version }}/$deb | |
done; |