-
Notifications
You must be signed in to change notification settings - Fork 42
121 lines (115 loc) · 3.71 KB
/
build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
name: Package builds
on: [push, pull_request]
defaults:
run:
shell: bash
jobs:
verify-builder-sync:
strategy:
matrix:
debian_version:
- bullseye
- bookworm
runs-on: ubuntu-latest
container: debian:${{ matrix.debian_version }}
steps:
- run: |
apt-get update && apt-get install --yes git git-lfs sudo make
- uses: actions/checkout@v4
- uses: actions/checkout@v4
with:
repository: "freedomofpress/securedrop-builder"
path: "securedrop-builder"
lfs: true
- name: Install dependencies
run: |
cd securedrop-builder
make install-deps
- name: Check differences
run: |
source ./securedrop-builder/.venv/bin/activate
PKG_DIR=../client make -C securedrop-builder requirements
PKG_DIR=../export make -C securedrop-builder requirements
PKG_DIR=../log make -C securedrop-builder requirements
PKG_DIR=../proxy make -C securedrop-builder requirements
git config --global --add safe.directory "$GITHUB_WORKSPACE"
git diff --ignore-matching-lines=# --exit-code
build-debs:
strategy:
matrix:
debian_version:
- bullseye
- bookworm
runs-on: ubuntu-latest
outputs:
artifact_id: ${{ steps.upload.outputs.artifact-id }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v4
with:
repository: "freedomofpress/securedrop-builder"
path: "securedrop-builder"
lfs: true
- name: Build packages
run: |
DEBIAN_VERSION=${{ matrix.debian_version }} BUILDER=securedrop-builder ./scripts/build-debs.sh
- uses: actions/upload-artifact@v4
id: upload
with:
name: build-${{ matrix.debian_version }}
path: build
if-no-files-found: error
# Second round of builds (in parallel) for diffoscoping
build-debs2:
strategy:
matrix:
debian_version:
- bullseye
- bookworm
runs-on: ubuntu-latest
outputs:
artifact_id: ${{ steps.upload.outputs.artifact-id }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v4
with:
repository: "freedomofpress/securedrop-builder"
path: "securedrop-builder"
lfs: true
- name: Build packages
run: |
DEBIAN_VERSION=${{ matrix.debian_version }} BUILDER=securedrop-builder ./scripts/build-debs.sh
- uses: actions/upload-artifact@v4
id: upload
with:
name: build2-${{ matrix.debian_version }}
path: build
if-no-files-found: error
reproducible-debs:
strategy:
matrix:
debian_version:
- bullseye
- bookworm
runs-on: ubuntu-latest
container: debian:bookworm
needs:
- build-debs
- build-debs2
steps:
- name: Install dependencies
run: |
apt-get update && apt-get install --yes diffoscope-minimal \
--no-install-recommends
- uses: actions/download-artifact@v4
with:
pattern: "*${{ matrix.debian_version }}"
- name: diffoscope
run: |
find . -name '*.deb' -exec sha256sum {} \;
# TODO: Ideally we'd just be able to diff the .changes files and let diffoscope find
# all the individual debs, but the source packages are not identical. When they are,
for deb in `find build-${{ matrix.debian_version }} -name '*.deb' -exec basename {} \;`; do
echo "Diffoscoping $deb"
diffoscope build-${{ matrix.debian_version }}/$deb build2-${{ matrix.debian_version }}/$deb
done;