diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7a13fb7ea7..b5583da8e3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -45,6 +45,8 @@ jobs:
 - bullseye
 - bookworm
 runs-on: ubuntu-latest
+ outputs:
+ artifact_id: ${{ steps.upload.outputs.artifact-id }}
 steps:
 - uses: actions/checkout@v4
 - uses: actions/checkout@v4
@@ -56,7 +58,60 @@ jobs:
 run: |
 DEBIAN_VERSION=${{ matrix.debian_version }} BUILDER=securedrop-builder ./scripts/build-debs.sh
 - uses: actions/upload-artifact@v4
+ id: upload
 with:
 name: build-${{ matrix.debian_version }}
 path: build
 if-no-files-found: error
+
+ # Second round of builds (in parallel) for diffoscoping
+ build-debs2:
+ strategy:
+ matrix:
+ debian_version:
+ - bullseye
+ - bookworm
+ runs-on: ubuntu-latest
+ outputs:
+ artifact_id: ${{ steps.upload.outputs.artifact-id }}
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/checkout@v4
+ with:
+ repository: "freedomofpress/securedrop-builder"
+ path: "securedrop-builder"
+ lfs: true
+ - name: Build packages
+ run: |
+ DEBIAN_VERSION=${{ matrix.debian_version }} BUILDER=securedrop-builder ./scripts/build-debs.sh
+ - uses: actions/upload-artifact@v4
+ id: upload
+ with:
+ name: build2-${{ matrix.debian_version }}
+ path: build
+ if-no-files-found: error
+
+ reproducible-debs:
+ strategy:
+ matrix:
+ debian_version:
+ - bullseye
+ - bookworm
+ runs-on: ubuntu-latest
+ container: debian:bookworm
+ needs:
+ - build-debs
+ - build-debs2
+ steps:
+ - name: Install dependencies
+ run: |
+ apt-get update && apt-get install --yes diffoscope-minimal \
+ --no-install-recommends
+ - uses: actions/download-artifact@v4
+ with:
+ pattern: "*${{ matrix.debian_version }}"
+ - run: |
+ for deb in `find build-${{ matrix.debian_version }} -name '*.deb' -exec basename {} \;`; do
+ echo "Diffoscoping $deb"
+ diffoscope build-*/$deb build2-*/$deb --output-empty
+ done;
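Review bot: The `outputs:` block added to `build-debs` in the first hunk (and the identical one on `build-debs2` in the second hunk) sits on a matrix job, where every leg writes the same output name, so `artifact_id` ends up holding the ID from whichever leg set it last. Nothing in this diff reads that output; `reproducible-debs` selects artifacts by name pattern instead. If the ID is meant to pin exactly which artifact is compared, one shared key cannot do that for both bullseye and bookworm. Otherwise I would drop the `outputs:` blocks and the `id: upload` lines, or mark them with a comment such as `# artifact_id is last-writer-wins across the matrix; informational only`.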
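Review bot: The comparison loop at the end of `reproducible-debs` (second hunk) can pass without comparing anything: the file list comes from a backtick `find`, and if that directory is missing or holds no `.deb` files the `for` body never runs and the step exits 0. It also walks only the first build's files, so a package present only in `build2-*` is never examined, and the `build-*/$deb` globs with an unquoted `$deb` depend on exactly one directory matching. I would name both directories from `matrix.debian_version`, quote the paths, and fail closed when nothing was compared or the two package sets differ, as sketched below (this assumes the artifacts unpack flat, as the existing `build-*/$deb` paths already do).

```yaml
      # … unchanged: install diffoscope-minimal, download-artifact step …
      - run: |
          set -eu
          first="build-${{ matrix.debian_version }}"
          second="build2-${{ matrix.debian_version }}"
          compared=0
          for deb in "$first"/*.deb; do
            # An unmatched glob stays literal; treat that as "nothing to compare".
            [ -e "$deb" ] || break
            name=$(basename "$deb")
            echo "Diffoscoping $name"
            diffoscope "$deb" "$second/$name" --output-empty
            compared=$((compared + 1))
          done
          # Fail closed: an empty or lopsided artifact set is not a pass.
          [ "$compared" -gt 0 ] || { echo "no .deb files compared" >&2; exit 1; }
          [ "$compared" -eq "$(find "$second" -maxdepth 1 -name '*.deb' | wc -l)" ] || {
            echo "package sets differ between builds" >&2; exit 1; }
```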
diff --git a/scripts/build-debs-real.sh b/scripts/build-debs-real.sh
index 95fabba41d..f1251bc8a3 100755
--- a/scripts/build-debs-real.sh
+++ b/scripts/build-debs-real.sh
@@ -23,6 +23,6 @@ dpkg-buildpackage --no-sign
 ls ../
 # Copy the built artifacts back and print checksums
 mkdir -p /src/build/
-mv -v ../*.{buildinfo,changes,deb,tar.gz} /src/build/
+mv -v ../*.{buildinfo,changes,deb,dsc,tar.gz} /src/build/
 cd /src/build/
 sha256sum ./*