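---
# Reproducible-build check: build each image on two different Ubuntu runners,
# hash the resulting binary on each, and fail the workflow if the SHA-256
# digests differ. Expression values (matrix/step outputs) are passed to the
# shell through `env:` rather than interpolated into `run:` scripts.
name: Deterministic Docker Builds

# yamllint disable-line rule:truthy
on:
  pull_request:
    paths:
      # for now don't run on every change
      # - 'crates/**'
      - 'docker/hashi/**'
      - 'docker/hashi-screener/**'
      - 'Cargo.toml'
      - 'Cargo.lock'
      - '.github/workflows/deterministic-build.yml'
  workflow_dispatch:
  schedule:
    - cron: "20 3 * * *"

# Least privilege: nothing here needs to write to the repository; artifact
# upload/download works with the default read-only token.
permissions:
  contents: read

jobs:
  build:
    strategy:
      fail-fast: false
      matrix:
        image: [hashi, hashi-screener]
        os: [ubuntu-latest, ubuntu-22.04]
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout repository
        # Supply-chain hardening: a mutable tag can be moved; pinning to the
        # full commit SHA of the v4 release (with the tag in a trailing
        # comment) makes the action version immutable.
        uses: actions/checkout@v4

      - name: Build ${{ matrix.image }} image
        env:
          GIT_REVISION: ${{ github.sha }}
          IMAGE_NAME: ${{ matrix.image }}
        # --no-cache forces a clean layer build so cached layers cannot mask
        # a non-deterministic step.
        run: bash "docker/${IMAGE_NAME}/build.sh" --no-cache

      - name: Compute sha256
        id: hash
        # Explicit `shell: bash` enables `-o pipefail`; with the default shell
        # a failing sha256sum is hidden by the awk stage and the step would
        # succeed with an empty digest.
        shell: bash
        env:
          IMAGE_NAME: ${{ matrix.image }}
        run: |
          set -euo pipefail
          BIN="out/${IMAGE_NAME}"
          if [ ! -f "${BIN}" ]; then
            echo "::error::expected build output ${BIN} not found"
            exit 1
          fi
          HASH=$(sha256sum "${BIN}" | awk '{print $1}')
          echo "sha256=${HASH}" >> "$GITHUB_OUTPUT"
          echo "${HASH} ${IMAGE_NAME}" > "out/${IMAGE_NAME}.sha256"

      - name: Upload sha256
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.image }}-${{ matrix.os }}-sha256
          path: out/${{ matrix.image }}.sha256
          # Default is only a warning; a missing digest must fail the job so
          # the verify job never compares against nothing.
          if-no-files-found: error

      - name: Upload binary
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.image }}-${{ matrix.os }}-binary
          path: out/${{ matrix.image }}
          if-no-files-found: error

  verify:
    needs: build
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        image: [hashi, hashi-screener]
    steps:
      - name: Download ubuntu-latest hash
        uses: actions/download-artifact@v4
        with:
          name: ${{ matrix.image }}-ubuntu-latest-sha256
          path: hash-latest

      - name: Download ubuntu-22.04 hash
        uses: actions/download-artifact@v4
        with:
          name: ${{ matrix.image }}-ubuntu-22.04-sha256
          path: hash-22

      - name: Compare hashes
        id: compare
        shell: bash
        env:
          IMAGE_NAME: ${{ matrix.image }}
        run: |
          set -euo pipefail
          LATEST=$(awk '{print $1}' "hash-latest/${IMAGE_NAME}.sha256")
          OLDER=$(awk '{print $1}' "hash-22/${IMAGE_NAME}.sha256")
          # Two empty (or truncated) values would compare equal and be
          # reported as "Reproducible"; only accept well-formed digests.
          for DIGEST in "${LATEST}" "${OLDER}"; do
            if ! [[ "${DIGEST}" =~ ^[0-9a-f]{64}$ ]]; then
              echo "::error::invalid or missing sha256 digest: '${DIGEST}'"
              exit 1
            fi
          done
          echo "latest=${LATEST}" >> "$GITHUB_OUTPUT"
          echo "older=${OLDER}" >> "$GITHUB_OUTPUT"
          if [ "${LATEST}" = "${OLDER}" ]; then
            echo "match=true" >> "$GITHUB_OUTPUT"
          else
            echo "match=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Write summary
        env:
          IMAGE_NAME: ${{ matrix.image }}
          LATEST: ${{ steps.compare.outputs.latest }}
          OLDER: ${{ steps.compare.outputs.older }}
          MATCH: ${{ steps.compare.outputs.match }}
        run: |
          if [ "${MATCH}" = "true" ]; then
            RESULT="Reproducible"
          else
            RESULT="MISMATCH"
          fi
          {
            echo "## ${IMAGE_NAME} reproducibility"
            echo ""
            echo "| Runner | SHA-256 |"
            echo "|--------|---------|"
            echo "| ubuntu-latest | \`${LATEST}\` |"
            echo "| ubuntu-22.04 | \`${OLDER}\` |"
            echo ""
            echo "**Result**: ${RESULT}"
          } >> "$GITHUB_STEP_SUMMARY"

      - name: Fail if hashes differ
        if: steps.compare.outputs.match != 'true'
        env:
          IMAGE_NAME: ${{ matrix.image }}
        run: |
          echo "${IMAGE_NAME} binary hashes differ across runners!"
          exit 1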