Migrate to GitHub Actions

reprotest doesn't seem very happy under GHA, so just emulate it in the same way we do in securedrop-client: run two jobs in parallel and then diffoscope the output. This is useful since it verifies our securedrop-grsec package and packaging infrastructure are reproducible, even though our actual patched kernels aren't. So also drop the broken and unused reprotest-sd job entirely, leave a more accurate comment explaining why.
freedomofpress · Feb 23, 2024 · a75bfbc · a75bfbc
1 parent 017b79e
commit a75bfbc
Show file tree

Hide file tree

Showing 4 changed files with 76 additions and 44 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,70 @@
+name: CI
+
+on: [push, pull_request]
+
+jobs:
+  vanilla:
+    runs-on: ubuntu-latest
+    outputs:
+      artifact_id: ${{ steps.upload.outputs.artifact-id }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: sudo apt-get update && sudo apt-get install -y make build-essential
+
+      - name: Build vanilla kernel
+        run: make vanilla
+
+      - uses: actions/upload-artifact@v4
+        id: upload
+        with:
+          name: build1
+          path: build
+          if-no-files-found: error
+
+  vanilla2:
+    runs-on: ubuntu-latest
+    outputs:
+      artifact_id: ${{ steps.upload.outputs.artifact-id }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: sudo apt-get update && sudo apt-get install -y make build-essential
+
+      - name: Build vanilla kernel
+        run: make vanilla
+
+      - uses: actions/upload-artifact@v4
+        id: upload
+        with:
+          name: build2
+          path: build
+          if-no-files-found: error
+
+  reproducible:
+    runs-on: ubuntu-latest
+    container: debian:bookworm
+    needs:
+      - vanilla
+      - vanilla2
+    steps:
+      - name: Install dependencies
+        run: |
+          apt-get update && apt-get install --yes diffoscope-minimal python3-debian \
+            --no-install-recommends
+      - uses: actions/download-artifact@v4
+        with:
+          pattern: "*"
+      - name: diffoscope
+        run: |
+          find . -name '*.deb' -exec sha256sum {} \;
+          # TODO: Ideally we'd just be able to diff the .changes files and let diffoscope find
+          # all the individual debs, but the source packages are not identical. When they are,
+          for deb in `find build1/ -name '*.deb' -exec basename {} \;`; do
+            echo "Diffoscoping $deb"
+            diffoscope build1/$deb build2/$deb
+          done;
diff --git a/scripts/reproducibility-test b/scripts/reproducibility-test
@@ -26,5 +26,4 @@ reprotest_build_cmd="${1:-make vanilla}"
 
 echo "Running reprotest with cmd: '$reprotest_build_cmd'"
 reprotest -c "$reprotest_build_cmd" \
-    --vary "+all, -fileordering, -aslr, -time, -domain_host" \
     "." "build/linux-image*.deb"