From a75bfbc67055f2c188e187960f016744a091c549 Mon Sep 17 00:00:00 2001
From: Kunal Mehta
Date: Wed, 21 Feb 2024 16:28:45 -0500
Subject: [PATCH] Migrate to GitHub Actions

reprotest doesn't seem very happy under GHA, so just emulate it in the same way we do in securedrop-client: run two jobs in parallel and then diffoscope the output. This is useful since it verifies our securedrop-grsec package and packaging infrastructure are reproducible, even though our actual patched kernels aren't. So also drop the broken and unused reprotest-sd job entirely, leave a more accurate comment explaining why.
---
 .circleci/config.yml | 43 ----------------------
 .github/dependabot.yml | 6 ++++
 .github/workflows/ci.yml | 70 ++++++++++++++++++++++++++++++++++++
 scripts/reproducibility-test | 1 -
 4 files changed, 76 insertions(+), 44 deletions(-)
 delete mode 100644 .circleci/config.yml
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/ci.yml

diff --git a/.circleci/config.yml b/.circleci/config.yml
deleted file mode 100644
index 0451aca..0000000
--- a/.circleci/config.yml
+++ /dev/null
@@ -1,43 +0,0 @@
----
-version: 2
-jobs:
- # Build Linux kernel, with no patches
- vanilla:
- machine:
- image: ubuntu-2004:202010-01
- # Can't use volume mounts in CircleCI with docker driver
- # docker:
- # - image: circleci/python:buster
- steps:
- - checkout
- - run: sudo apt-get update && sudo apt-get install -y make build-essential
- - run: make vanilla
- # Run reprotest to confirm reproducible builds
- reproducibility:
- machine:
- image: ubuntu-2004:202010-01
- steps:
- - checkout
- - run: sudo apt-get update && sudo apt-get install -y make build-essential reprotest
- - run: make reprotest
-
- reproducibility-securedrop:
- machine:
- image: ubuntu-2004:202010-01
- steps:
- - checkout
- - run: sudo apt-get update && sudo apt-get install -y make build-essential reprotest
- - run:
- name: Build SecureDrop kernel reproducibly
- command: make reprotest-sd
- # The linux-image-debug package step takes >30m
- no_output_timeout: 60m
-workflows:
- version: 2
- build:
- jobs:
- - vanilla
- - reproducibility
- # SD test build exceeds CircleCI timeout of 5h (~2.5h x2 for reproducibility),
- # so it'll never pass. With a leaner config, it likely would.
- # - reproducibility-securedrop
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..5ace460
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..cfde264
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,70 @@
+name: CI
+
+on: [push, pull_request]
+
+jobs:
+ vanilla:
+ runs-on: ubuntu-latest
+ outputs:
+ artifact_id: ${{ steps.upload.outputs.artifact-id }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Install dependencies
+ run: sudo apt-get update && sudo apt-get install -y make build-essential
+
+ - name: Build vanilla kernel
+ run: make vanilla
+
+ - uses: actions/upload-artifact@v4
+ id: upload
+ with:
+ name: build1
+ path: build
+ if-no-files-found: error
+
+ vanilla2:
+ runs-on: ubuntu-latest
+ outputs:
+ artifact_id: ${{ steps.upload.outputs.artifact-id }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Install dependencies
+ run: sudo apt-get update && sudo apt-get install -y make build-essential
+
+ - name: Build vanilla kernel
+ run: make vanilla
+
+ - uses: actions/upload-artifact@v4
+ id: upload
+ with:
+ name: build2
+ path: build
+ if-no-files-found: error
+
+ reproducible:
+ runs-on: ubuntu-latest
+ container: debian:bookworm
+ needs:
+ - vanilla
+ - vanilla2
+ steps:
+ - name: Install dependencies
+ run: |
+ apt-get update && apt-get install --yes diffoscope-minimal python3-debian \
+ --no-install-recommends
+ - uses: actions/download-artifact@v4
+ with:
+ pattern: "*"
+ - name: diffoscope
+ run: |
+ find . -name '*.deb' -exec sha256sum {} \;
+ # TODO: Ideally we'd just be able to diff the .changes files and let diffoscope find
+ # all the individual debs, but the source packages are not identical. When they are,
+ for deb in `find build1/ -name '*.deb' -exec basename {} \;`; do
+ echo "Diffoscoping $deb"
+ diffoscope build1/$deb build2/$deb
+ done;
diff --git a/scripts/reproducibility-test b/scripts/reproducibility-test
index 98760af..f67d3f8 100755
--- a/scripts/reproducibility-test
+++ b/scripts/reproducibility-test
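Review bot: The new workflow triggers on `push` and `pull_request` but declares no `permissions:` block, so the job token receives whatever the repository default grants even though none of the three jobs needs more than read access to the checkout; adding `permissions:` with `contents: read` at the top level of ci.yml makes the least-privilege grant explicit. The third-party actions (`actions/checkout@v4`, `actions/upload-artifact@v4`, `actions/download-artifact@v4`) are referenced by mutable major tags and the `reproducible` job pulls the mutable `debian:bookworm` image; since this same commit enables Dependabot for github-actions, pinning each action to a full commit SHA with the tag in a trailing comment would stay current automatically, and the container could likewise be pinned by digest. The `artifact_id` outputs declared on `vanilla` and `vanilla2` are never read by `reproducible`, which downloads via `pattern: "*"` instead, so they appear to be dead configuration. The diffoscope loop only walks debs found under `build1/`, so a package present only in `build2/` would never be compared; checking the two directory listings agree first (`diff <(ls build1) <(ls build2)`) would close that gap before the per-deb loop.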
@@ -26,5 +26,4 @@ reprotest_build_cmd="${1:-make vanilla}" echo "Running reprotest with cmd: '$reprotest_build_cmd'" reprotest -c "$reprotest_build_cmd" \ - --vary "+all, -fileordering, -aslr, -time, -domain_host" \ "." "build/linux-image*.deb"