WIP

freedomofpress · Jan 3, 2024 · 00e114a · 00e114a
1 parent 7d6c3b8
commit 00e114a
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 1 deletion.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -45,6 +45,8 @@ jobs:
           - bullseye
           - bookworm
     runs-on: ubuntu-latest
+    outputs:
+      artifact_id: ${{ steps.upload.outputs.artifact-id }}
     steps:
       - uses: actions/checkout@v4
       - uses: actions/checkout@v4
@@ -56,7 +58,64 @@ jobs:
         run: |
           DEBIAN_VERSION=${{ matrix.debian_version }} BUILDER=securedrop-builder ./scripts/build-debs.sh
       - uses: actions/upload-artifact@v4
+        id: upload
         with:
           name: build-${{ matrix.debian_version }}
           path: build
           if-no-files-found: error
+
+  # Second round of builds (in parallel) for diffoscoping
+  build-debs2:
+    strategy:
+      matrix:
+        debian_version:
+          - bullseye
+          - bookworm
+    runs-on: ubuntu-latest
+    outputs:
+      artifact_id: ${{ steps.upload.outputs.artifact-id }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+        with:
+          repository: "freedomofpress/securedrop-builder"
+          path: "securedrop-builder"
+          lfs: true
+      - name: Build packages
+        run: |
+          DEBIAN_VERSION=${{ matrix.debian_version }} BUILDER=securedrop-builder ./scripts/build-debs.sh
+      - uses: actions/upload-artifact@v4
+        id: upload
+        with:
+          name: build2-${{ matrix.debian_version }}
+          path: build
+          if-no-files-found: error
+
+  reproducible-debs:
+    strategy:
+      matrix:
+        debian_version:
+          - bullseye
+          - bookworm
+    runs-on: ubuntu-latest
+    container: debian:bookworm
+    needs:
+      - build-debs
+      - build-debs2
+    steps:
+      - name: Install dependencies
+        run: |
+          apt-get update && apt-get install --yes diffoscope-minimal \
+            --no-install-recommends
+      - uses: actions/download-artifact@v4
+        with:
+          pattern: "*${{ matrix.debian_version }}"
+      - name: diffoscope
+        run: |
+          find . -name '*.deb' -exec sha256sum {} \;
+          # TODO: Ideally we'd just be able to diff the .changes files and let diffoscope find
+          # all the individual debs, but the source packages are not identical. When they are,
+          for deb in `find build-${{ matrix.debian_version }} -name '*.deb' -exec basename {} \;`; do
+            echo "Diffoscoping $deb"
+            diffoscope build-${{ matrix.debian_version }}/$deb build2-${{ matrix.debian_version }}/$deb
+          done;
diff --git a/scripts/build-debs-real.sh b/scripts/build-debs-real.sh
@@ -23,6 +23,6 @@ dpkg-buildpackage --no-sign
 ls ../
 # Copy the built artifacts back and print checksums
 mkdir -p /src/build/
-mv -v ../*.{buildinfo,changes,deb,tar.gz} /src/build/
+mv -v ../*.{buildinfo,changes,deb,dsc,tar.gz} /src/build/
 cd /src/build/
 sha256sum ./*