Skip to content

Add reproducible build testing ci on main for flashbox images #119

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pablin-10 merged 7 commits into from
Mar 18, 2026
Merged

Add reproducible build testing ci on main for flashbox images #119

Changes from 3 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
6eaf1b4
Improve build workflow to also test reproducibility if asked
pablin-10 Mar 13, 2026
d18709c
Make both builds to run in parallel
pablin-10 Mar 13, 2026
9fc5661
Compare only EFI images
pablin-10 Mar 13, 2026
5270277
Merge branch 'main' into pablo/box-49-add-repro-test-ci-on-main-for-f…
pablin-10 Mar 18, 2026
1bb5084
Fix yml
pablin-10 Mar 18, 2026
ce1c65c
Adapt comments to new naming
pablin-10 Mar 18, 2026
60364b1
Adjust path for image conf file
pablin-10 Mar 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
105 changes: 99 additions & 6 deletions .github/workflows/build.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,8 @@
# - "bob-l1" → builds only bob-l1
# - "bob-l2" → builds only bob-l2
# - "bob-l1,bob-l2" → builds both
# - Reproducibility test (default: false)
# - Adds a second build on a separate runner and compares SHA256 hashes

name: Build mkosi images

Expand All @@ -29,6 +31,11 @@ on:
required: false
default: 'bob-l1'
type: string
reprotest:
description: 'Run reproducibility test (builds on 2 machines and compares hashes)'
required: false
default: false
type: boolean

jobs:
validate:
Expand Down Expand Up @@ -122,9 +129,95 @@ jobs:

- name: Generate SHA256 checksums
run: |
cd build/
TIMESTAMP=$(git show -s --format=%ct HEAD)
SHORT_SHA="${GITHUB_SHA::8}"
CHECKSUM_FILE="${{ matrix.image }}_${TIMESTAMP}_${SHORT_SHA}.sha256"
sha256sum ${{ matrix.image }}_* > "$CHECKSUM_FILE"
cat "$CHECKSUM_FILE"
sha256sum build/${{ matrix.image }}_*.efi | tee build/checksum.sha256

- name: Upload checksum for reprotest
if: inputs.reprotest == true
uses: actions/upload-artifact@v4
with:
name: checksum-${{ matrix.image }}-build-1
path: build/checksum.sha256
retention-days: 1

reprotest-build:
needs: validate
if: inputs.reprotest == true
strategy:
fail-fast: false
matrix:
image: ${{ fromJSON(needs.validate.outputs.matrix) }}
name: reprotest ${{ matrix.image }}
runs-on: warp-ubuntu-latest-x64-32x
steps:
- uses: actions/checkout@v5
with:
ref: ${{ inputs.branch || github.ref }}

- name: Install tools
run: |
sudo apt-get update && sudo apt-get install -y debian-archive-keyring
Copy link
Copy Markdown

@bakhtin bakhtin Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure how this package should be handled when using Nix. Will Nix pick it up from the host system? Or maybe Nix has its own package with a similar purpose?

Copy link
Copy Markdown
Member

@alexhulbert alexhulbert Mar 17, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not needed anymore on main, but i did things differently


- name: Install Nix
uses: cachix/install-nix-action@v27
with:
extra_nix_config: |
experimental-features = nix-command flakes

- name: Enable user namespaces
run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

- name: Build ${{ matrix.image }} image
run: |
umask 022
Copy link
Copy Markdown

@bakhtin bakhtin Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was needed when building without Nix to match Debian's default umask while building on Ubuntu. With Nix I'm not sure if it is needed.

nix develop --command mkosi --force -I ${{ matrix.image }}.conf --image-id=${{ matrix.image }}
sudo chown -R $(id -u):$(id -g) build/

- name: Generate SHA256 checksum
run: |
sha256sum build/${{ matrix.image }}_*.efi | tee build/checksum.sha256

- name: Upload checksum
uses: actions/upload-artifact@v4
with:
name: checksum-${{ matrix.image }}-build-2
path: build/checksum.sha256
retention-days: 1

reprotest-compare:
needs: [validate, build, reprotest-build]
if: inputs.reprotest == true
strategy:
fail-fast: false
matrix:
image: ${{ fromJSON(needs.validate.outputs.matrix) }}
name: reprotest compare ${{ matrix.image }}
runs-on: ubuntu-latest
steps:
- name: Download checksums
uses: actions/download-artifact@v4
with:
pattern: checksum-${{ matrix.image }}-*
path: checksums/

- name: Compare SHA256 hashes
run: |
echo "=== Reproducibility Check for ${{ matrix.image }} ==="
echo "Build 1 (all artifacts):"
cat checksums/checksum-${{ matrix.image }}-build-1/*.sha256
echo "Build 2 (EFI only):"
cat checksums/checksum-${{ matrix.image }}-build-2/checksum.sha256

# Extract only the .efi hash from build-1 to compare with build-2
hash1=$(grep '\.efi$' checksums/checksum-${{ matrix.image }}-build-1/*.sha256 | awk '{print $1}')
hash2=$(awk '{print $1}' checksums/checksum-${{ matrix.image }}-build-2/checksum.sha256)

echo ""
echo "EFI hash build-1: $hash1"
echo "EFI hash build-2: $hash2"

if [ "$hash1" = "$hash2" ]; then
echo "✅ SUCCESS: ${{ matrix.image }} images are identical (reproducible build verified)"
else
echo "❌ FAILURE: ${{ matrix.image }} images differ (reproducible build failed)"
exit 1
fi
Loading