WIP: Avoid reprotest

freedomofpress · Feb 23, 2024 · 1210c9d · 1210c9d
1 parent 67d33d7
commit 1210c9d
Showing 1 changed file with 48 additions and 8 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -4,7 +4,9 @@ on: [push, pull_request]
 
 jobs:
   vanilla:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
+    outputs:
+      artifact_id: ${{ steps.upload.outputs.artifact-id }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -15,16 +17,54 @@ jobs:
       - name: Build vanilla kernel
         run: make vanilla
 
-  reproducibility:
-    runs-on: ubuntu-20.04
+      - uses: actions/upload-artifact@v4
+        id: upload
+        with:
+          name: build1
+          path: build
+          if-no-files-found: error
+
+  vanilla2:
+    runs-on: ubuntu-latest
+    outputs:
+      artifact_id: ${{ steps.upload.outputs.artifact-id }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
       - name: Install dependencies
-        run: sudo apt-get update && sudo apt-get install -y make build-essential reprotest
+        run: sudo apt-get update && sudo apt-get install -y make build-essential
+
+      - name: Build vanilla kernel
+        run: make vanilla
+
+      - uses: actions/upload-artifact@v4
+        id: upload
+        with:
+          name: build2
+          path: build
+          if-no-files-found: error
 
-      - name: Run reprotest
-        # n.b. we don't run reprotest-sd because our kernels are not reproducible yet
-        # and also very slow. See <https://github.com/freedomofpress/kernel-builder/issues/3>.
-        run: make reprotest
+  reproducible:
+    runs-on: ubuntu-latest
+    container: debian:bookworm
+    needs:
+      - vanilla
+      - vanilla2
+    steps:
+      - name: Install dependencies
+        run: |
+          apt-get update && apt-get install --yes diffoscope-minimal \
+            --no-install-recommends
+      - uses: actions/download-artifact@v4
+        with:
+          pattern: "*"
+      - name: diffoscope
+        run: |
+          find . -name '*.deb' -exec sha256sum {} \;
+          # TODO: Ideally we'd just be able to diff the .changes files and let diffoscope find
+          # all the individual debs, but the source packages are not identical. When they are,
+          for deb in `find build1/ -name '*.deb' -exec basename {} \;`; do
+            echo "Diffoscoping $deb"
+            diffoscope build1/$deb build2/$deb
+          done;