Migrate to GitHub Actions from CircleCI

.circleci/config.yml

@@ -18,6 +18,7 @@ jobs:
       image: ubuntu-2004:202010-01
     steps:
       - checkout
+      - run: env
       - run: sudo apt-get update && sudo apt-get install -y make build-essential reprotest
       - run: make reprotest
 

.github/workflows/ci.yml

@@ -0,0 +1,30 @@
+---
+name: CI
+
+on: [push, pull_request]
+
+jobs:
+  vanilla:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - run: sudo apt-get update && sudo apt-get install -y make build-essential
+      - run: make vanilla
+  reproducibility:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - run: env
+      - run: |
+          sudo mkdir /nonexistent
+          sudo mkdir /nonexistent/second-build
+      - run: |
+          ACTIONS_RUNNER=$USER sudo chown -R $ACTIONS_RUNNER: /nonexistent
+      - run: sudo apt-get update && sudo apt-get install -y make build-essential reprotest
+      - run: make reprotest
+  # reproducibility-securedrop:
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - uses: actions/checkout@v3
+  #     - run: sudo apt-get update && sudo apt-get install -y make build-essential reprotest
+  #     - run: make reprotest-sd

Dockerfile

@@ -1,13 +1,17 @@
 # debian:buster 2021-12-20
 FROM debian@sha256:94ccfd1c5115a6903cbb415f043a0b04e307be3f37b768cf6d6d3edff0021da3
 
+RUN echo "XKCD DOCKERFILE 1"
+
 ARG UID=1000
 ARG GID=1000
 ARG USERNAME=securedrop
 ENV KBUILD_BUILD_USER "$USERNAME"
 ENV KBUILD_BUILD_HOST "freedom.press"
 ENV DEBFULLNAME "SecureDrop Team"
 
+RUN echo "XKCD DOCKERFILE 2"
+
 RUN apt-get update && \
     apt-get install -y \
     bc \
@@ -31,22 +35,37 @@ RUN apt-get update && \
     wget \
     xz-utils
 
+RUN echo "XKCD DOCKERFILE 3"
+
 RUN groupadd -g ${GID} ${USERNAME} && useradd -m -d /home/${USERNAME} -g ${GID} -u ${UID} ${USERNAME}
 
+RUN echo "XKCD DOCKERFILE 4"
+
 COPY build-kernel.sh /usr/local/bin/build-kernel.sh
 COPY grsecurity-urls.py /usr/local/bin/grsecurity-urls.py
 COPY scripts/mkdebian /usr/local/bin/mkdebian
 
+RUN echo "XKCD DOCKERFILE 5"
+
 COPY securedrop-grsec /securedrop-grsec
 COPY securedrop-workstation-grsec /securedrop-workstation-grsec
 
+RUN echo "XKCD DOCKERFILE 6"
+
 RUN mkdir -p -m 0755 /kernel /patches-grsec /output
 RUN chown ${USERNAME}:${USERNAME} /kernel /patches-grsec /output
 WORKDIR /kernel
 
+RUN echo "XKCD DOCKERFILE 7"
+
+
 # VOLUME ["/kernel"]
 
 USER ${USERNAME}
 COPY pubkeys/ /pubkeys
 
+
+RUN echo "XKCD DOCKERFILE 8"
+
+
 CMD ["/usr/local/bin/build-kernel.sh"]

scripts/build-kernel-wrapper

@@ -1,9 +1,12 @@
 #!/bin/bash
 
+echo "XKCD scripts/build-kernel-wrapper 1"
+
 set -e
 set -u
 set -o pipefail
 
+echo "XKCD scripts/build-kernel-wrapper 2"
 
 # SOURCE_DATE_EPOCH="$(git log -1 --pretty=%ct)"
 # DEBUG: setting constant value to make eval easier
@@ -13,27 +16,48 @@ export KBUILD_BUILD_TIMESTAMP="@${SOURCE_DATE_EPOCH}"
 export DEB_BUILD_TIMESTAMP="${SOURCE_DATE_EPOCH}"
 export TERM=dumb  # to omit control characters from "script" transcripts
 
+echo "XKCD scripts/build-kernel-wrapper 3"
+echo $PWD
+env
+
 # Build container image for kernel dependencies
 IMG_NAME="fpf.local/kernel-builder"
 docker build -t "$IMG_NAME" \
     --build-arg UID="$(id -u)" \
     --build-arg GID="$(id -g)" \
     .
 
+echo "XKCD scripts/build-kernel-wrapper 4"
+echo $PWD
+env
+
 # Configure local customizations
 local_config_volume_opt=""
 if [[ -n "${LINUX_LOCAL_CONFIG_PATH:-}" ]]; then
     local_config_volume_opt="-v ${LINUX_LOCAL_CONFIG_PATH}:/config:ro"
 fi
+
+echo "XKCD scripts/build-kernel-wrapper 5"
+
 local_patches_volume_opt=""
 if [[ -n "${LINUX_LOCAL_PATCHES_PATH:-}" ]]; then
     local_patches_volume_opt="-v ${LINUX_LOCAL_PATCHES_PATH}:/patches:ro"
 fi
 
+echo "XKCD scripts/build-kernel-wrapper 6"
+
+echo $PWD
+env
+
 # Create output dir
 kernel_dir="$PWD/build"
 mkdir -p -m 755 "$kernel_dir"
 
+echo "XKCD scripts/build-kernel-wrapper 7"
+
+echo $PWD
+env
+
 # TODO: It'd be great to pass `-i` here so the builds can be cancelled,
 # but that breaks reprotest. Pass it conditionally, depending on whether
 # there's an interactive session available.
@@ -53,5 +77,8 @@ docker run --rm -t \
     $local_patches_volume_opt \
     "$IMG_NAME"
 
+echo "XKCD scripts/build-kernel-wrapper 8"
+
+
 echo "Build complete. Packages can be found at:"
 find "$kernel_dir" -type f | sort

scripts/reproducibility-test

@@ -4,6 +4,7 @@ set -u
 set -o pipefail
 set -x
 
+echo "XKCD scripts/reproducibility-test 1"
 
 # Full list of reprotest options, for reference
 # "+environment, +build_path, +kernel, +aslr, +num_cpus, +time,
@@ -15,15 +16,20 @@ set -x
 #   - time
 #   - domain_host
 
+echo "XKCD scripts/reproducibility-test 2"
 
 # If TERM is not set, diffoscope will fail with "setupterm: could not find terminfo database".
 # Set TERM to someting if it's unset, mostly useful for CI.
 TERM="${TERM:-xterm-256color}"
 export TERM
 
+echo "XKCD scripts/reproducibility-test 3"
+
 # Support overriding the build command
 reprotest_build_cmd="${1:-make vanilla}"
 
+echo "XKCD scripts/reproducibility-test 4"
+
 echo "Running reprotest with cmd: '$reprotest_build_cmd'"
 reprotest -c "$reprotest_build_cmd" \
     --vary "+all, -fileordering, -aslr, -time, -domain_host" \