From 6eaf1b412b3fc263c8494d0592790e07a7fbc2a2 Mon Sep 17 00:00:00 2001
From: pablin-10 <118397961+pablin-10@users.noreply.github.com>
Date: Fri, 13 Mar 2026 01:28:38 -0300
Subject: [PATCH 1/6] Improve build workflow to also test reproducibility if asked
---
 .github/workflows/build.yaml | 74 ++++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index db57d955..244c703e 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -10,6 +10,8 @@
 # - "bob-l1" → builds only bob-l1
 # - "bob-l2" → builds only bob-l2
 # - "bob-l1,bob-l2" → builds both
+# - Reproducibility test (default: false)
+# - Adds a second build on a separate runner and compares SHA256 hashes
 name: Build mkosi images
@@ -29,6 +31,11 @@ on:
 required: false
 default: 'bob-l1'
 type: string
+ reprotest:
+ description: 'Run reproducibility test (builds on 2 machines and compares hashes)'
+ required: false
+ default: false
+ type: boolean
 jobs:
 validate:
@@ -121,6 +128,7 @@ jobs:
 fi
 - name: Generate SHA256 checksums
+ id: checksum
 run: |
 cd build/
 TIMESTAMP=$(git show -s --format=%ct HEAD)
@@ -128,3 +136,69 @@ jobs:
 CHECKSUM_FILE="${{ matrix.image }}_${TIMESTAMP}_${SHORT_SHA}.sha256"
 sha256sum ${{ matrix.image }}_* > "$CHECKSUM_FILE"
 cat "$CHECKSUM_FILE"
+
+ - name: Upload checksum for reprotest
+ if: inputs.reprotest == true
+ uses: actions/upload-artifact@v4
+ with:
+ name: checksum-${{ matrix.image }}-build-1
+ path: build/*.sha256
+ retention-days: 1
+
+ reprotest-build:
+ needs: [validate, build]
+ if: inputs.reprotest == true
+ strategy:
+ fail-fast: false
+ matrix:
+ image: ${{ fromJSON(needs.validate.outputs.matrix) }}
+ name: reprotest ${{ matrix.image }}
+ runs-on: warp-ubuntu-latest-x64-32x
+ steps:
+ - uses: actions/checkout@v5
+ with:
+ ref: ${{ inputs.branch || github.ref }}
+
+ - name: Install tools
+ run: |
+ sudo apt-get update && sudo apt-get install -y debian-archive-keyring
+
+ - name: Install Nix
+ uses: cachix/install-nix-action@v27
+ with:
+ extra_nix_config: |
+ experimental-features = nix-command flakes
+
+ - name: Enable user namespaces
+ run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+
+ - name: Build ${{ matrix.image }} image
+ run: |
+ umask 022
+ nix develop --command mkosi --force -I ${{ matrix.image }}.conf --image-id=${{ matrix.image }}
+ sudo chown -R $(id -u):$(id -g) build/
+ sha256sum build/${{ matrix.image }}_*.efi | tee checksum.sha256
+
+ - name: Download checksum from build-1
+ uses: actions/download-artifact@v4
+ with:
+ name: checksum-${{ matrix.image }}-build-1
+ path: build-1/
+
+ - name: Compare SHA256 hashes
+ run: |
+ echo "=== Reproducibility Check for ${{ matrix.image }} ==="
+ echo "Build 1 (original):"
+ cat build-1/*.sha256
+ echo "Build 2 (reprotest):"
+ cat checksum.sha256
+
+ hash1=$(awk '{print $1}' build-1/*.sha256)
+ hash2=$(awk '{print $1}' checksum.sha256)
+
+ if [ "$hash1" = "$hash2" ]; then
+ echo "✅ SUCCESS: ${{ matrix.image }} images are identical (reproducible build verified)"
+ else
+ echo "❌ FAILURE: ${{ matrix.image }} images differ (reproducible build failed)"
+ 
exit 1
+ fi
From d18709c764af17b66ef84891f82cab7dd4b941e3 Mon Sep 17 00:00:00 2001
From: pablin-10 <118397961+pablin-10@users.noreply.github.com>
Date: Fri, 13 Mar 2026 01:32:47 -0300
Subject: [PATCH 2/6] Make both builds to run in parallel
---
 .github/workflows/build.yaml | 42 ++++++++++++++++++++++++++----------
 1 file changed, 31 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 244c703e..d907c958 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -146,7 +146,7 @@ jobs:
 retention-days: 1
 reprotest-build:
- needs: [validate, build]
+ needs: validate
 if: inputs.reprotest == true
 strategy:
 fail-fast: false
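Review bot: In the `Compare SHA256 hashes` step two empty hashes compare equal, so the job prints SUCCESS when neither build produced a checksum: `sha256sum build/${{ matrix.image }}_*.efi | tee checksum.sha256` in the `Build` step exits with tee's status under the default `run` shell (`bash -e`, no `pipefail`), so an unmatched glob leaves an empty `checksum.sha256` without failing the step, and `hash1`/`hash2` are never checked for being non-empty; add `if [ -z "$hash1" ] || [ -z "$hash2" ]; then echo "missing hash"; exit 1; fi` before the comparison (or set `shell: bash` on the steps, which enables `pipefail`). The same gap carries into the rewritten compare steps of PATCH 2/6 (`@@ -177,24 +177,44 @@`) and PATCH 3/6 (`@@ -208,14 +202,19 @@`), where `grep '\.efi$' … | awk` likewise yields an empty `hash1` without an error. The new `reprotest-build` job declares no `permissions:`, so its token keeps whatever the workflow or repository default grants; a job-level `permissions:` with `contents: read` is enough for checkout and artifact upload, unless a top-level `permissions:` outside this hunk already narrows it. The actions are referenced by movable tags (`actions/checkout@v5`, `cachix/install-nix-action@v27`, `actions/upload-artifact@v4`, `actions/download-artifact@v4`); pinning them to full commit SHAs keeps the reproducibility check itself from depending on a tag that can be retargeted.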
@@ -177,24 +177,44 @@ jobs:
 umask 022
 nix develop --command mkosi --force -I ${{ matrix.image }}.conf --image-id=${{ matrix.image }}
 sudo chown -R $(id -u):$(id -g) build/
- sha256sum build/${{ matrix.image }}_*.efi | tee checksum.sha256
- - name: Download checksum from build-1
+ - name: Generate SHA256 checksum
+ run: |
+ sha256sum build/${{ matrix.image }}_*.efi | tee build/checksum.sha256
+
+ - name: Upload checksum
+ uses: actions/upload-artifact@v4
+ with:
+ name: checksum-${{ matrix.image }}-build-2
+ path: build/checksum.sha256
+ retention-days: 1
+
+ reprotest-compare:
+ needs: [validate, build, reprotest-build]
+ if: inputs.reprotest == true
+ strategy:
+ fail-fast: false
+ matrix:
+ image: ${{ fromJSON(needs.validate.outputs.matrix) }}
+ name: reprotest compare ${{ matrix.image }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Download checksums
 uses: actions/download-artifact@v4
 with:
- name: checksum-${{ matrix.image }}-build-1
- path: build-1/
+ pattern: checksum-${{ matrix.image }}-*
+ path: checksums/
 - name: Compare SHA256 hashes
 run: |
 echo "=== Reproducibility Check for ${{ matrix.image }} ==="
- echo "Build 1 (original):"
- cat build-1/*.sha256
- echo "Build 2 (reprotest):"
- cat checksum.sha256
+ echo "Build 1:"
+ cat checksums/checksum-${{ matrix.image }}-build-1/*.sha256
+ echo "Build 2:"
+ cat checksums/checksum-${{ matrix.image }}-build-2/checksum.sha256
- hash1=$(awk '{print $1}' build-1/*.sha256)
- hash2=$(awk '{print $1}' checksum.sha256)
+ hash1=$(awk '{print $1}' checksums/checksum-${{ matrix.image }}-build-1/*.sha256)
+ hash2=$(awk '{print $1}' checksums/checksum-${{ matrix.image }}-build-2/checksum.sha256)
 if [ "$hash1" = "$hash2" ]; then
 echo "✅ SUCCESS: ${{ matrix.image }} images are identical (reproducible build verified)"
From 9fc5661d75e3f7ecae65f1478fb521a4bd571b80 Mon Sep 17 00:00:00 2001
From: pablin-10 <118397961+pablin-10@users.noreply.github.com>
Date: Fri, 13 Mar 2026 01:49:54 -0300
Subject: [PATCH 3/6] Compare only EFI images
---
 .github/workflows/build.yaml | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index d907c958..8f616c77 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -128,21 +128,15 @@ jobs:
 fi
 - name: Generate SHA256 checksums
- id: checksum
 run: |
- cd build/
- TIMESTAMP=$(git show -s --format=%ct HEAD)
- SHORT_SHA="${GITHUB_SHA::8}"
- CHECKSUM_FILE="${{ matrix.image }}_${TIMESTAMP}_${SHORT_SHA}.sha256"
- sha256sum ${{ matrix.image }}_* > "$CHECKSUM_FILE"
- cat "$CHECKSUM_FILE"
+ sha256sum build/${{ matrix.image }}_*.efi | tee build/checksum.sha256
 - name: Upload checksum for reprotest
 if: inputs.reprotest == true
 uses: actions/upload-artifact@v4
 with:
 name: checksum-${{ matrix.image }}-build-1
- path: build/*.sha256
+ path: build/checksum.sha256
 retention-days: 1
 reprotest-build:
@@ -208,14 +202,19 @@ jobs:
 - name: Compare SHA256 hashes
 run: |
 echo "=== Reproducibility Check for ${{ matrix.image }} ==="
- echo "Build 1:"
+ echo "Build 1 (all artifacts):"
 cat checksums/checksum-${{ matrix.image }}-build-1/*.sha256
- echo "Build 2:"
+ echo "Build 2 (EFI only):"
 cat checksums/checksum-${{ matrix.image }}-build-2/checksum.sha256
- hash1=$(awk '{print $1}' checksums/checksum-${{ matrix.image }}-build-1/*.sha256)
+ # Extract only the .efi hash from build-1 to compare with build-2
+ hash1=$(grep '\.efi$' checksums/checksum-${{ matrix.image }}-build-1/*.sha256 | awk '{print $1}')
 hash2=$(awk '{print $1}' checksums/checksum-${{ matrix.image }}-build-2/checksum.sha256)
+ echo ""
+ echo "EFI hash build-1: $hash1"
+ echo "EFI hash build-2: $hash2"
+
 if [ "$hash1" = "$hash2" ]; then
 echo "✅ SUCCESS: ${{ matrix.image }} images are identical (reproducible build verified)"
 else
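Review bot: After the `@@ -128,21 +128,15 @@` hunk the first build's `Generate SHA256 checksums` step hashes only `build/${{ matrix.image }}_*.efi` into a fixed `build/checksum.sha256`, so the label `Build 1 (all artifacts):` and the `grep '\.efi$'` filter added in the `@@ -208,14 +202,19 @@` hunk describe the old multi-artifact file and are now effectively no-ops; either keep the all-artifact checksum for the first build and filter it, or drop the label and the grep so the two steps stay consistent. The removed per-commit file (`${{ matrix.image }}_${TIMESTAMP}_${SHORT_SHA}.sha256`, covering every `${{ matrix.image }}_*` artifact) was also the only checksum this job produced; if a step outside this hunk uploads or releases it, that consumer now receives a checksum that covers only the EFI image and whose name no longer identifies the commit, which is worth confirming before merge. A comment on the step would make the narrowed scope explicit, e.g. `# Only the .efi is hashed here; this file is consumed by reprotest-compare`.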
From 1bb5084cc3548e0f32dcf5cf8aeaf44d71c2c419 Mon Sep 17 00:00:00 2001
From: Pablo <118397961+pablin-10@users.noreply.github.com>
Date: Wed, 18 Mar 2026 14:59:33 -0300
Subject: [PATCH 4/6] Fix yml
---
 .github/workflows/build.yaml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index f99bed62..1315fc50 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -5,7 +5,6 @@
 #
 # - Manual dispatch: Allows specifying:
 # - Branch to build from (default: main)
-<<<<<<< pablo/box-49-add-repro-test-ci-on-main-for-flashbox-images
 # - Images to build (default: bob-l1)
 # - "all" → builds bob-l1 and bob-l2
 # - "bob-l1" → builds only bob-l1
@@ -13,13 +12,11 @@
 # - "bob-l1,bob-l2" → builds both
 # - Reproducibility test (default: false)
 # - Adds a second build on a separate runner and compares SHA256 hashes
-=======
 # - Images to build (default: flashbox-l1)
 # - "all" → builds flashbox-l1 and flashbox-l2
 # - "flashbox-l1" → builds only flashbox-l1
 # - "flashbox-l2" → builds only flashbox-l2
 # - "flashbox-l1,flashbox-l2" → builds both
->>>>>>> main
 name: Build mkosi images
From ce1c65cadf6b1dea1788e6266a2cdebf1b3c7107 Mon Sep 17 00:00:00 2001
From: Pablo <118397961+pablin-10@users.noreply.github.com>
Date: Wed, 18 Mar 2026 15:00:18 -0300
Subject: [PATCH 5/6] Adapt comments to new naming
---
 .github/workflows/build.yaml | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 1315fc50..0b62ca8f 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -5,18 +5,14 @@
 #
 # - Manual dispatch: Allows specifying:
 # - Branch to build from (default: main)
-# - Images to build (default: bob-l1)
-# - "all" → builds bob-l1 and bob-l2
-# - "bob-l1" → builds only bob-l1
-# - "bob-l2" → builds only bob-l2
-# - "bob-l1,bob-l2" → builds both
-# - Reproducibility test (default: false)
-# - Adds a second build on a separate runner and compares SHA256 hashes
 # - Images to build (default: flashbox-l1)
 # - "all" → builds flashbox-l1 and flashbox-l2
 # - "flashbox-l1" → builds only flashbox-l1
 # - "flashbox-l2" → builds only flashbox-l2
 # - "flashbox-l1,flashbox-l2" → builds both
+# - Reproducibility test (default: false)
+# - Adds a second build on a separate runner and compares SHA256 hashes
+
 name: Build mkosi images
From 60364b1376a9fa1c4fa74dfd25e4f9a5835769cf Mon Sep 17 00:00:00 2001
From: pablin-10 <118397961+pablin-10@users.noreply.github.com>
Date: Wed, 18 Mar 2026 15:11:41 -0300
Subject: [PATCH 6/6] Adjust path for image conf file
---
 .github/workflows/build.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 0b62ca8f..a72f0f87 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -170,7 +170,7 @@ jobs:
 - name: Build ${{ matrix.image }} image
 run: |
 umask 022
- nix develop --command mkosi --force -I ${{ matrix.image }}.conf --image-id=${{ matrix.image }}
+ nix develop --command mkosi --force -I images/${{ matrix.image }}.conf --image-id=${{ matrix.image }}
 sudo chown -R $(id -u):$(id -g) build/
 - name: Generate SHA256 checksum
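Review bot: The `-I images/${{ matrix.image }}.conf` path fix in PATCH 6/6 lands only in `reprotest-build`'s `Build` step, which duplicates the mkosi invocation of the primary `build` job; that job is outside this hunk, so I cannot confirm the two commands are still identical after this series. A reproducibility comparison is only meaningful when both builds run the same command with the same inputs, so a drift like the one this commit repairs would either guarantee a mismatch or, worse, compare two different configurations and still report SUCCESS if they happen to agree. Consider factoring the shared build steps into a composite action or a reusable workflow invoked by both jobs, or at least pin the intent with a comment on this step, e.g. `# Must stay byte-identical to the mkosi invocation in the build job`.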