From 279322bf438a9344bc6c5e52881870dbb0cea15e Mon Sep 17 00:00:00 2001
From: Alex Pyrgiotis
Date: Tue, 14 Jan 2025 10:51:33 +0200
Subject: [PATCH] ci: Add a CI job that enforces image reproducibility

Add a CI job that uses the `reproduce.py` dev script to enforce image reproducibility, for every PR that we send to the repo.
Fixes #1047
---
 .github/workflows/ci.yml | 38 +++++++++++++++++++++++++++++++
 docs/developer/reproducibility.md | 14 ++++++++++++
 2 files changed, 52 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b6bb54d..fc92043 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -471,3 +471,41 @@ jobs:
 # file successfully.
 xvfb-run -s '-ac' ./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} run --dev \
 bash -c 'cd dangerzone; poetry run make test'
+
+ reproduce-image:
+ needs:
+ - build-container-image
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Install dev. dependencies
+ run: |-
+ sudo apt-get update
+ sudo apt-get install -y git python3-poetry --no-install-recommends
+ poetry install --only package
+
+ - name: Verify that the Dockerfile matches the commited template and params
+ run: |-
+ poetry run jinja2 Dockerfile.in Dockerfile.env > out
+ diff Dockerfile out
+
+ - name: Get current date
+ id: date
+ run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+ - name: Restore container cache
+ uses: actions/cache/restore@v4
+ with:
+ key: v3-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container/*', 'install/common/build-image.py') }}
+ path: |-
+ share/container.tar.gz
+ share/image-id.txt
+ fail-on-cache-miss: true
+
+ - name: Reproduce the same container image
+ run: |
+ podman load -i share/container.tar.gz
+ ./dev_scripts/reproduce.py --source podman://dangerzone.rocks/dangerzone:$(cat share/image-id.txt)
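Review bot: The tarball this job verifies comes from the shared actions cache under key `v3-<date>-<hashFiles(...)>` rather than from the `build-container-image` job it `needs`, so whichever run stored that key first on a given day — another PR with the same hashed inputs, or a default-branch run whose caches PR runs may restore — is what gets reproduced, and a pass then does not bind the result to this commit; `fail-on-cache-miss: true` covers the miss case but not a stale hit. Handing the image over as a run-scoped artifact (`actions/upload-artifact` in the producer, `actions/download-artifact` here), or adding `${{ github.sha }}` to the key on both the save side (outside this hunk) and this restore, would tie the check to the commit under test. The job also sets no `permissions:`; unless the workflow declares a restrictive default outside this hunk, `permissions:` with `contents: read` is all it needs, since it only reads the checkout and the cache. The docs hunk says `reproduce.py` downloads the `diffoci` helper at run time, so it is worth confirming the script pins that download to a known checksum now that it runs on every PR. The step name `Verify that the Dockerfile matches the commited template and params` misspells "committed".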
diff --git a/docs/developer/reproducibility.md b/docs/developer/reproducibility.md
index bd099b7..4146526 100644
--- a/docs/developer/reproducibility.md
+++ b/docs/developer/reproducibility.md
@@ -109,3 +109,17 @@ with:
 ```
 poetry run jinja2 Dockerfile.in Dockerfile.env > Dockerfile
 ```
+
+### Reproducing the image
+
+For a simple way to reproduce a Dangerzone container image, either local or
+pushed to a container registry, you can run the following command in a Linux
+environment:
+
+```
+./dev_scripts/reproduce.py
+```
+
+This command will download the `diffoci` helper, build a container image from
+the current Git commit, and ensure that the built image matches the source one,
+with the exception of image names and file timestamps.