ci: Add a CI job that enforces image reproducibility

Add a CI job that uses the `reproduce.py` dev script to enforce image
reproducibility, for every PR that we send to the repo.

Fixes #1047
This commit is contained in:
Alex Pyrgiotis 2025-01-14 10:51:33 +02:00
parent 7a59940493
commit 279322bf43
No known key found for this signature in database
GPG key ID: B6C15EBA0357C9AA
2 changed files with 52 additions and 0 deletions


@ -471,3 +471,41 @@ jobs:
# file successfully. # file successfully.
xvfb-run -s '-ac' ./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} run --dev \ xvfb-run -s '-ac' ./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} run --dev \
bash -c 'cd dangerzone; poetry run make test' bash -c 'cd dangerzone; poetry run make test'
reproduce-image:
needs:
- build-container-image
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install dev. dependencies
run: |-
sudo apt-get update
sudo apt-get install -y git python3-poetry --no-install-recommends
poetry install --only package
- name: Verify that the Dockerfile matches the commited template and params
run: |-
poetry run jinja2 Dockerfile.in Dockerfile.env > out
diff Dockerfile out
- name: Get current date
id: date
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
- name: Restore container cache
uses: actions/cache/restore@v4
with:
key: v3-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/*.py', 'dangerzone/container/*', 'install/common/build-image.py') }}
path: |-
share/container.tar.gz
share/image-id.txt
fail-on-cache-miss: true
- name: Reproduce the same container image
run: |
podman load -i share/container.tar.gz
./dev_scripts/reproduce.py --source podman://dangerzone.rocks/dangerzone:$(cat share/image-id.txt)
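Review bot: the `Restore container cache` step with `fail-on-cache-miss: true` keys on `steps.date.outputs.date`, which is computed independently in this job, so if `build-container-image` saves the cache shortly before a UTC date change and `reproduce-image` runs after it, the key no longer matches and the job fails for a reason unrelated to reproducibility. Consider exporting the cache key (or the date) as an output of `build-container-image` and consuming it here, or dropping the date from the key and relying on `hashFiles(...)` alone. Two smaller points in the same hunk: the step name `Verify that the Dockerfile matches the commited template and params` misspells "committed", and `poetry run jinja2 Dockerfile.in Dockerfile.env > out` writes `out` into the checkout; `diff Dockerfile <(poetry run jinja2 Dockerfile.in Dockerfile.env)` avoids leaving a stray file in the working tree that a later step could pick up.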


@ -109,3 +109,17 @@ with:
``` ```
poetry run jinja2 Dockerfile.in Dockerfile.env > Dockerfile poetry run jinja2 Dockerfile.in Dockerfile.env > Dockerfile
``` ```
### Reproducing the image
For a simple way to reproduce a Dangerzone container image, either local or
pushed to a container registry, you can run the following command in a Linux
environment:
```
./dev_scripts/reproduce.py <image>
```
This command will download the `diffoci` helper, build a container image from
the current Git commit, and ensure that the built image matches the source one,
with the exception of image names and file timestamps.
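Review bot: the documented invocation `./dev_scripts/reproduce.py <image>` does not match the CI job added in the same commit, which passes the image as `--source podman://dangerzone.rocks/dangerzone:<id>`; the section should show the `--source` flag and the `podman://` scheme, and say how a registry-hosted image is referenced, since "either local or pushed to a container registry" is asserted without an example of the latter. The sentence "This command will download the `diffoci` helper" should also state whether the download is pinned to a version and checksum, because a reproducibility check that fetches an unverified comparison tool at run time weakens the guarantee the job is meant to enforce.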