diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 12f9127..0c32c9c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -497,4 +497,4 @@ jobs:
 - name: Reproduce the same container image
 run: |
- ./dev_scripts/reproduce.py --source podman://dangerzone.rocks/dangerzone:$(cat share/image-id.txt)
+ ./dev_scripts/reproduce-image.py
diff --git a/dev_scripts/reproduce.py b/dev_scripts/reproduce-image.py
similarity index 87%
rename from dev_scripts/reproduce.py
rename to dev_scripts/reproduce-image.py
index 4cc51f5..b9f2625 100755
--- a/dev_scripts/reproduce.py
+++ b/dev_scripts/reproduce-image.py
@@ -16,6 +16,7 @@ DIFFOCI_CHECKSUM = "01d25fe690196945a6bd510d30559338aa489c034d3a1b895a0d82a4b860
 DIFFOCI_PATH = (
 pathlib.Path.home() / ".local" / "share" / "dangerzone-dev" / "helpers" / "diffoci"
 )
+IMAGE_NAME = "dangerzone.rocks/dangerzone"
 def run(*args):
@@ -32,6 +33,10 @@ def git_commit_get():
 return run("git", "rev-parse", "--short", "HEAD").decode().strip()
+def git_determine_tag():
+ return run("git", "describe", "--long", "--first-parent").decode().strip()
+
+
 def git_verify(commit, source):
 if not commit in source:
 raise RuntimeError(
@@ -108,6 +113,11 @@ def build_image(tag, use_cache=False):
 def parse_args():
+ image_tag = git_determine_tag()
+ # TODO: Remove the local "podman://" prefix once we have started pushing images to a
+ # remote.
+ default_image_name = "podman://" + IMAGE_NAME + ":" + image_tag
+
 parser = argparse.ArgumentParser(
 prog=sys.argv[0],
 description="Dev script for verifying container image reproducibility",
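Review bot: The new `git_determine_tag()` has no docstring and does not say what happens when `git describe` cannot produce a name. `git describe` without `--tags` only considers annotated tags and exits non-zero when none is reachable from HEAD, which is common in shallow CI checkouts; how `run()` reports that is not visible in this hunk. Because the returned string now selects which image the reproducibility check compares against, the format and failure mode should be documented, e.g. `"""Return the 'git describe --long --first-parent' name (<tag>-<n>-g<sha>) for HEAD; fails when no annotated tag is reachable."""`.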
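Review bot: The added `image_tag = git_determine_tag()` runs at the top of parse_args, before any argument is read, so the script shells out to git even when the caller passes `--source` explicitly or only asks for `--help`. If `git describe` fails (no reachable tag, or not a Git checkout), the script presumably aborts before argparse can print usage or honour the explicit value. Consider leaving the option's default as `None` and resolving the tag only after parsing, when `args.source` is unset. The rest of parse_args lies outside this hunk, so where that resolution belongs has to be checked against the full function.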
@@ -115,7 +125,12 @@ def parse_args():
 parser.add_argument(
 "--source",
 required=True,
- help="The source image name that you want to reproduce (in diffoci format)",
+ default=default_image_name,
+ help=(
+ "The name of the image that you want to reproduce. If the image resides in"
+ " the local Docker / Podman engine, you can prefix it with podman:// or"
+ f" docker:// accordingly (default: {default_image_name})"
+ ),
 )
 parser.add_argument(
 "--use-cache",
diff --git a/docs/developer/reproducibility.md b/docs/developer/reproducibility.md
index df68e58..6d37087 100644
--- a/docs/developer/reproducibility.md
+++ b/docs/developer/reproducibility.md
@@ -45,15 +45,23 @@ trigger a CI error.
 ### Reproducing the image
-For a simple way to reproduce a Dangerzone container image, either local or
-pushed to a container registry, you can checkout the commit this image was built
-from (you can find it from the image tag in its `g` portion), and run
-the following command in a Linux environment:
+For a simple way to reproduce a Dangerzone container image, you can checkout the
+commit this image was built from (you can find it from the image tag in its
+`g` portion), and run the following command in a Linux environment:
 ```
-./dev_scripts/reproduce.py
+./dev_scripts/reproduce-image.py --source
 ```
 This command will download the `diffoci` helper, build a container image from the current Git commit, and ensure that the built image matches the source one, with the exception of image names and file timestamps.
+
+> [!TIP]
+> If the source image is not pushed to a registry, and is local instead, you
+> can prefix it with `docker://` or `podman://` accordingly, so that `diffoci`
+> can load it from the local Docker / Podman container engine. For example:
+>
+> ```
+> ./dev_scripts/reproduce.py --source podman://dangerzone.rocks/dangerzone:0.8.0-125-g725ce3b
+> ```
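Review bot: `--source` keeps `required=True` in the context lines of the parse_args hunk, so the newly added `default=default_image_name` is never used: argparse rejects any invocation that omits a required option. The CI step in `.github/workflows/ci.yml` now runs `./dev_scripts/reproduce-image.py` with no `--source`, so as written the reproducibility check would stop with a usage error instead of comparing images. Change `required=True,` to `required=False,` (or drop that line) so the default takes effect. The body of parse_args continues outside the hunk.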