Compare commits


25 commits

Author SHA1 Message Date
Alex Pyrgiotis
fc508f03b4
Merge 2b6736f978 into 9ba95b5c20 2025-03-19 10:14:39 +00:00
Alex Pyrgiotis
2b6736f978
FIXUP: Proxy job outputs
2025-03-19 12:14:25 +02:00
Alex Pyrgiotis
b301bf07ea
fixup! FIXUP: Change digest with manifest_type 2025-03-19 11:44:20 +02:00
Alex Pyrgiotis
c4bd9b3701
FIXUP: Make tests work after 'podman load -i' 2025-03-19 11:44:20 +02:00
Alex Pyrgiotis
9d92fa1f12
FIXUP: Rename XXX to NOTE 2025-03-19 11:44:20 +02:00
Alex Pyrgiotis
606fbb7abb
FIXUP: Add comment for needs: prepare 2025-03-19 11:44:20 +02:00
Alex Pyrgiotis
410fb754ea
FIXUP: Remove extraneous comments 2025-03-19 11:44:20 +02:00
Alex Pyrgiotis
635c4433e4
FIXUP: Specify platform by full name 2025-03-19 11:44:20 +02:00
Alex Pyrgiotis
d5ffbbbe93
FIXUP: Handle tarballs with ./ prefix 2025-03-19 11:44:20 +02:00
Alex Pyrgiotis
44f0ea5149
FIXUP: Rename repro-build to repro-build.py 2025-03-19 11:44:20 +02:00
Alex Pyrgiotis
29cb046f17
FIXUP: Rename compressed_container_path envvar 2025-03-19 11:44:20 +02:00
Alex Pyrgiotis
e903cf377f
FIXUP: Use 'load -i' 2025-03-19 11:44:20 +02:00
Alex Pyrgiotis
a7006287cc
FIXUP: Document removal of resolv.conf 2025-03-19 11:44:20 +02:00
Alex Pyrgiotis
ba621d3bea
FIXUP: Change digest with manifest_type 2025-03-19 11:44:20 +02:00
Alex Pyrgiotis
eafbf98ca8
FIXUP: Move buildkit image along with other envvars 2025-03-19 11:44:19 +02:00
Alex Pyrgiotis
167379790c
FIXUP: Remove command that checks github token 2025-03-19 11:44:19 +02:00
Alex Pyrgiotis
e7576fe78b
FIXUP: Make release image job reusable 2025-03-19 11:44:19 +02:00
Alex Pyrgiotis
67092b87e5
ci: Create a CI job that does the following
1. Create a multi-architecture container image for Dangerzone, instead
   of having two different tarballs (or no option at all)
2. Build the Dangerzone container image on our supported architectures
   (linux/amd64 and linux/arm64). It so happens that GitHub also offers
   ARM machine runners, which speeds up the build.
3. Combine the images from these two architectures into one, multi-arch
   image.
4. Generate provenance info for each manifest, and the root manifest
   list.
5. Check the image's reproducibility.

Also, remove an older CI action, that is now obsolete.

Fixes #1035
2025-03-19 11:44:19 +02:00
Alex Pyrgiotis
2e59d889b8
Completely overhaul the reproduce-image.py script
Make a major change to the `reproduce-image.py` script: drop `diffoci`,
build the container image, and ensure it has the exact same hash as the
source image.

We can drop the `diffoci` script when comparing the two images, because
we are now able to build bit-for-bit reproducible images.
2025-03-19 11:44:19 +02:00
Alex Pyrgiotis
ad70d3b1d5
Fix a Podman regression regarding Buildkit images
Loading an image built with Buildkit in Podman 3.4 messes up its name.
The tag somehow becomes the name of the loaded image.

We know that older Podman versions are not generally affected, since
Podman v3.0.1 on Debian Bullseye works properly. Also, Podman v4.0 is
not affected, so it makes sense to target only Podman v3.4 for a fix.

The fix is simple: tag the image properly based on the expected tag from
`share/image-id.txt` and delete the incorrect tag.

Refs containers/podman/#16490
2025-03-19 11:44:19 +02:00
Alex Pyrgiotis
c6c7c14f12
Fix references to container.tar.gz
Find all references to the `container.tar.gz` file, and replace them
with references to `container.tar`. Moreover, remove the `--no-save`
argument of `build-image.py` since we now always save the image.

Finally, fix some stale references to Poetry, which are not necessary
anymore.
2025-03-19 11:44:19 +02:00
Alex Pyrgiotis
12a87617b5
Build container image using repro-build
Invoke the `repro-build` script when building a container image, instead
of the underlying Docker/Podman commands. The `repro-build` script
handles the underlying complexity to call Docker/Podman in a manner that
makes the image reproducible.

Moreover, mirror some arguments from the `repro-build` script, so that
consumers of `build-image.py` can pass them to it.

Important: the resulting image will be in .tar format, not .tar.gz,
starting from this commit. This means that our tests will be broken for
the next few commits.

Fixes #1074
2025-03-19 11:44:19 +02:00
Alex Pyrgiotis
6074bb6a36
Vendor repro-build script
Vendor the `repro-build` script in our codebase, which will be used to
build our container image in a reproducible manner. We prefer to copy it
verbatim for the time-being, since its interface is not stable enough,
and the repro-build repo is not reviewed after all.

In the future, we want to store this script in a separate place, and
pull it when necessary.

Refs #1085
2025-03-19 11:44:19 +02:00
Alex Pyrgiotis
ddf1c27bcd
Remove sources of non-determinism from our image
Make our container image more reproducible, by changing the following in
our Dockerfile:
1. Touch `/etc/apt/sources.list` with a UTC timestamp. Otherwise, builds
   in different countries (!?) may result in different Unix epochs for
   the same date, and therefore a different modification time for the
   file.
2. Turn the third column of `/etc/shadow` (date of last password change)
   for the `dangerzone` user into a constant number.
3. Fix r-s file permissions in some copied files, due to inconsistent
   COPY behavior in containerized vs non-containerized Buildkit. This
   requires creating a full file hierarchy in a separate directory (see
   new_root/).
4. Set a specific modification time for the entrypoint script, because
   rewrite-timestamp=true does not overwrite it.
2025-03-19 11:44:19 +02:00
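The four items in the commit above are all things that show up as metadata or content differences between two layers built from the same Dockerfile. The following is an added example, not code from the commit or from the Dangerzone repository: it fingerprints every entry of an uncompressed layer tarball (mode, mtime, content hash, with any leading `./` prefix stripped, as the "Handle tarballs with ./ prefix" fixup also has to do) and diffs two layers so that the exact sources of non-determinism can be listed. The layers themselves are constructed in-memory stand-ins; the `SOURCE_DATE_EPOCH` value and the `/etc/shadow` entries are assumed, not taken from the project.

```python
from __future__ import annotations

import hashlib
import io
import tarfile

# Assumed build timestamp (2025-01-01T00:00:00Z); not the project's real value.
SOURCE_DATE_EPOCH = 1735689600


def build_layer(sources_list_mtime: int, shadow_lastchg: int, prefix: str = "") -> bytes:
    """Constructed stand-in for one image layer as `docker save` would emit it.

    `sources_list_mtime` models the local-timezone `touch` problem and
    `shadow_lastchg` the 'days since epoch' field of /etc/shadow; both
    vary between builds unless pinned. `prefix` lets a caller emit
    './'-prefixed entry names, which some tar writers produce.
    """
    files = {
        "etc/apt/sources.list": (b"deb http://deb.debian.org/debian bookworm main\n", sources_list_mtime, 0o644),
        "etc/shadow": (f"root:*:19000:0:99999:7:::\ndangerzone:!:{shadow_lastchg}:0:99999:7:::\n".encode(), SOURCE_DATE_EPOCH, 0o640),
        "entrypoint.py": (b"#!/usr/bin/env python3\nprint('sandbox')\n", SOURCE_DATE_EPOCH, 0o755),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, (data, mtime, mode) in files.items():
            info = tarfile.TarInfo(prefix + name)
            info.size = len(data)
            info.mtime = mtime
            info.mode = mode
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def fingerprint_layer(tar_bytes: bytes) -> dict[str, tuple[int, int, str]]:
    """Map each entry name (leading './' removed) to (mode, mtime, sha256 of content)."""
    out: dict[str, tuple[int, int, str]] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for member in tf.getmembers():
            name = member.name[2:] if member.name.startswith("./") else member.name
            digest = ""
            if member.isfile():
                extracted = tf.extractfile(member)
                if extracted is not None:
                    digest = hashlib.sha256(extracted.read()).hexdigest()
            out[name] = (member.mode, member.mtime, digest)
    return out


def diff_layers(a: bytes, b: bytes) -> dict[str, str]:
    """Return {entry: reason} for every entry that would make the two layers differ."""
    fa, fb = fingerprint_layer(a), fingerprint_layer(b)
    reasons: dict[str, str] = {}
    for name in sorted(set(fa) | set(fb)):
        if name not in fa or name not in fb:
            reasons[name] = "present in only one layer"
            continue
        (mode_a, mtime_a, sha_a), (mode_b, mtime_b, sha_b) = fa[name], fb[name]
        why = []
        if mode_a != mode_b:
            why.append(f"mode {mode_a:o} != {mode_b:o}")
        if mtime_a != mtime_b:
            why.append(f"mtime {mtime_a} != {mtime_b}")
        if sha_a != sha_b:
            why.append("content differs")
        if why:
            reasons[name] = "; ".join(why)
    return reasons


if __name__ == "__main__":
    # Two 'builds': the second ran an hour later in a timezone that shifted the
    # sources.list mtime, and one day later for the shadow lastchg field.
    first = build_layer(SOURCE_DATE_EPOCH, 20089)
    second = build_layer(SOURCE_DATE_EPOCH + 3600, 20090, prefix="./")
    for entry, reason in diff_layers(first, second).items():
        print(f"{entry}: {reason}")
```

Run against two real layers (`tar -xf` the `docker save`/`podman save` output and feed each `layer.tar`), an empty result from `diff_layers` is what "bit-for-bit reproducible" means at the layer level; the entries it does report are exactly the files whose mtime, mode or content the Dockerfile must pin, which is what the four changes in the commit do.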
Alex Pyrgiotis
0bae29a265
Bump container image parameters
Bump all the values in Dockerfile.env, since there are new releases out
for all of them.
2025-03-19 11:44:19 +02:00
2 changed files with 14 additions and 10 deletions


@ -69,6 +69,10 @@ jobs:
runs-on: ${{ matrix.platform.runs-on }}
needs:
- prepare
outputs:
debian_archive_date: ${{ needs.prepare.outputs.debian_archive_date }}
source_date_epoch: ${{ needs.prepare.outputs.source_date_epoch }}
image: ${{ needs.prepare.outputs.image }}
strategy:
fail-fast: false
matrix:
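Review bot: the new `outputs:` block on `build` re-exports three values it does not produce (`debian_archive_date`, `source_date_epoch`, `image` are all `needs.prepare.outputs.*`), and nothing in the file explains why; the only explanation is the commit title "Proxy job outputs". Because `build` is a matrix job (`fail-fast: false`, `matrix:` below), every matrix entry evaluates this block under the same output names and downstream jobs see a single value, which is only safe because each entry proxies the identical `prepare` value. A one-line comment such as `outputs: # re-exported from prepare so merge/provenance/check-reproducibility only need to depend on build` would record both facts.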
@ -131,9 +135,11 @@ jobs:
merge:
runs-on: ubuntu-latest
needs:
- prepare # implied by build, but required here to access image params
- build
outputs:
debian_archive_date: ${{ needs.build.outputs.debian_archive_date }}
source_date_epoch: ${{ needs.build.outputs.source_date_epoch }}
image: ${{ needs.build.outputs.image }}
digest_root: ${{ steps.image.outputs.digest_root }}
digest_amd64: ${{ steps.image.outputs.digest_amd64 }}
digest_arm64: ${{ steps.image.outputs.digest_arm64 }}
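Review bot: `digest_root`, `digest_amd64` and `digest_arm64` are declared here from `steps.image.outputs.*` with no guard that they are non-empty, and the `merge` outputs are now the only path by which `provenance` and `check-reproducibility` receive the image parameters (the `- prepare` entry and its comment are removed). If the inspect step fails to extract a digest, the downstream jobs get an empty string rather than a failure. Consider ending the `Inspect image` step with a check such as `test -n "$digest_root" -a -n "$digest_amd64" -a -n "$digest_arm64"` before writing the outputs.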
@ -162,15 +168,15 @@ jobs:
- name: Create manifest list and push
working-directory: ${{ runner.temp }}/digests
run: |
DIGESTS=$(printf '${{ needs.prepare.outputs.image }}@sha256:%s ' *)
docker buildx imagetools create -t ${{ needs.prepare.outputs.image }} ${DIGESTS}
DIGESTS=$(printf '${{ needs.build.outputs.image }}@sha256:%s ' *)
docker buildx imagetools create -t ${{ needs.build.outputs.image }} ${DIGESTS}
- name: Inspect image
id: image
run: |
# Inspect the image
docker buildx imagetools inspect ${{ needs.prepare.outputs.image }}
docker buildx imagetools inspect ${{ needs.prepare.outputs.image }} --format "{{json .Manifest}}" > manifest
docker buildx imagetools inspect ${{ needs.build.outputs.image }}
docker buildx imagetools inspect ${{ needs.build.outputs.image }} --format "{{json .Manifest}}" > manifest
# Calculate and print the digests
digest_root=$(jq -r .digest manifest)
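Review bot: `${{ needs.build.outputs.image }}` is still expanded textually into `run:` shell on four lines (`printf`, `imagetools create -t`, both `imagetools inspect` calls), so the image reference is substituted into the script before the shell sees it. The value comes from a job output rather than event data, so it is not attacker-controlled today, but passing it through `env:` (`IMAGE: ${{ needs.build.outputs.image }}`) and referencing `"$IMAGE"` removes the script-injection risk if `image` is ever derived from an input. Note also that `jq -r .digest` prints the literal string `null` when the key is absent, which is why an explicit non-empty/`sha256:` prefix check on `digest_root` is worth adding here.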
@ -192,7 +198,6 @@ jobs:
# the container registry.
provenance:
needs:
- prepare # implied by merge, but required here to access image params
- merge
strategy:
matrix:
@ -207,7 +212,7 @@ jobs:
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
with:
digest: ${{ needs.merge.outputs[format('digest_{0}', matrix.manifest_type)] }}
image: ${{ needs.prepare.outputs.image }}
image: ${{ needs.merge.outputs.image }}
registry-username: ${{ inputs.registry_user }}
secrets:
registry-password: ${{ secrets.registry_token }}
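Review bot: `image` now comes from `needs.merge.outputs.image`, which is the same string `merge` used in `docker buildx imagetools create -t`, so the provenance subject name matches the pushed tag; good. The `digest` input, though, is looked up as `needs.merge.outputs[format('digest_{0}', matrix.manifest_type)]`, so the `matrix.manifest_type` values are silently coupled to the output names `digest_root`, `digest_amd64` and `digest_arm64` declared in `merge`; a typo or a renamed output yields an empty digest rather than an error. A comment on the matrix listing the allowed values, or a guard step that fails when the resolved digest is empty, would make that coupling visible.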
@ -216,7 +221,6 @@ jobs:
check-reproducibility:
if: ${{ inputs.reproduce }}
needs:
- prepare # implied by merge, but required here to access image params
- merge
runs-on: ${{ matrix.platform.runs-on }}
strategy:
@ -238,7 +242,7 @@ jobs:
--runtime \
docker \
--debian-archive-date \
${{ needs.prepare.outputs.debian_archive_date }} \
${{ needs.merge.outputs.debian_archive_date }} \
--platform \
linux/${{ matrix.platform.name }} \
${{ needs.merge.outputs[format('digest_{0}', matrix.platform.name)] }}
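Review bot: only `--debian-archive-date` is switched to `needs.merge.outputs.debian_archive_date` here, while `merge` (and `build` before it) also re-export `source_date_epoch`. If `reproduce-image.py` needs `SOURCE_DATE_EPOCH` to rebuild the image bit-for-bit, it should be passed from `needs.merge.outputs.source_date_epoch` the same way; if it is not needed, the re-exported `source_date_epoch` output is dead and can be dropped from both jobs. Also note that the reproduced artifact is the per-platform digest (`digest_{matrix.platform.name}`), not `digest_root`; that is expected, since the manifest list is assembled by `imagetools create` rather than built, but it is worth a comment so nobody later tries to "reproduce" the root digest.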

@ -1 +1 @@
Subproject commit 9e95f7e1b7fbf904a76078715485e4fdba495676
Subproject commit 0faa21eb4e33ec1a3212468dcb6db3a668cf8fc8
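Review bot: the submodule pointer moves from 9e95f7e1b7fbf904a76078715485e4fdba495676 to 0faa21eb4e33ec1a3212468dcb6db3a668cf8fc8 but none of the 25 commit messages in this range names the submodule or says what changed in it. For a component that feeds a reproducible, provenance-attested build, the bump should be its own commit whose message states which submodule is updated, why, and the upstream range (or tag) it corresponds to, so a reviewer can verify the new commit independently.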