Merge abeab4b0fd into 9ba95b5c20

fixup! FIXUP: Change digest with manifest_type
FIXUP: Make tests work after 'podman load -i'
2025-05-12 00:11:49 +02:00 · 2025-03-17 16:04:01 +02:00 · 2025-03-11 19:39:34 +02:00 · 2025-03-11 17:40:37 +02:00 · 2025-03-11 17:33:05 +02:00 · 2025-03-11 17:33:05 +02:00
2 changed files with 10 additions and 14 deletions
--- a/.github/workflows/build-push-image.yml
+++ b/.github/workflows/build-push-image.yml
@ -69,10 +69,6 @@ jobs:
    runs-on: ${{ matrix.platform.runs-on }}
    needs:
      - prepare
-    outputs:
-      debian_archive_date: ${{ needs.prepare.outputs.debian_archive_date }}
-      source_date_epoch: ${{ needs.prepare.outputs.source_date_epoch }}
-      image: ${{ needs.prepare.outputs.image }}
    strategy:
      fail-fast: false
      matrix:
@ -135,11 +131,9 @@ jobs:
  merge:
    runs-on: ubuntu-latest
    needs:
+      - prepare  # implied by build, but required here to access image params
      - build
    outputs:
-      debian_archive_date: ${{ needs.build.outputs.debian_archive_date }}
-      source_date_epoch: ${{ needs.build.outputs.source_date_epoch }}
-      image: ${{ needs.build.outputs.image }}
      digest_root: ${{ steps.image.outputs.digest_root }}
      digest_amd64: ${{ steps.image.outputs.digest_amd64 }}
      digest_arm64: ${{ steps.image.outputs.digest_arm64 }}
@ -168,15 +162,15 @@ jobs:
      - name: Create manifest list and push
        working-directory: ${{ runner.temp }}/digests
        run: |
-          DIGESTS=$(printf '${{ needs.build.outputs.image }}@sha256:%s ' *)
-          docker buildx imagetools create -t ${{ needs.build.outputs.image }} ${DIGESTS}
+          DIGESTS=$(printf '${{ needs.prepare.outputs.image }}@sha256:%s ' *)
+          docker buildx imagetools create -t ${{ needs.prepare.outputs.image }} ${DIGESTS}

      - name: Inspect image
        id: image
        run: |
          # Inspect the image
-          docker buildx imagetools inspect ${{ needs.build.outputs.image }}
-          docker buildx imagetools inspect ${{ needs.build.outputs.image }} --format "{{json .Manifest}}" > manifest
+          docker buildx imagetools inspect ${{ needs.prepare.outputs.image }}
+          docker buildx imagetools inspect ${{ needs.prepare.outputs.image }} --format "{{json .Manifest}}" > manifest

          # Calculate and print the digests
          digest_root=$(jq -r .digest manifest)
@ -198,6 +192,7 @@ jobs:
  # the container registry.
  provenance:
    needs:
+      - prepare  # implied by merge, but required here to access image params
      - merge
    strategy:
      matrix:
@ -212,7 +207,7 @@ jobs:
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    with:
      digest: ${{ needs.merge.outputs[format('digest_{0}', matrix.manifest_type)] }}
-      image: ${{ needs.merge.outputs.image }}
+      image: ${{ needs.prepare.outputs.image }}
      registry-username: ${{ inputs.registry_user }}
    secrets:
      registry-password: ${{ secrets.registry_token }}
@ -221,6 +216,7 @@ jobs:
  check-reproducibility:
    if: ${{ inputs.reproduce }}
    needs:
+      - prepare  # implied by merge, but required here to access image params
      - merge
    runs-on: ${{ matrix.platform.runs-on }}
    strategy:
@ -242,7 +238,7 @@ jobs:
            --runtime \
            docker \
            --debian-archive-date \
-            ${{ needs.merge.outputs.debian_archive_date }} \
+            ${{ needs.prepare.outputs.debian_archive_date }} \
            --platform \
            linux/${{ matrix.platform.name }} \
            ${{ needs.merge.outputs[format('digest_{0}', matrix.platform.name)] }}
--- a/tests/test_docs_large
+++ b/tests/test_docs_large
@ -1 +1 @@
-Subproject commit 0faa21eb4e33ec1a3212468dcb6db3a668cf8fc8
+Subproject commit 9e95f7e1b7fbf904a76078715485e4fdba495676
Author	SHA1	Message	Date
Alex Pyrgiotis	dbaafa8422	Merge `abeab4b0fd` into `9ba95b5c20`	2025-03-17 16:04:01 +02:00
Alex Pyrgiotis	abeab4b0fd	fixup! FIXUP: Change digest with manifest_type Some checks failed Tests / Download and cache Tesseract data (push) Has been cancelled Details Release multi-arch container image / build-push-image (push) Has been cancelled Details Tests / windows (push) Has been cancelled Details Tests / macOS (arch64) (push) Has been cancelled Details Tests / build-deb (ubuntu 22.04) (push) Has been cancelled Details Tests / macOS (x86_64) (push) Has been cancelled Details Tests / build-deb (debian bookworm) (push) Has been cancelled Details Tests / build-deb (debian bullseye) (push) Has been cancelled Details Tests / build-deb (debian trixie) (push) Has been cancelled Details Tests / build-deb (ubuntu 20.04) (push) Has been cancelled Details Tests / build-deb (ubuntu 24.04) (push) Has been cancelled Details Tests / build-deb (ubuntu 24.10) (push) Has been cancelled Details Tests / install-deb (debian bookworm) (push) Has been cancelled Details Tests / install-deb (debian bullseye) (push) Has been cancelled Details Tests / install-deb (debian trixie) (push) Has been cancelled Details Tests / install-deb (ubuntu 20.04) (push) Has been cancelled Details Tests / install-deb (ubuntu 22.04) (push) Has been cancelled Details Tests / install-deb (ubuntu 24.04) (push) Has been cancelled Details Tests / install-deb (ubuntu 24.10) (push) Has been cancelled Details Tests / build-install-rpm (fedora 40) (push) Has been cancelled Details Tests / build-install-rpm (fedora 41) (push) Has been cancelled Details Tests / run tests (debian bookworm) (push) Has been cancelled Details Tests / run tests (debian bullseye) (push) Has been cancelled Details Tests / run tests (debian trixie) (push) Has been cancelled Details Tests / run tests (fedora 40) (push) Has been cancelled Details Tests / run tests (fedora 41) (push) Has been cancelled Details Tests / run tests (ubuntu 20.04) (push) Has been cancelled Details Tests / run tests (ubuntu 22.04) (push) Has been cancelled Details Tests / run tests (ubuntu 24.04) (push) Has been cancelled Details Tests / run tests (ubuntu 24.10) (push) Has been cancelled Details	2025-03-11 19:39:34 +02:00
Alex Pyrgiotis	f9dfbe9fe1	FIXUP: Make tests work after 'podman load -i' Some checks are pending Tests / run tests (ubuntu 20.04) (push) Blocked by required conditions Details Tests / run tests (ubuntu 22.04) (push) Blocked by required conditions Details Tests / run tests (ubuntu 24.04) (push) Blocked by required conditions Details Tests / run tests (ubuntu 24.10) (push) Blocked by required conditions Details Tests / run-lint (push) Waiting to run Details Tests / build-container-image (push) Waiting to run Details Tests / Download and cache Tesseract data (push) Waiting to run Details Tests / windows (push) Blocked by required conditions Details Tests / macOS (arch64) (push) Blocked by required conditions Details Tests / macOS (x86_64) (push) Blocked by required conditions Details Tests / build-deb (debian bookworm) (push) Blocked by required conditions Details Tests / build-deb (debian bullseye) (push) Blocked by required conditions Details Tests / build-deb (debian trixie) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 20.04) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 22.04) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 24.04) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 24.10) (push) Blocked by required conditions Details Tests / install-deb (debian bookworm) (push) Blocked by required conditions Details Tests / install-deb (debian bullseye) (push) Blocked by required conditions Details Tests / install-deb (debian trixie) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 20.04) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 22.04) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 24.04) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 24.10) (push) Blocked by required conditions Details Tests / build-install-rpm (fedora 40) (push) Blocked by required conditions Details Tests / build-install-rpm (fedora 41) (push) Blocked by required conditions Details Tests / run tests (debian bookworm) (push) Blocked by required conditions Details Tests / run tests (debian bullseye) (push) Blocked by required conditions Details Tests / run tests (debian trixie) (push) Blocked by required conditions Details Release multi-arch container image / build-push-image (push) Waiting to run Details	2025-03-11 17:40:37 +02:00
Alex Pyrgiotis	49d454693e	FIXUP: Rename XXX to NOTE	2025-03-11 17:33:05 +02:00
Alex Pyrgiotis	31b04b6556	FIXUP: Add comment for needs: prepare	2025-03-11 17:33:05 +02:00
Alex Pyrgiotis	0972542ae3	FIXUP: Remove extraneous comments	2025-03-11 17:33:05 +02:00
Alex Pyrgiotis	222169d7fe	FIXUP: Specify platform by full name	2025-03-11 17:33:05 +02:00
Alex Pyrgiotis	b2ab898843	FIXUP: Handle tarballs with ./ prefix	2025-03-11 17:33:05 +02:00
Alex Pyrgiotis	ee95e86508	FIXUP: Rename repro-build to repro-build.py	2025-03-11 17:33:05 +02:00
Alex Pyrgiotis	542fe93d1f	FIXUP: Rename compressed_container_path envvar	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	92267c723c	FIXUP: Use 'load -i'	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	b8ef87a7fc	FIXUP: Document removal of resolv.conf	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	79d9ae7ee2	FIXUP: Change digest with manifest_type	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	3c90ad9d0b	FIXUP: Move buildkit image alongw with other envvars	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	d9f23170cf	FIXUP: Remove command that checks github token	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	f33b3851d5	FIXUP: Make release image job reusable	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	553b0047c6	ci: Create a CI job that does the following 1. Create a multi-architecture container image for Dangerzone, instead of having two different tarballs (or no option at all) 2. Build the Dangerzone container image on our supported architectures (linux/amd64 and linux/arm64). It so happens that GitHub also offers ARM machine runners, which speeds up the build. 3. Combine the images from these two architectures into one, multi-arch image. 4. Generate provenance info for each manifest, and the root manifest list. 5. Check the image's reproduciblity. Also, remove an older CI action, that is now obsolete. Fixes #1035	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	18ec4758bb	Completely overhaul the `reproduce-image.py` script Make a major change to the `reproduce-image.py` script: drop `diffoci`, build the container image, and ensure it has the exact same hash as the source image. We can drop the `diffoci` script when comparing the two images, because we are now able build bit-for-bit reproducible images.	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	038e95b513	Fix a Podman regression regarding Buildkit images Loading an image built with Buildkit in Podman 3.4 messes up its name. The tag somehow becomes the name of the loaded image. We know that older Podman versions are not generally affected, since Podman v3.0.1 on Debian Bullseye works properly. Also, Podman v4.0 is not affected, so it makes sense to target only Podman v3.4 for a fix. The fix is simple, tag the image properly based on the expected tag from `share/image-id.txt` and delete the incorrect tag. Refs containers/podman/#16490	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	d3d04b22ec	Fix references to container.tar.gz Find all references to the `container.tar.gz` file, and replace them with references to `container.tar`. Moreover, remove the `--no-save` argument of `build-image.py` since we now always save the image. Finally, fix some stale references to Poetry, which are not necessary anymore.	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	0042e131f6	Build container image using `repro-build` Invoke the `repro-build` script when building a container image, instead of the underlying Docker/Podman commands. The `repro-build` script handles the underlying complexity to call Docker/Podman in a manner that makes the image reproducible. Moreover, mirror some arguments from the `repro-build` script, so that consumers of `build-image.py` can pass them to it. Important: the resulting image will be in .tar format, not .tar.gz, starting from this commit. This means that our tests will be broken for the next few commits. Fixes #1074	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	a2acbeff53	Vendor `repro-build` script Vendor the `repro-build` script in our codebase, which will be used to build our container image in a reproducible manner. We prefer to copy it verbatim for the time-being, since its interface is not stable enough, and the repro-build repo is not reviewed after all. In the future, we want to store this script in a separate place, and pull it when necessary. Refs #1085	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	be8005f72b	Remove sources of non-determinism from our image Make our container image more reproducible, by changing the following in our Dockerfile: 1. Touch `/etc/apt/sources.list` with a UTC timestamp. Else, builds on different countries (!?) may result to different Unix epochs for the same date, and therefore different modification time for the file. 2. Turn the third column of `/etc/shadow` (date of last password change) for the `dangerzone` user into a constant number. 3. Fix r-s file permissions in some copied files, due to inconsistent COPY behavior in containerized vs non-containerized Buildkit. This requires creating a full file hierarchy in a separate directory (see new_root/). 4. Set a specific modification time for the entrypoint script, because rewrite-timestamp=true does not overwrite it.	2025-03-11 17:33:04 +02:00
Alex Pyrgiotis	712b309dbf	Bump container image parameters Bump all the values in Dockerfile.env, since there are new releases out for all of them.	2025-03-11 17:33:03 +02:00