Compare with Garnix artifact #2585
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Compare with Garnix artifact | |
| on: | |
| check_run: | |
| types: [completed] | |
| jobs: | |
| verifyReproducible: | |
| name: Compare with Garnix artifact | |
| if: >- | |
| github.event.check_run.app.name == 'Garnix CI' | |
| && contains(github.event.check_run.name, 'package default') | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: lewagon/wait-on-check-action@ccfb013c15c8afb7bf2b7c028fb74dc5a068cccc # v1.3.4 | |
| with: | |
| ref: ${{github.event.check_run.head_sha}} | |
| check-name: 'Build' | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Sleep | |
| run: sleep 15s | |
| shell: bash | |
| - name: Fetch Sources | |
| uses: actions/checkout@v4 | |
| - uses: dawidd6/action-download-artifact@v7 | |
| with: | |
| workflow: build.yml | |
| commit: ${{github.event.check_run.head_sha}} | |
| name: ".+[Ss]urveyor-\\d.+" | |
| name_is_regexp: true | |
| path: gha-artifact | |
| - uses: cachix/install-nix-action@v30 | |
| with: | |
| extra_nix_config: | | |
| extra-substituters = https://cache.garnix.io | |
| extra-trusted-public-keys = cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= | |
| - run: | | |
| set -o errexit -o nounset -o pipefail -o xtrace | |
| if cat <<- 'EOF' | grep --perl-regexp --only-matching '\/nix\/store\/\K\S+(?=-gradleBuild)' | tail --lines=1 | curl "https://cache.garnix.io/$(cat).narinfo" | tee _narinfo; then | |
| ${{ github.event.check_run.output.text }} | |
| EOF | |
| curl --output _artifact.nar "https://cache.garnix.io/$(grep --perl-regexp --only-matching 'URL:\s*\K\S+' <_narinfo)" | |
| nix-store --restore ./artifact <_artifact.nar && rm _* | |
| if [[ -f ./artifact ]]; then | |
| # Received a .drv file instead of an out artifact directory | |
| grep --perl-regexp --only-matching '\/nix\/store\/\K\S+(?=-gradleBuild)' <./artifact | tail --lines=1 | curl "https://cache.garnix.io/$(cat).narinfo" | tee _narinfo | |
| curl --verbose --output _artifact.nar "https://cache.garnix.io/$(grep --perl-regexp --only-matching 'URL:\s*\K\S+' <_narinfo)" | |
| rm ./artifact | |
| nix-store --restore ./artifact <_artifact.nar && rm _* | |
| fi | |
| else | |
| # Failed to get a valid NAR URL, so trying the long way for getting an artifact | |
| nix build --max-jobs 0 --print-build-logs .#default | |
| # upload-artifact doesn't accept links | |
| cp --dereference --recursive ./result ./artifact | |
| fi | |
| ls --almost-all --format=long --recursive . | |
| [[ -d ./artifact ]] | |
| - name: Compute sha256sum for the artifact from Garnix | |
| run: | | |
| echo 'sha256sum of the artifact built in Garnix:' | |
| find artifact/* -type f -exec sha256sum -b {} + | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: artifact-from-garnix | |
| path: ./artifact/* | |
| - name: Verify same (i.e. reproducible) | |
| run: | | |
| cmp -b gha-artifact/*/*.zip artifact/*.zip | |
| pushd ci/generated/project/ | |
| for f in *.kt; do \ | |
| cmp -b "$f" "$GITHUB_WORKSPACE/artifact/$f"; | |
| done; | |
| popd |