ci-reproducibility #80
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# NOTE: This name appears in GitHub's Checks API and in workflow's status badge. | |
name: ci-reproducibility | |
# Trigger the workflow when: | |
on: | |
push: | |
branches: | |
- ci | |
- dev | |
- main | |
pull_request: | |
branches: [ main ] | |
workflow_dispatch: | |
# Besides pushes on the branches above, also check every day at 00:00 UTC. | |
schedule: | |
- cron: "0 14 * * 4" | |
jobs: | |
check-reproducible-build: | |
# NOTE: This name appears in GitHub's Checks API. | |
name: check-reproducibility | |
runs-on: ubuntu-latest | |
env: | |
sgx_detect: "86e4c58a469373807b433cfa8fb03f5ea24996bcae243656779bed2f4661b52f" | |
sgxs_append: "a7b10a8f4d599210d9f284243f834816afa32b954eea23c3aa5d8e4920ef495a" | |
sgxs_build: "2d82dc195a933b12063f904bb8cb98d735df1566b9da8691b879e3d6d7f3f060" | |
sgxs_info: "3d95559ae4225a22eda8d8c5852b3356f8cfd5ed83dcb3fb34d88cb79147a4fd" | |
sgxs_load: "c6f434eb2dfb9090bd02fea46986ffa2a76470b5b197d5ddd573e5b61b4b2429" | |
sgxs_sign: "733d48f2c480562798107d5b6cfd09e5a8092616116ecdf0a3ee776f9835d9d3" | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
- name: Install Nix | |
uses: cachix/install-nix-action@v21 | |
with: | |
nix_path: nixpkgs=channel:23.05 | |
- name: Install cachix | |
uses: cachix/cachix-action@v12 | |
with: | |
name: initc3 | |
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' | |
- run: nix --version | |
- run: nix build | |
- run: nix build --rebuild | |
- run: nix flake check | |
- run: nix flake metadata | |
- run: nix flake show | |
- run: ls -l result | |
# TODO: Implement action to check the hash | |
- run: sha256sum result/bin/* | |
- name: Shasum check sgxs-detect | |
run: | | |
echo "$sgx_detect *result/bin/sgx-detect" | \ | |
shasum --algorithm 512256 --binary --strict --check | |
- name: Shasum check sgxs-append | |
run: | | |
echo "$sgxs_append *result/bin/sgxs-append" | \ | |
shasum --algorithm 512256 --binary --strict --check | |
- name: Shasum check sgxs-build | |
run: | | |
echo "$sgxs_build *result/bin/sgxs-build" | \ | |
shasum --algorithm 512256 --binary --strict --check | |
- name: Shasum check sgxs-info | |
run: | | |
echo "$sgxs_info *result/bin/sgxs-info" | \ | |
shasum --algorithm 512256 --binary --strict --check | |
- name: Shasum check sgxs-load | |
run: | | |
echo "$sgxs_load *result/bin/sgxs-load" | \ | |
shasum --algorithm 512256 --binary --strict --check | |
- name: Shasum check sgxs-sign | |
run: | | |
echo "$sgxs_sign *result/bin/sgxs-sign" | \ | |
shasum --algorithm 512256 --binary --strict --check |