Skip to content
Nix Reproducible Builds

Multi-tenant migration and APIs #19

Sign in to view logs

Multi-tenant migration and APIs

Multi-tenant migration and APIs #19

Workflow file for this run

.github/workflows/build.yml at b1a7b4e
# This workflow handles Nix-based reproducible builds for opensecret
# It requires a custom ARM64 runner for AWS Nitro Enclave compatibility
name: "Nix Reproducible Builds"
on:
push:
branches:
- master
pull_request:
branches:
- master
workflow_dispatch:
jobs:
dev:
name: "Development Reproducible Build"
# Run on all PRs and master pushes
if: github.event_name == 'workflow_dispatch' || github.event_name == 'pull_request' || github.event_name == 'push'
# Custom runner required: ARM64 architecture needed for AWS Nitro Enclaves
# 4 cores needed for efficient builds and PCR verification
runs-on: ubuntu-22.04-arm64-4core
steps:
- name: Check out repository
uses: actions/checkout@v4
with:
submodules: recursive
fetch-depth: 0
# Setup Nix with caching for faster builds
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@v16
- name: Enable Magic Nix Cache
uses: DeterminateSystems/magic-nix-cache-action@v8
- name: Check flake.lock health
uses: DeterminateSystems/flake-checker-action@v9
with:
flake-lock-path: flake.lock
# Build development EIF directly using Nix package
- name: Build dev EIF
id: build-dev
run: |
set -euo pipefail
nix build .?submodules=1#eif-dev
echo "Build completed successfully"
# Verify PCR values match the reference
- name: Verify dev PCR
id: verify-dev
run: |
set -euo pipefail
if [ ! -f "./pcrDev.json" ]; then
echo "❌ No pcrDev.json found. This file must be checked into version control."
exit 1
fi
if diff -q "./pcrDev.json" result/pcr.json > /dev/null; then
echo "✅ Dev PCR values match!"
else
echo "❌ Dev PCR values do not match!"
echo "Expected (./pcrDev.json):"
cat "./pcrDev.json"
echo "Got (result/pcr.json):"
cat result/pcr.json
exit 1
fi
# Store artifacts for 7 days
- name: Upload dev artifacts
if: always()
uses: actions/upload-artifact@v4
with:
name: dev-artifacts
path: result/
retention-days: 7
prod:
name: "Production Reproducible Build"
# Only run on master pushes or manual triggers for production safety
if: github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref == 'refs/heads/master')
# Same custom runner requirements as dev build
runs-on: ubuntu-22.04-arm64-4core
steps:
- name: Check out repository
uses: actions/checkout@v4
with:
submodules: recursive
fetch-depth: 0
# Setup Nix with caching for faster builds
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@v16
- name: Enable Magic Nix Cache
uses: DeterminateSystems/magic-nix-cache-action@v8
- name: Check flake.lock health
uses: DeterminateSystems/flake-checker-action@v9
with:
flake-lock-path: flake.lock
# Build production EIF directly using Nix package
- name: Build prod EIF
id: build-prod
run: |
set -euo pipefail
nix build .?submodules=1#eif-prod
echo "Build completed successfully"
# Verify PCR values match the reference
- name: Verify prod PCR
id: verify-prod
run: |
set -euo pipefail
if [ ! -f "./pcrProd.json" ]; then
echo "❌ No pcrProd.json found. This file must be checked into version control."
exit 1
fi
if diff -q "./pcrProd.json" result/pcr.json > /dev/null; then
echo "✅ Production PCR values match!"
else
echo "❌ Production PCR values do not match!"
echo "Expected (./pcrProd.json):"
cat "./pcrProd.json"
echo "Got (result/pcr.json):"
cat result/pcr.json
exit 1
fi
# Store production artifacts for 30 days
- name: Upload prod artifacts
if: always()
uses: actions/upload-artifact@v4
with:
name: prod-artifacts
path: result/
retention-days: 30