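# This workflow handles Nix-based reproducible builds for opensecret
# It requires a custom ARM64 runner for AWS Nitro Enclave compatibility
name: "Nix Reproducible Builds"

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
  workflow_dispatch:

# Least-privilege GITHUB_TOKEN: the jobs below only check out the repository
# and publish artifacts, so read access to contents is all they need. Without
# this block the token inherits the repository's default (possibly write) scope.
permissions:
  contents: read

jobs:
  dev:
    name: "Development Reproducible Build"
    # Run on all PRs and master pushes
    if: github.event_name == 'workflow_dispatch' || github.event_name == 'pull_request' || github.event_name == 'push'
    # Custom runner required: ARM64 architecture needed for AWS Nitro Enclaves
    # 4 cores needed for efficient builds and PCR verification
    runs-on: ubuntu-22.04-arm64-4core
    steps:
      - name: Check out repository
        uses: actions/checkout@v4
        with:
          submodules: recursive
          fetch-depth: 0

      # Setup Nix with caching for faster builds
      # NOTE(review): the third-party actions below are pinned by mutable tag.
      # Pinning each to a full-length commit SHA would make the build toolchain
      # itself reproducible and protect against a moved or compromised tag.
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v16
      - name: Enable Magic Nix Cache
        uses: DeterminateSystems/magic-nix-cache-action@v8
      - name: Check flake.lock health
        uses: DeterminateSystems/flake-checker-action@v9
        with:
          flake-lock-path: flake.lock

      # Build development EIF directly using Nix package
      - name: Build dev EIF
        id: build-dev
        run: |
          set -euo pipefail
          nix build .?submodules=1#eif-dev
          echo "Build completed successfully"

      # Verify PCR values match the reference.
      # pcrDev.json is the checked-in reference measurement; result/pcr.json is
      # produced by the build above. Any difference fails the job.
      - name: Verify dev PCR
        id: verify-dev
        run: |
          set -euo pipefail
          if [ ! -f "./pcrDev.json" ]; then
            echo "❌ No pcrDev.json found. This file must be checked into version control."
            exit 1
          fi
          if diff -q "./pcrDev.json" result/pcr.json > /dev/null; then
            echo "✅ Dev PCR values match!"
          else
            echo "❌ Dev PCR values do not match!"
            echo "Expected (./pcrDev.json):"
            cat "./pcrDev.json"
            echo "Got (result/pcr.json):"
            cat result/pcr.json
            exit 1
          fi

      # Store artifacts for 7 days.
      # always() uploads result/ even when verification failed, so the
      # mismatching pcr.json can be inspected afterwards.
      - name: Upload dev artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: dev-artifacts
          path: result/
          retention-days: 7

  prod:
    name: "Production Reproducible Build"
    # Only run on master pushes or manual triggers for production safety
    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref == 'refs/heads/master')
    # Same custom runner requirements as dev build
    runs-on: ubuntu-22.04-arm64-4core
    steps:
      - name: Check out repository
        uses: actions/checkout@v4
        with:
          submodules: recursive
          fetch-depth: 0

      # Setup Nix with caching for faster builds
      # NOTE(review): same tag-pinning consideration as in the dev job.
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v16
      - name: Enable Magic Nix Cache
        uses: DeterminateSystems/magic-nix-cache-action@v8
      - name: Check flake.lock health
        uses: DeterminateSystems/flake-checker-action@v9
        with:
          flake-lock-path: flake.lock

      # Build production EIF directly using Nix package
      - name: Build prod EIF
        id: build-prod
        run: |
          set -euo pipefail
          nix build .?submodules=1#eif-prod
          echo "Build completed successfully"

      # Verify PCR values match the reference.
      # pcrProd.json is the checked-in reference measurement; result/pcr.json is
      # produced by the build above. Any difference fails the job.
      - name: Verify prod PCR
        id: verify-prod
        run: |
          set -euo pipefail
          if [ ! -f "./pcrProd.json" ]; then
            echo "❌ No pcrProd.json found. This file must be checked into version control."
            exit 1
          fi
          if diff -q "./pcrProd.json" result/pcr.json > /dev/null; then
            echo "✅ Production PCR values match!"
          else
            echo "❌ Production PCR values do not match!"
            echo "Expected (./pcrProd.json):"
            cat "./pcrProd.json"
            echo "Got (result/pcr.json):"
            cat result/pcr.json
            exit 1
          fi

      # Store production artifacts for 30 days.
      # always() uploads result/ even when verification failed, so the
      # mismatching pcr.json can be inspected afterwards.
      - name: Upload prod artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: prod-artifacts
          path: result/
          retention-days: 30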