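# Reproducible build of the tutorial image: builds with a fixed
# SOURCE_DATE_EPOCH, hashes the resulting OCI archive, compares that hash
# against the manifest committed next to the tutorial, and publishes the
# image to GHCR on non-pull-request events.
name: Reproducible Build

on:
  push:
    paths:
      - 'tutorial/01a-reproducible-builds/**'
  pull_request:
    paths:
      - 'tutorial/01a-reproducible-builds/**'
  workflow_dispatch:

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}/tutorial-01a-oracle

jobs:
  build:
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: read the checkout, write packages
    # (the GHCR push). Pull requests from forks get a read-only token anyway,
    # and the login/push steps below are additionally gated on event type.
    permissions:
      contents: read
      packages: write
    defaults:
      run:
        working-directory: tutorial/01a-reproducible-builds
        # An explicit `bash` shell runs scripts with `-e -o pipefail`, so a
        # failing sha256sum/skopeo on the left of a `| awk` / `| jq` pipeline
        # fails the step instead of silently yielding an empty hash or digest
        # that the manifest check would then compare against.
        shell: bash
    steps:
      # NOTE(review): actions are pinned to floating major tags. Pinning each
      # `uses:` to a full commit SHA (`owner/action@<commit-sha> # vN`) keeps
      # the build pipeline itself reproducible against upstream tag moves.
      # The SHAs are not recorded in this file, so the tags are kept as-is.
      - uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Install skopeo
        run: sudo apt-get update && sudo apt-get install -y skopeo

      - name: Build reproducible image
        # SOURCE_DATE_EPOCH=0 together with rewrite-timestamp=true normalises
        # layer timestamps; --no-cache keeps a stale build cache from masking a
        # non-reproducible step. The OCI archive is written as a single file so
        # it can be hashed directly.
        run: |
          docker buildx create --name repro-builder --driver docker-container || true
          docker buildx build \
            --builder repro-builder \
            --build-arg SOURCE_DATE_EPOCH=0 \
            --no-cache \
            --output type=oci,dest=image.tar,rewrite-timestamp=true \
            .

      - name: Compute and display hash
        id: hash
        # Exposes the archive's sha256 and the OCI manifest digest as step
        # outputs (consumed by the verification step) and renders both in the
        # run summary next to the local-reproduction commands.
        run: |
          HASH=$(sha256sum image.tar | awk '{print $1}')
          DIGEST=$(skopeo inspect oci-archive:image.tar | jq -r .Digest)
          echo "image_hash=$HASH" >> "$GITHUB_OUTPUT"
          echo "image_digest=$DIGEST" >> "$GITHUB_OUTPUT"
          echo "## Reproducible Build Results" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "| Property | Value |" >> "$GITHUB_STEP_SUMMARY"
          echo "|----------|-------|" >> "$GITHUB_STEP_SUMMARY"
          echo "| **Image Hash** | \`$HASH\` |" >> "$GITHUB_STEP_SUMMARY"
          echo "| **Image Digest** | \`$DIGEST\` |" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "Compare with your local build:" >> "$GITHUB_STEP_SUMMARY"
          echo "\`\`\`bash" >> "$GITHUB_STEP_SUMMARY"
          echo "cd tutorial/01a-reproducible-builds && ./build-reproducible.sh" >> "$GITHUB_STEP_SUMMARY"
          echo "cat build-manifest.json" >> "$GITHUB_STEP_SUMMARY"
          echo "\`\`\`" >> "$GITHUB_STEP_SUMMARY"

      - name: Verify against committed manifest
        # The previous step's output is passed through the environment rather
        # than `${{ }}`-interpolated into the script body, so the shell never
        # parses it as code (GitHub's expression-injection hardening).
        env:
          ACTUAL: ${{ steps.hash.outputs.image_hash }}
        run: |
          if [[ -f build-manifest.json ]]; then
            EXPECTED=$(jq -r .image_hash build-manifest.json)
            echo "Expected: $EXPECTED"
            echo "Actual: $ACTUAL"
            if [[ "$EXPECTED" == "$ACTUAL" ]]; then
              echo "✓ Build matches committed manifest"
            else
              echo "✗ Build differs from committed manifest"
              exit 1
            fi
          else
            echo "No build-manifest.json found - skipping verification"
          fi

      - name: Upload OCI image
        uses: actions/upload-artifact@v4
        with:
          name: reproducible-image
          # upload-artifact does not honour defaults.run.working-directory,
          # hence the repository-relative path.
          path: tutorial/01a-reproducible-builds/image.tar
          retention-days: 7

      - name: Login to GHCR
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Push to GHCR
        if: github.event_name != 'pull_request'
        # Registry, image name, commit SHA and ref come from the runner
        # environment (REGISTRY/IMAGE_NAME from the workflow `env`, GITHUB_SHA
        # and GITHUB_REF from the runner) instead of `${{ }}` expressions
        # inside the script. The `:latest` tag is only moved on main.
        run: |
          IMAGE_TAG="${REGISTRY}/${IMAGE_NAME}:${GITHUB_SHA}"
          skopeo copy oci-archive:image.tar "docker://$IMAGE_TAG"
          echo "Pushed: $IMAGE_TAG" >> "$GITHUB_STEP_SUMMARY"
          if [[ "$GITHUB_REF" == "refs/heads/main" ]]; then
            LATEST_TAG="${REGISTRY}/${IMAGE_NAME}:latest"
            skopeo copy oci-archive:image.tar "docker://$LATEST_TAG"
            echo "Pushed: $LATEST_TAG" >> "$GITHUB_STEP_SUMMARY"
          fi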