Reproducible build #167
base: main
Conversation
…ADME, flake.nix, and rust-toolchain.toml with detailed instructions and fixed versions
…ows target and updating README with detailed build instructions for multiple platforms
…ompilation support
- Added a description field to Cargo.toml for better project clarity.
- Updated reqwest dependency to disable default features and enable rustls-tls.
- Consolidated secp256k1 and tokio dependencies for cleaner formatting.
- Introduced release profile settings in Cargo.toml for deterministic builds.
- Refactored flake.nix to streamline cross-compilation setup for multiple target systems.
- Enhanced Windows cross-compilation support with proper linker and environment configurations.
- Improved development shell setup in flake.nix for easier access to build tools and dependencies.
…p instructions in README.md
…nhanced platform support
- Moved detailed reproducible builds instructions from contrib/reproducible/README.md to docs/reproducible-builds.md for better organization.
- Updated flake.nix to include additional target platforms: ARMv7, RISC-V, and PowerPC64, with appropriate configurations for cross-compilation.
- Added a new script, update-hashes.sh, to assist in updating git dependency hashes in flake.nix, improving the build process.
…tform support and remove PowerPC64 references
* Add reproducible builds verification workflow and update related scripts
* Enhance reproducibility verification workflow for Windows and macOS builds
* Update Nix installation action to version 31 in reproducible builds workflow
* Enhance reproducibility verification by adding platform matrix support and updating hash verification logic
* Refactor output messages in reproducibility scripts for consistency and clarity
* Update hash values for reproducible builds across platforms
* Update build hash verification by excluding non-build-affecting files from source
* Update hash values for aarch64, arm, riscv, and win64 platforms in reproducible builds documentation
* Refactor hash verification jobs for reproducible builds to separate Linux/Windows and macOS documentation checks
* Update hash values for x86_64 and arm64 platforms in reproducible builds documentation
* Update reproducible builds workflow to trigger on pull requests and ensure jobs only run for non-draft PRs
* Refactor reproducible builds documentation for clarity and conciseness
* Refactor reproducible builds workflow to simplify build steps
* Update available targets in flake.nix to remove unsupported macOS platforms for Linux builds
* Refactor reproducible builds workflow by removing Linux verification job and consolidating hash verification steps for Linux and macOS
| name: Verify Reproducible Windows Build (Native) | ||
| runs-on: windows-latest | ||
| if: github.event.pull_request.draft == false | ||
|
|
||
| steps: | ||
| - name: Collect Workflow Telemetry | ||
| uses: catchpoint/workflow-telemetry-action@v2 | ||
| with: | ||
| comment_on_pr: false | ||
|
|
||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Install Rust toolchain | ||
| uses: actions-rust-lang/setup-rust-toolchain@v1 | ||
| with: | ||
| toolchain: "1.89.0" | ||
| components: rustfmt, rust-src | ||
|
|
||
| - name: Build | ||
| shell: bash | ||
| env: | ||
| SOURCE_DATE_EPOCH: "1" | ||
| RUSTFLAGS: "-C debuginfo=0 -C opt-level=3 -C codegen-units=1 -C strip=none -C link-arg=/PDBALTPATH:clementine-cli.pdb -C link-arg=/Brepro" | ||
| run: | | ||
| echo "Building for Windows native (x86_64-pc-windows-msvc) with reproducible settings..." | ||
| cargo build --release | ||
| echo "Build complete" | ||
|
|
||
| - name: Calculate build hash | ||
| id: hash | ||
| shell: bash | ||
| run: | | ||
| HASH=$(sha256sum target/release/clementine-cli.exe | awk '{print $1}') | ||
| echo "hash=$HASH" >> $GITHUB_OUTPUT | ||
| echo "Build hash: $HASH" | ||
|
|
||
| - name: Upload binary artifact | ||
| if: success() | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: clementine-cli-windows-native | ||
| path: target/release/clementine-cli.exe | ||
| retention-days: 7 | ||
|
|
||
| verify-hash-documentation-linux: |
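Review bot: the "Calculate build hash" step in this Windows job computes sha256sum of target/release/clementine-cli.exe and exports it as the `hash` output, but no later step in the job compares that value against a documented hash or a second build, so the job named "Verify Reproducible Windows Build (Native)" records a hash without verifying anything; either compare it against the entry in docs/reproducible-builds.md the way the Nix jobs do, or rename the job so the summary does not report it as a verification. Separately, every third-party action in this job (catchpoint/workflow-telemetry-action@v2, actions/checkout@v4, actions-rust-lang/setup-rust-toolchain@v1, actions/upload-artifact@v4) is pinned to a mutable major tag; for a workflow whose whole purpose is a fixed build environment, pin them to full commit SHAs so the toolchain setup cannot change underneath the documented hashes.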
Check warning: Code scanning / CodeQL, "Workflow does not contain permissions" (Medium)
Copilot Autofix (AI, 4 days ago):
To fix this issue, we should add a permissions: block to the workflow to restrict the GITHUB_TOKEN to the minimum required privileges. In this workflow, read-only access to repository contents is sufficient for the listed actions and steps (checkout, build, hash calculation, and uploading artifacts). No steps indicate a need for write-access to issues or pull requests.
The minimal fix is to insert at the workflow root a block:
permissions:
  contents: read
This will apply the restriction to all jobs in the workflow unless overridden within a job. The block should be added after the name: and before the on: key to conform to GitHub Actions workflow conventions.
No imports or additional definitions are required.
Files/regions/lines to change:
- File: .github/workflows/reproducible-builds.yml
- Line to insert after: name: Reproducible Builds Verification (line 1).
| @@ -1,4 +1,6 @@ | ||
| name: Reproducible Builds Verification | ||
| permissions: | ||
| contents: read | ||
|
|
||
| # Platform coverage: | ||
| # - Linux: x86_64, ARM64 (aarch64), Windows cross-compile (via Nix) |
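Review bot: the root-level `permissions: contents: read` proposed in this hunk is the right scope for the workflow as shown: checkout needs only read access to contents, and the telemetry step already sets `comment_on_pr: false`, so no job needs pull-requests: write. The same autofix is raised once per job (three more times below) but it is one change at the workflow root; apply it once, directly under `name: Reproducible Builds Verification`, and all four alerts should clear.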
| name: Build & Verify Documented Hashes (Linux/Windows-Nix) | ||
| runs-on: ubuntu-latest | ||
| if: github.event.pull_request.draft == false | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| platform: | ||
| - x86_64-linux-gnu | ||
| - aarch64-linux-gnu | ||
| - arm-linux-gnueabihf | ||
| - riscv64-linux-gnu | ||
| - win64 | ||
|
|
||
| steps: | ||
| - name: Collect Workflow Telemetry | ||
| uses: catchpoint/workflow-telemetry-action@v2 | ||
| with: | ||
| comment_on_pr: false | ||
|
|
||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Install Nix | ||
| uses: cachix/install-nix-action@v31 | ||
| with: | ||
| extra_nix_config: | | ||
| experimental-features = nix-command flakes | ||
|
|
||
| - name: Setup Cachix (optional binary cache) | ||
| uses: cachix/cachix-action@v13 | ||
| with: | ||
| name: clementine-cli | ||
| skipPush: true | ||
| continue-on-error: true | ||
|
|
||
| - name: Build ${{ matrix.platform }} | ||
| run: | | ||
| echo "Building ${{ matrix.platform }} to verify documented hash..." | ||
| nix build .#${{ matrix.platform }} | ||
| echo "Build complete" | ||
|
|
||
| - name: Upload binary artifact | ||
| if: success() | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: clementine-cli-${{ matrix.platform }} | ||
| path: result/bin/* | ||
| retention-days: 7 | ||
|
|
||
| - name: Verify documented hash for ${{ matrix.platform }} | ||
| run: | | ||
| ACTUAL_HASH=$(nix hash path ./result) | ||
|
|
||
| # Extract documented hash from reproducible-builds.md | ||
| # Platform names are in bold (**platform**) in the markdown table | ||
| # Table format: | **platform** | `hash` | | ||
| DOCUMENTED_HASH=$(grep "\*\*${{ matrix.platform }}\*\*" docs/reproducible-builds.md | sed 's/.*`\(sha256-[^`]*\)`.*/\1/') | ||
|
|
||
| echo "Platform: ${{ matrix.platform }}" | ||
| echo "Documented hash: $DOCUMENTED_HASH" | ||
| echo "Actual hash: $ACTUAL_HASH" | ||
| echo "" | ||
|
|
||
| if [ -z "$DOCUMENTED_HASH" ]; then | ||
| echo "ERROR: No documented hash found for ${{ matrix.platform }}" | ||
| echo "Please add the hash to docs/reproducible-builds.md Expected Hashes table:" | ||
| echo " $ACTUAL_HASH" | ||
| exit 1 | ||
| elif [ "$DOCUMENTED_HASH" != "$ACTUAL_HASH" ]; then | ||
| echo "ERROR: Documented hash does not match actual build hash!" | ||
| echo "The hash in docs/reproducible-builds.md is outdated." | ||
| echo "" | ||
| echo "Please update docs/reproducible-builds.md with the new hash:" | ||
| echo " Platform: ${{ matrix.platform }}" | ||
| echo " Old hash: $DOCUMENTED_HASH" | ||
| echo " New hash: $ACTUAL_HASH" | ||
| exit 1 | ||
| else | ||
| echo "OK: Documented hash matches actual build for ${{ matrix.platform }}" | ||
| fi | ||
|
|
||
| verify-hash-documentation-macos: |
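Review bot: the DOCUMENTED_HASH extraction in the verify step has a silent failure mode: if grep finds the bold platform row but the hash cell does not contain a backticked `sha256-...` value (for example a placeholder), sed prints the whole table row unchanged, DOCUMENTED_HASH is non-empty, and the job reports "Documented hash does not match" instead of "No documented hash found"; extract with something like `grep -o 'sha256-[^`]*'` or validate the extracted value against `^sha256-` before comparing. Second, with the clementine-cli Cachix cache configured as a substituter, `nix build .#${{ matrix.platform }}` may fetch the output from the cache rather than building it, in which case the step compares the documented hash against a previously cached artifact, not a fresh build from this commit; if the intent is to prove the source still reproduces the hash, build with `--rebuild` or with substitution disabled. Finally, `${{ matrix.platform }}` is interpolated straight into the shell script; the matrix is a static list here, so it is safe today, but passing it through `env:` keeps the pattern injection-proof if the matrix ever becomes dynamic.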
Check warning: Code scanning / CodeQL, "Workflow does not contain permissions" (Medium)
Copilot Autofix (AI, 4 days ago):
The best way to fix this problem is to add a root-level permissions: block to the workflow file. This sets the minimal required GITHUB_TOKEN permission for all jobs in the workflow, unless overridden per job. Since this workflow does not modify repository contents or issues, the minimal recommended setting is contents: read. This should be inserted just after the workflow name: (on line 2), before the on: settings, following GitHub Actions best practices. No new imports or functionality changes are required; the only edit is to add the permissions block.
| @@ -1,4 +1,6 @@ | ||
| name: Reproducible Builds Verification | ||
| permissions: | ||
| contents: read | ||
|
|
||
| # Platform coverage: | ||
| # - Linux: x86_64, ARM64 (aarch64), Windows cross-compile (via Nix) |
| name: Build & Verify Documented Hashes (macOS) | ||
| runs-on: macos-latest | ||
| if: github.event.pull_request.draft == false | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| platform: | ||
| - x86_64-apple-darwin | ||
| - arm64-apple-darwin | ||
|
|
||
| steps: | ||
| - name: Collect Workflow Telemetry | ||
| uses: catchpoint/workflow-telemetry-action@v2 | ||
| with: | ||
| comment_on_pr: false | ||
|
|
||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Install Nix | ||
| uses: cachix/install-nix-action@v31 | ||
| with: | ||
| extra_nix_config: | | ||
| experimental-features = nix-command flakes | ||
|
|
||
| - name: Setup Cachix (optional binary cache) | ||
| uses: cachix/cachix-action@v13 | ||
| with: | ||
| name: clementine-cli | ||
| skipPush: true | ||
| continue-on-error: true | ||
|
|
||
| - name: Build ${{ matrix.platform }} | ||
| run: | | ||
| echo "Building ${{ matrix.platform }} to verify documented hash..." | ||
| nix build .#${{ matrix.platform }} | ||
| echo "Build complete" | ||
|
|
||
| - name: Upload binary artifact | ||
| if: success() | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: clementine-cli-${{ matrix.platform }} | ||
| path: result/bin/* | ||
| retention-days: 7 | ||
|
|
||
| - name: Verify documented hash for ${{ matrix.platform }} | ||
| run: | | ||
| ACTUAL_HASH=$(nix hash path ./result) | ||
|
|
||
| # Extract documented hash from reproducible-builds.md | ||
| # Platform names are in bold (**platform**) in the markdown table | ||
| # Table format: | **platform** | `hash` | | ||
| DOCUMENTED_HASH=$(grep "\*\*${{ matrix.platform }}\*\*" docs/reproducible-builds.md | sed 's/.*`\(sha256-[^`]*\)`.*/\1/') | ||
|
|
||
| echo "Platform: ${{ matrix.platform }}" | ||
| echo "Documented hash: $DOCUMENTED_HASH" | ||
| echo "Actual hash: $ACTUAL_HASH" | ||
| echo "" | ||
|
|
||
| if [ -z "$DOCUMENTED_HASH" ]; then | ||
| echo "ERROR: No documented hash found for ${{ matrix.platform }}" | ||
| echo "Please add the hash to docs/reproducible-builds.md Expected Hashes table:" | ||
| echo " $ACTUAL_HASH" | ||
| exit 1 | ||
| elif [ "$DOCUMENTED_HASH" != "$ACTUAL_HASH" ]; then | ||
| echo "ERROR: Documented hash does not match actual build hash!" | ||
| echo "The hash in docs/reproducible-builds.md is outdated." | ||
| echo "" | ||
| echo "Please update docs/reproducible-builds.md with the new hash:" | ||
| echo " Platform: ${{ matrix.platform }}" | ||
| echo " Old hash: $DOCUMENTED_HASH" | ||
| echo " New hash: $ACTUAL_HASH" | ||
| exit 1 | ||
| else | ||
| echo "OK: Documented hash matches actual build for ${{ matrix.platform }}" | ||
| fi | ||
|
|
||
| build-summary: |
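Review bot: this macOS job is line-for-line the Linux/Windows-Nix job above except for `runs-on` and the two-entry platform matrix, including the entire verify script; fold both into a single job whose matrix uses `include:` entries pairing a runner with a platform, or move the hash-extraction-and-compare script into a file in the repository (the PR already ships reproducibility scripts) so a fix to the grep/sed logic or the error messages only has to be made once.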
Check warning: Code scanning / CodeQL, "Workflow does not contain permissions" (Medium)
Copilot Autofix (AI, 4 days ago):
To resolve this issue, add an explicit permissions key at the root level of the workflow file .github/workflows/reproducible-builds.yml, immediately below the name field and above the on: trigger. This permissions block should grant only the minimum necessary access to the GITHUB_TOKEN. For the provided workflow, none of the jobs require write access to contents, but uploading artifacts is permitted with minimal read permissions.
The ideal fix is to add:
permissions:
  contents: read
directly after the name: ... line as a minimal starting point. If the jobs later require additional scopes (e.g., pull-requests: write), those can be added, but for now, restricting to read access on repository contents satisfies the least-privilege principle and the CodeQL guidance.
No other code, methods, or imports need to be added to implement this change.
| @@ -1,4 +1,6 @@ | ||
| name: Reproducible Builds Verification | ||
| permissions: | ||
| contents: read | ||
|
|
||
| # Platform coverage: | ||
| # - Linux: x86_64, ARM64 (aarch64), Windows cross-compile (via Nix) |
| name: Build Summary | ||
| runs-on: ubuntu-latest | ||
| needs: [verify-reproducibility-windows, verify-hash-documentation-linux, verify-hash-documentation-macos] | ||
| if: always() | ||
|
|
||
| steps: | ||
| - name: Check results | ||
| run: | | ||
| WINDOWS_RESULT="${{ needs.verify-reproducibility-windows.result }}" | ||
| DOCS_LINUX_RESULT="${{ needs.verify-hash-documentation-linux.result }}" | ||
| DOCS_MACOS_RESULT="${{ needs.verify-hash-documentation-macos.result }}" | ||
|
|
||
| echo "Build Results Summary:" | ||
| echo " Windows (native): $WINDOWS_RESULT" | ||
| echo " Nix Builds & Docs (Linux/Win): $DOCS_LINUX_RESULT" | ||
| echo " Nix Builds & Docs (macOS): $DOCS_MACOS_RESULT" | ||
| echo "" | ||
|
|
||
| # All jobs must succeed | ||
| if [ "$WINDOWS_RESULT" = "success" ] && [ "$DOCS_LINUX_RESULT" = "success" ] && [ "$DOCS_MACOS_RESULT" = "success" ]; then | ||
| echo "OK: All verifications passed!" | ||
| echo "" | ||
| echo "Reproducible builds completed and verified:" | ||
| echo " - Windows (x86_64-pc-windows-msvc) native via cargo" | ||
| echo " - All Nix platforms (Linux, Windows-cross, macOS)" | ||
| echo "" | ||
| echo "Documentation verified:" | ||
| echo " - All platform hashes match docs/reproducible-builds.md" | ||
| exit 0 | ||
| else | ||
| echo "ERROR: Verification failed on one or more checks" | ||
| echo "" | ||
| if [ "$DOCS_LINUX_RESULT" != "success" ] || [ "$DOCS_MACOS_RESULT" != "success" ]; then | ||
| echo " Documentation hash mismatch detected!" | ||
| echo " This means the code/dependencies changed and docs need updating." | ||
| echo " Please update docs/reproducible-builds.md with new hashes." | ||
| echo "" | ||
| fi | ||
| echo "Check the individual job logs for details" | ||
| exit 1 | ||
| fi No newline at end of file |
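Review bot: the summary job fails on every draft PR. The three upstream jobs are guarded with `if: github.event.pull_request.draft == false`, while build-summary runs with `if: always()` and only passes when all three `needs.*.result` values equal "success"; on a draft PR those results are "skipped", so the summary reports "Verification failed on one or more checks" for a PR that ran nothing. Either add the same draft guard to build-summary or treat "skipped" as acceptable. Also, the "Documentation hash mismatch detected!" branch fires whenever either docs job is not "success", which includes a failed Nix build or a cancelled run, so the message over-claims; keep it to a generic pointer at the job logs unless the result can actually be tied to a hash mismatch. The file is also missing its trailing newline.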
Check warning: Code scanning / CodeQL, "Workflow does not contain permissions" (Medium)
Copilot Autofix (AI, 4 days ago):
To fix the problem, we need to explicitly set the permissions key in the workflow file. The permissions can be set globally (at the workflow level), or individually per job. In this case, since the error is flagged for the build-summary job, and none of the jobs have the permissions key, it is best to add a permissions block at the workflow root level just after the workflow name, before the on key. This will set minimal permissions (usually contents: read) for all jobs in the workflow. If specific jobs require more permissions, they can add a permissions block with broader scopes, but from the provided jobs, this does not seem necessary.
Required changes:
- Add at the root of the workflow (near the top, after name:) the block:
permissions:
  contents: read
This restricts the access of the GITHUB_TOKEN to read-only for repository contents for all jobs.
No methods, imports, or definitions are necessary for this YAML change.
| @@ -1,4 +1,6 @@ | ||
| name: Reproducible Builds Verification | ||
| permissions: | ||
| contents: read | ||
|
|
||
| # Platform coverage: | ||
| # - Linux: x86_64, ARM64 (aarch64), Windows cross-compile (via Nix) |
No description provided.