@@ -19,142 +19,169 @@ jobs:
1919 steps :
2020 - uses : actions/checkout@v4
2121
22- - uses : dtolnay/rust-toolchain@stable
22+ - name : Set up Docker Buildx
23+ uses : docker/setup-buildx-action@v3
2324 with :
24- target : x86_64-unknown-linux-gnu
25+ driver : docker # Use docker driver instead of docker-container for reproducibility
2526
26- - name : Install build dependencies
27+ - name : Build first reproducible Docker image
2728 run : |
28- sudo apt-get update
29- sudo apt-get install -y libclang-dev cmake
29+ echo "=== Building first Docker image (x86_64) ==="
30+ docker build -f Dockerfile.reproducible \
31+ --build-arg RUST_TARGET="x86_64-unknown-linux-gnu" \
32+ --build-arg RUST_IMAGE="rust:1.86-bullseye@sha256:1110399f568f1dbe838e58f15b4162d899cb95f450f5f0ffa739614f3a4c32f1" \
33+ -t build-lighthouse-1 .
34+
35+ echo "=== Extracting binary from first build ==="
36+ docker create --name extract-lighthouse-1 build-lighthouse-1
37+ docker cp extract-lighthouse-1:/lighthouse ./lighthouse-build-1
38+ docker rm extract-lighthouse-1
39+
40+ echo "=== First build info ==="
41+ ls -la lighthouse-build-1
42+ sha256sum lighthouse-build-1
43+ file lighthouse-build-1
44+
45+ - name : Clean Docker state completely
46+ run : |
47+ echo "=== Cleaning Docker state ==="
48+ # Remove the first image
49+ docker rmi build-lighthouse-1 || true
3050
31- - name : Install cargo-cache
32- run : cargo install cargo-cache
51+ # Remove all build cache (important for reproducibility testing)
52+ docker buildx prune -f || true
53+ docker system prune -f || true
3354
34- - uses : Swatinem/rust-cache@v2
35- with :
36- cache-on-failure : true
37- key : reproducible-build-x86_64
55+ # Clear any remaining containers
56+ docker container prune -f || true
3857
39- - name : Build Lighthouse (first build)
40- run : |
41- make build-reproducible \
42- RUST_TARGET=x86_64-unknown-linux-gnu
43- cp target/x86_64-unknown-linux-gnu/release/lighthouse \
44- lighthouse-build-1
45- sha256sum lighthouse-build-1 > lighthouse-build-1.sha256
58+ echo "=== Docker state cleaned ==="
59+ docker images
60+ docker ps -a
4661
47- - name : Clean build artifacts and cache
62+ - name : Build second reproducible Docker image
4863 run : |
49- make clean
50- cargo cache -a
51- rm -rf target/
52-
53- - name : Build Lighthouse (second build)
64+ echo "=== Building second Docker image (x86_64) ==="
65+ docker build -f Dockerfile.reproducible \
66+ --build-arg RUST_TARGET="x86_64-unknown-linux-gnu" \
67+ --build-arg RUST_IMAGE="rust:1.86-bullseye@sha256:1110399f568f1dbe838e58f15b4162d899cb95f450f5f0ffa739614f3a4c32f1" \
68+ -t build-lighthouse-2 .
69+
70+ echo "=== Extracting binary from second build ==="
71+ docker create --name extract-lighthouse-2 build-lighthouse-2
72+ docker cp extract-lighthouse-2:/lighthouse ./lighthouse-build-2
73+ docker rm extract-lighthouse-2
74+
75+ echo "=== Second build info ==="
76+ ls -la lighthouse-build-2
77+ sha256sum lighthouse-build-2
78+ file lighthouse-build-2
79+
80+ - name : Compare Docker-built binaries
5481 run : |
55- make build-reproducible \
56- RUST_TARGET=x86_64-unknown-linux-gnu
57- cp target/x86_64-unknown-linux-gnu/release/lighthouse \
58- lighthouse-build-2
59- sha256sum lighthouse-build-2 > lighthouse-build-2.sha256
82+ echo "=== Comparing Docker-built binaries (x86_64) ==="
83+ echo "Build 1 info:"
84+ ls -la lighthouse-build-1
85+ echo "Build 2 info:"
86+ ls -la lighthouse-build-2
6087
61- - name : Compare binaries
62- run : |
63- echo "=== Build 1 SHA256 ==="
64- cat lighthouse-build-1.sha256
65- echo "=== Build 2 SHA256 ==="
66- cat lighthouse-build-2.sha256
67- echo "=== Binary Comparison ==="
88+ echo "=== SHA256 checksums ==="
89+ sha256sum lighthouse-build-*
90+
91+ echo "=== Binary comparison ==="
6892 if cmp lighthouse-build-1 lighthouse-build-2; then
69- echo "✅ Binaries are identical - reproducible build PASSED"
93+ echo "✅ SUCCESS: Docker-built binaries are identical!"
94+ echo "✅ Reproducible Docker build PASSED for x86_64"
7095 else
71- echo "❌ Binaries differ - reproducible build FAILED"
96+ echo "❌ FAILED: Docker-built binaries differ"
97+ echo "First 10 differences:"
98+ cmp -l lighthouse-build-1 lighthouse-build-2 | head -10
7299 exit 1
73100 fi
74101
75- - name : Upload build artifacts (on failure)
76- if : failure()
77- uses : actions/upload-artifact@v4
78- with :
79- name : failed-reproducible-builds-x86_64
80- path : |
81- lighthouse-build-1
82- lighthouse-build-2
83- lighthouse-build-1.sha256
84- lighthouse-build-2.sha256
85-
86102 build-aarch64 :
87103 name : test reproducible builds (aarch64)
88- runs-on : ubuntu-latest
104+ runs-on : ubuntu-24.04-arm
89105 steps :
90106 - uses : actions/checkout@v4
91107
92- - uses : dtolnay/rust-toolchain@stable
108+ - name : Set up Docker Buildx
109+ uses : docker/setup-buildx-action@v3
93110 with :
94- target : aarch64-unknown-linux-gnu
111+ driver : docker
95112
96- - name : Install build dependencies and cross-compilation tools
113+ - name : Build first reproducible Docker image
97114 run : |
98- sudo apt-get update
99- sudo apt-get install -y libclang-dev cmake gcc-aarch64-linux-gnu
100-
101- - name : Install cargo-cache
102- run : cargo install cargo-cache
115+ echo "=== Building first Docker image (aarch64) ==="
116+ docker build -f Dockerfile.reproducible \
117+ --platform linux/arm64 \
118+ --build-arg RUST_TARGET="aarch64-unknown-linux-gnu" \
119+ --build-arg RUST_IMAGE="rust:1.86-bullseye@sha256:36053eabadeb701e3e0406610a2ce72ccfa10b7828963cd08cffdcf660518b27" \
120+ -t build-lighthouse-1-arm64 .
121+
122+ echo "=== Extracting binary from first build ==="
123+ docker create --name extract-lighthouse-1-arm64 build-lighthouse-1-arm64
124+ docker cp extract-lighthouse-1-arm64:/lighthouse ./lighthouse-build-1-arm64
125+ docker rm extract-lighthouse-1-arm64
126+
127+ echo "=== First build info ==="
128+ ls -la lighthouse-build-1-arm64
129+ sha256sum lighthouse-build-1-arm64
130+ file lighthouse-build-1-arm64
131+
132+ - name : Clean Docker state completely
133+ run : |
134+ echo "=== Cleaning Docker state ==="
135+ docker rmi build-lighthouse-1-arm64 || true
136+ docker buildx prune -f || true
137+ docker system prune -f || true
138+ docker container prune -f || true
103139
104- - uses : Swatinem/rust-cache@v2
105- with :
106- cache-on-failure : true
107- key : reproducible-build-aarch64
140+ echo "=== Docker state cleaned ==="
141+ docker images
142+ docker ps -a
108143
109- - name : Build Lighthouse (first build)
144+ - name : Build second reproducible Docker image
110145 run : |
111- make build-reproducible \
112- RUST_TARGET=aarch64-unknown-linux-gnu
113- cp target/aarch64-unknown-linux-gnu/release/lighthouse \
114- lighthouse-build-1-arm64
115- sha256sum lighthouse-build-1-arm64 > \
116- lighthouse-build-1-arm64.sha256
117-
118- - name : Clean build artifacts and cache
146+ echo "=== Building second Docker image (aarch64) ==="
147+ docker build -f Dockerfile.reproducible \
148+ --platform linux/arm64 \
149+ --build-arg RUST_TARGET="aarch64-unknown-linux-gnu" \
150+ --build-arg RUST_IMAGE="rust:1.86-bullseye@sha256:36053eabadeb701e3e0406610a2ce72ccfa10b7828963cd08cffdcf660518b27" \
151+ -t build-lighthouse-2-arm64 .
152+
153+ echo "=== Extracting binary from second build ==="
154+ docker create --name extract-lighthouse-2-arm64 build-lighthouse-2-arm64
155+ docker cp extract-lighthouse-2-arm64:/lighthouse ./lighthouse-build-2-arm64
156+ docker rm extract-lighthouse-2-arm64
157+
158+ echo "=== Second build info ==="
159+ ls -la lighthouse-build-2-arm64
160+ sha256sum lighthouse-build-2-arm64
161+ file lighthouse-build-2-arm64
162+
163+ - name : Compare Docker-built binaries
119164 run : |
120- make clean
121- cargo cache -a
122- rm -rf target/
165+ echo "=== Comparing Docker-built binaries (aarch64) ==="
166+ echo "Build 1 info:"
167+ ls -la lighthouse-build-1-arm64
168+ echo "Build 2 info:"
169+ ls -la lighthouse-build-2-arm64
123170
124- - name : Build Lighthouse (second build)
125- run : |
126- make build-reproducible \
127- RUST_TARGET=aarch64-unknown-linux-gnu
128- cp target/aarch64-unknown-linux-gnu/release/lighthouse \
129- lighthouse-build-2-arm64
130- sha256sum lighthouse-build-2-arm64 > \
131- lighthouse-build-2-arm64.sha256
132-
133- - name : Compare binaries
134- run : |
135- echo "=== Build 1 SHA256 (ARM64) ==="
136- cat lighthouse-build-1-arm64.sha256
137- echo "=== Build 2 SHA256 (ARM64) ==="
138- cat lighthouse-build-2-arm64.sha256
139- echo "=== Binary Comparison ==="
171+ echo "=== SHA256 checksums ==="
172+ sha256sum lighthouse-build-*-arm64
173+
174+ echo "=== Binary comparison ==="
140175 if cmp lighthouse-build-1-arm64 lighthouse-build-2-arm64; then
141- echo "✅ ARM64 binaries are identical - reproducible build PASSED"
176+ echo "✅ SUCCESS: Docker-built binaries are identical!"
177+ echo "✅ Reproducible Docker build PASSED for aarch64"
142178 else
143- echo "❌ ARM64 binaries differ - reproducible build FAILED"
179+ echo "❌ FAILED: Docker-built binaries differ"
180+ echo "First 10 differences:"
181+ cmp -l lighthouse-build-1-arm64 lighthouse-build-2-arm64 | head -10
144182 exit 1
145183 fi
146184
147- - name : Upload build artifacts (on failure)
148- if : failure()
149- uses : actions/upload-artifact@v4
150- with :
151- name : failed-reproducible-builds-aarch64
152- path : |
153- lighthouse-build-1-arm64
154- lighthouse-build-2-arm64
155- lighthouse-build-1-arm64.sha256
156- lighthouse-build-2-arm64.sha256
157-
158185 summary :
159186 name : reproducible build summary
160187 runs-on : ubuntu-latest
@@ -181,8 +208,9 @@ jobs:
181208 if [[ "${{ needs.build-x86_64.result }}" == "success" ]] \
182209 && [[ "${{ needs.build-aarch64.result }}" == "success" ]]; then
183210 echo "🎉 **Overall**: All reproducible builds are working correctly!"
211+ echo "Docker containers are reproducible."
184212 else
185213 echo "⚠️ **Overall**: Some reproducible builds failed"
186- echo "Check the logs above"
214+ echo "Check the logs above for details "
187215 exit 1
188216 fi
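Review bot: The second `docker build` in both jobs (new-side lines 65-68 for x86_64 and 147-151 for aarch64) may still be served from BuildKit's layer cache, because the only thing separating it from the first build is the "Clean Docker state completely" step, where every command ends in `|| true`. If a prune fails or leaves cache behind, that step still succeeds and `cmp` ends up comparing a binary with a cached copy of itself, so the check passes without demonstrating reproducibility. Passing `--no-cache` on the build commands (at least the second one in each job) removes the dependency on cleanup, e.g. `docker build --no-cache -f Dockerfile.reproducible \`. Separately, the Rust base image is pinned by digest but the added `docker/setup-buildx-action@v3` is referenced by a mutable tag; pinning it to a full commit SHA (`uses: docker/setup-buildx-action@<full-commit-sha>  # v3`) would give this integrity check the same guarantee for its own tooling.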