Add workflow to ensure reproducibility #134
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Android - Ensure reproducibility | |
| on: | |
| schedule: | |
| # At 04:20 UTC every monday. | |
| # Notifications for scheduled workflows are sent to the user who last modified the cron | |
| # syntax in the workflow file. If you update this you must have notifications for | |
| # Github Actions enabled, so these don't go unnoticed. | |
| # https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/notifications-for-workflow-runs | |
| - cron: '20 6 * * 1' | |
| push: | |
| workflow_dispatch: | |
| permissions: {} | |
| jobs: | |
| build-fdroid-app: | |
| name: Build fdroid container | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: true | |
| - name: Build app | |
| run: ./building/containerized-build.sh android --fdroid | |
| - name: Upload apks | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: container-app | |
| path: android/app/build/outputs/apk/ossProd/fdroid/app-oss-prod-fdroid-unsigned.apk | |
| if-no-files-found: error | |
| retention-days: 7 | |
| build-fdroid-app-server: | |
| name: Build fdroid with fdroid server | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Install fdroidserver | |
| run: | | |
| sudo apt-get -y update | |
| sudo apt-get -y install fdroidserver | |
| - name: Install gradle | |
| run: | | |
| sudo apt-get -y remove gradle | |
| mkdir /opt/gradle | |
| curl -sfLo /opt/gradle/gradle-8.13-bin.zip https\://services.gradle.org/distributions/gradle-8.13-bin.zip | |
| unzip -d /opt/gradle /opt/gradle/gradle-8.13-bin.zip | |
| # These are equivalent to the sudo section of the metadata file | |
| - name: Install dependencies | |
| run: sudo apt-get install -y build-essential protobuf-compiler libprotobuf-dev | |
| - name: Download metadata file | |
| uses: actions/checkout@v4 | |
| with: | |
| path: app-repo | |
| - name: Init fdroid | |
| run: fdroid init | |
| - name: Prepare metadata | |
| run: | | |
| ls app-repo/android/fdroid-build | |
| mkdir metadata | |
| mv app-repo/android/fdroid-build/metadata/net.mullvad.mullvadvpn.yml metadata/net.mullvad.mullvadvpn.yml | |
| sed -i 's/commit-hash/${{ github.sha }}/' metadata/net.mullvad.mullvadvpn.yml | |
| - name: Build app | |
| run: | | |
| export PATH=$PATH:/opt/gradle/gradle-8.13/bin | |
| fdroid build net.mullvad.mullvadvpn:64220099 -v | |
| - name: Upload apks | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: fdroidserver-app | |
| path: | | |
| build/net\.mullvad\.mullvadvpn/android/app/build/outputs/apk/ossProd/fdroid/app-oss-prod-fdroid-unsigned.apk | |
| if-no-files-found: error | |
| retention-days: 7 | |
| compare-builds: | |
| name: Check builds | |
| runs-on: ubuntu-latest | |
| needs: [build-fdroid-app, build-fdroid-app-server] | |
| steps: | |
| - name: Download container apk | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: container-app | |
| path: container | |
| - name: Download server apk | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: fdroidserver-app | |
| path: fdroidserver | |
| - name: Print checksums | |
| run: | | |
| echo "Container build checksum" | |
| md5sum container/app-oss-prod-fdroid-unsigned.apk | |
| echo "Fdroidserver build checksum" | |
| md5sum fdroidserver/app-oss-prod-fdroid-unsigned.apk | |
| - name: Compare files | |
| run: > | |
| if [[ -z $(diff container/app-oss-prod-fdroid-unsigned.apk fdroidserver/app-oss-prod-fdroid-unsigned.apk) ]] | |
| then echo "Equal checksums"; | |
| else echo "Checksums are different"; | |
| exit 1; fi |