Skip to content

Commit 3106021

Browse files
Add workflow to ensure reproducibility
Co-Authored-By: Albin <albin@mullvad.net>
1 parent 6dd59d1 commit 3106021

File tree

3 files changed

+169
-1
lines changed

3 files changed

+169
-1
lines changed
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,109 @@
1+
---
2+
name: Android - Verify F-Droid and reproducible builds
3+
on:
4+
schedule:
5+
# At 04:20 UTC every monday.
6+
# Notifications for scheduled workflows are sent to the user who last modified the cron
7+
# syntax in the workflow file. If you update this you must have notifications for
8+
# Github Actions enabled, so these don't go unnoticed.
9+
# https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/notifications-for-workflow-runs
10+
- cron: '20 6 * * 1'
11+
workflow_dispatch:
12+
13+
permissions: {}
14+
15+
jobs:
16+
build-fdroid-app:
17+
name: Build fdroid container
18+
runs-on: ubuntu-latest
19+
steps:
20+
- name: Checkout repository
21+
uses: actions/checkout@v4
22+
with:
23+
submodules: true
24+
25+
- name: Build app
26+
run: ./building/containerized-build.sh android --fdroid
27+
28+
- name: Upload apks
29+
uses: actions/upload-artifact@v4
30+
with:
31+
name: container-app
32+
path: android/app/build/outputs/apk/ossProd/fdroid/app-oss-prod-fdroid-unsigned.apk
33+
if-no-files-found: error
34+
retention-days: 7
35+
36+
build-fdroid-app-server:
37+
name: Build fdroid with fdroid server
38+
runs-on: ubuntu-latest
39+
steps:
40+
- name: Install fdroidserver
41+
run: |
42+
sudo apt-get -y update
43+
sudo apt-get -y install fdroidserver
44+
45+
- name: Install gradle
46+
run: |
47+
sudo apt-get -y remove gradle
48+
mkdir /opt/gradle
49+
curl -sfLo /opt/gradle/gradle-8.13-bin.zip https\://services.gradle.org/distributions/gradle-8.13-bin.zip
50+
unzip -d /opt/gradle /opt/gradle/gradle-8.13-bin.zip
51+
52+
# These are equivalent to the sudo section of the metadata file
53+
- name: Install dependencies
54+
run: sudo apt-get install -y build-essential protobuf-compiler libprotobuf-dev
55+
56+
- name: Download metadata file
57+
uses: actions/checkout@v4
58+
with:
59+
path: app-repo
60+
61+
- name: Init fdroid
62+
run: fdroid init
63+
64+
- name: Prepare metadata
65+
run: |
66+
mkdir metadata
67+
cp app-repo/android/fdroid-build/metadata/net.mullvad.mullvadvpn.yml metadata/net.mullvad.mullvadvpn.yml
68+
sed -i 's/commit-hash/${{ github.sha }}/' metadata/net.mullvad.mullvadvpn.yml
69+
70+
- name: Build app
71+
run: |
72+
export PATH=$PATH:/opt/gradle/gradle-8.13/bin
73+
fdroid build net.mullvad.mullvadvpn:1 -v
74+
75+
- name: Upload apks
76+
uses: actions/upload-artifact@v4
77+
with:
78+
name: fdroidserver-app
79+
path: |
80+
build/net\.mullvad\.mullvadvpn/android/app/build/outputs/apk/ossProd/fdroid/app-oss-prod-fdroid-unsigned.apk
81+
if-no-files-found: error
82+
retention-days: 7
83+
84+
compare-builds:
85+
name: Check builds
86+
runs-on: ubuntu-latest
87+
needs: [build-fdroid-app, build-fdroid-app-server]
88+
steps:
89+
- name: Download container apk
90+
uses: actions/download-artifact@v4
91+
with:
92+
name: container-app
93+
path: container
94+
95+
- name: Download server apk
96+
uses: actions/download-artifact@v4
97+
with:
98+
name: fdroidserver-app
99+
path: fdroidserver
100+
101+
- name: Print checksums
102+
run: |
103+
echo "Container build checksum"
104+
md5sum container/app-oss-prod-fdroid-unsigned.apk
105+
echo "Fdroidserver build checksum"
106+
md5sum fdroidserver/app-oss-prod-fdroid-unsigned.apk
107+
108+
- name: Compare files
109+
run: diff container/app-oss-prod-fdroid-unsigned.apk fdroidserver/app-oss-prod-fdroid-unsigned.apk

android/fdroid-build/env.sh

+4-1
Original file line numberDiff line numberDiff line change
@@ -5,10 +5,13 @@
55
# shellcheck source=/dev/null
66
source "$HOME/.cargo/env"
77

8-
# Ensure Go compiler is accessible
8+
# Ensure Go compiler is accessible (needs to be removed if building locally on macOS)
99
export GOROOT="$HOME/go"
1010
export PATH="$GOROOT/bin:$PATH"
1111

12+
# Set up python3 path for the rust gradle plugin
13+
export RUST_ANDROID_GRADLE_PYTHON_COMMAND=/usr/bin/python3
14+
1215
# Ensure Rust crates know which tools to use for cross-compilation
1316
export NDK_TOOLCHAIN_DIR="$NDK_PATH/toolchains/llvm/prebuilt/linux-x86_64/bin"
1417

Original file line numberDiff line numberDiff line change
@@ -0,0 +1,56 @@
1+
AntiFeatures:
2+
NonFreeNet:
3+
en-US: Depends on the Mullvad VPN service.
4+
Categories:
5+
- Connectivity
6+
- Internet
7+
- Security
8+
- System
9+
License: GPL-3.0-or-later
10+
WebSite: https://mullvad.net
11+
SourceCode: https://github.com/mullvad/mullvadvpn-app
12+
IssueTracker: https://github.com/mullvad/mullvadvpn-app/issues
13+
Translation: https://github.com/mullvad/mullvadvpn-app/blob/HEAD/CONTRIBUTING.md#localization--translations
14+
Changelog: https://github.com/mullvad/mullvadvpn-app/blob/HEAD/android/CHANGELOG.md
15+
16+
AutoName: Mullvad VPN
17+
18+
RepoType: git
19+
Repo: https://github.com/mullvad/mullvadvpn-app.git
20+
21+
Builds:
22+
- versionName: 'Reproducible'
23+
versionCode: 1
24+
commit: commit-hash
25+
timeout: 10800
26+
subdir: android/app
27+
sudo:
28+
- apt-get update
29+
- apt-get install -y build-essential protobuf-compiler libprotobuf-dev
30+
init: NDK_PATH="$$NDK$$" ../fdroid-build/init.sh
31+
output: build/outputs/apk/ossProd/fdroid/app-oss-prod-fdroid-unsigned.apk
32+
rm:
33+
- desktop
34+
- graphics
35+
- ios
36+
- windows
37+
- building/sigstore
38+
- android/lib/billing
39+
prebuild:
40+
- git -C ../.. submodule update --init --recursive --depth=1 wireguard-go-rs
41+
- sed -i -e 's|Repositories.GradlePlugins|"https://plugins.gradle.org/m2/"|'
42+
../build.gradle.kts
43+
- sed -i '/\"desktop\//d' ../../Cargo.toml
44+
- sed -i '/^android-billingclient/d' ../gradle/libs.versions.toml
45+
build:
46+
- NDK_PATH="$$NDK$$" source ../fdroid-build/env.sh
47+
- cargo install --force cbindgen --version "0.26.0" --locked
48+
- echo $NDK_TOOLCHAIN_DIR "$$NDK$$"
49+
- ../build.sh --fdroid
50+
ndk: 27.2.12479018
51+
52+
AutoUpdateMode: Version
53+
UpdateCheckMode: Tags ^android/[0-9]{4}\.[0-9]+$
54+
UpdateCheckData: dist-assets/android-version-code.txt|(\d+)|dist-assets/android-version-name.txt|(.+)
55+
CurrentVersion: 'Reproducible'
56+
CurrentVersionCode: 1

0 commit comments

Comments
 (0)