Add workflow to ensure reproducibility

Pururun · albin-mullvad · Pururun · commit 948abe8ae188 · 2025-03-13T23:23:57.000+01:00
Co-Authored-By: Albin &lt;albin@mullvad.net&gt;
diff --git a/.github/workflows/android-reproducible-builds.yml b/.github/workflows/android-reproducible-builds.yml
@@ -0,0 +1,116 @@
+---
+name: Android - Ensure reproducibility
+on:
+  schedule:
+    # At 04:20 UTC every monday.
+    # Notifications for scheduled workflows are sent to the user who last modified the cron
+    # syntax in the workflow file. If you update this you must have notifications for
+    # Github Actions enabled, so these don't go unnoticed.
+    # https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/notifications-for-workflow-runs
+    - cron: '20 6 * * 1'
+  push:
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  build-fdroid-app:
+    name: Build fdroid container
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          submodules: true
+
+      - name: Upload repro yaml file
+        uses: actions/upload-artifact@v4
+        with:
+          name: net.mullvad.mullvadvpn
+          path: android/fdroid-build/metadata/net.mullvad.mullvadvpn.yml
+          if-no-files-found: error
+          retention-days: 7
+
+      - name: Build app
+        run: ./building/containerized-build.sh android --fdroid
+
+      - name: Rename apk
+        run: |
+          cd dist
+          for file in *.apk; do mv "$file" "app-oss-prod-fdroid-container.apk"; done
+          cd ..
+
+      - name: Upload apks
+        uses: actions/upload-artifact@v4
+        with:
+          name: apks
+          path: dist
+          if-no-files-found: error
+          retention-days: 7
+
+  build-fdroid-app-server:
+    name: Build fdroid with fdroid server
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install fdroidserver
+        run: sudo apt-get install fdroidserver
+
+      - name: Install gradle
+        run: |
+          sudo apt-get remove gradle
+          mkdir /opt/gradle
+          curl -sfLo /opt/gradle/gradle-8.13-bin.zip https\://services.gradle.org/distributions/gradle-8.13-bin.zip 
+          unzip -d /opt/gradle /opt/gradle/gradle-8.13-bin.zip
+
+      # These are equivalent to the sudo section of the metadata file    
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential protobuf-compiler libprotobuf-dev
+
+      - name: Create empty repo
+        run: mkdir fdroid-repo && cd fdroid-repo && mkdir metadata
+
+      - name: Init
+        run: fdroid init
+
+      - uses: actions/download-artifact@v4
+        with:
+          name: net.mullvad.mullvadvpn
+          path: metadata
+
+      - name: Update metadata
+        run: sed -i 's/commit-hash/${{ github.sha }}/' metadata/net.mullvad.mullvadvpn.yml
+
+      - name: Build app
+        run: |
+          export PATH=$PATH:/opt/gradle/gradle-8.13/bin
+          fdroid build net.mullvad.mullvadvpn:24090099 -v
+
+      - name: Upload apks
+        uses: actions/upload-artifact@v4
+        with:
+          name: app-oss-prod-fdroid-unsigned
+          path: build/net\.mullvad\.mullvadvpn/android/app/build/outputs/apk/ossProd/fdroid/app-oss-prod-fdroid-unsigned.apk
+          if-no-files-found: error
+          retention-days: 7
+
+  compare-builds:
+    name: Check builds
+    runs-on: ubuntu-latest
+    needs: [build-fdroid-app, build-fdroid-app-server]
+    steps:
+      - name: Download container apk
+        uses: actions/download-artifact@v4
+        with:
+          name: apks
+          path: apks
+
+      - name: Download server apk
+        uses: actions/download-artifact@v4
+        with:
+          name: app-oss-prod-fdroid-unsigned
+          path: apks
+
+      - name: Compare files
+        run: if [[ "$(md5sum app-oss-prod-fdroid-container.apk)" = "$(md5sum app-oss-prod-fdroid-unsigned.apk)" ]] then echo "Equal checksums"; else exit 1; fi
diff --git a/android/fdroid-build/env.sh b/android/fdroid-build/env.sh
@@ -5,10 +5,13 @@
 # shellcheck source=/dev/null
 source "$HOME/.cargo/env"
 
-# Ensure Go compiler is accessible
+# Ensure Go compiler is accessible (needs to be removed if building locally)
 export GOROOT="$HOME/go"
 export PATH="$GOROOT/bin:$PATH"
 
+# Set up python3 path for the rust gradle plugin
+export RUST_ANDROID_GRADLE_PYTHON_COMMAND=/usr/bin/python3
+
 # Ensure Rust crates know which tools to use for cross-compilation
 export NDK_TOOLCHAIN_DIR="$NDK_PATH/toolchains/llvm/prebuilt/linux-x86_64/bin"
 
diff --git a/android/fdroid-build/metadata/net.mullvad.mullvadvpn.yml b/android/fdroid-build/metadata/net.mullvad.mullvadvpn.yml
@@ -0,0 +1,56 @@
+AntiFeatures:
+  NonFreeNet:
+    en-US: Depends on the Mullvad VPN service.
+Categories:
+  - Connectivity
+  - Internet
+  - Security
+  - System
+License: GPL-3.0-or-later
+WebSite: https://mullvad.net
+SourceCode: https://github.com/mullvad/mullvadvpn-app
+IssueTracker: https://github.com/mullvad/mullvadvpn-app/issues
+Translation: https://github.com/mullvad/mullvadvpn-app/blob/HEAD/CONTRIBUTING.md#localization--translations
+Changelog: https://github.com/mullvad/mullvadvpn-app/blob/HEAD/android/CHANGELOG.md
+
+AutoName: Mullvad VPN
+
+RepoType: git
+Repo: https://github.com/mullvad/mullvadvpn-app.git
+
+Builds:
+  - versionName: '2024.9'
+    versionCode: 24090099
+    commit: commit-hash
+    timeout: 10800
+    subdir: android/app
+    sudo:
+      - apt-get update
+      - apt-get install -y build-essential protobuf-compiler libprotobuf-dev
+    init: NDK_PATH="$$NDK$$" ../fdroid-build/init.sh
+    output: build/outputs/apk/ossProd/fdroid/app-oss-prod-fdroid-unsigned.apk
+    rm:
+      - desktop
+      - graphics
+      - ios
+      - windows
+      - building/sigstore
+      - android/lib/billing
+    prebuild:
+      - git -C ../.. submodule update --init --recursive --depth=1 wireguard-go-rs
+      - sed -i -e 's|Repositories.GradlePlugins|"https://plugins.gradle.org/m2/"|'
+        ../build.gradle.kts
+      - sed -i '/\"desktop\//d' ../../Cargo.toml
+      - sed -i '/^android-billingclient/d' ../gradle/libs.versions.toml
+    build:
+      - NDK_PATH="$$NDK$$" source ../fdroid-build/env.sh
+      - cargo install --force cbindgen --version "0.26.0" --locked
+      - echo $NDK_TOOLCHAIN_DIR "$$NDK$$"
+      - ../build.sh --fdroid
+    ndk: 27.2.12479018
+
+AutoUpdateMode: Version
+UpdateCheckMode: Tags ^android/[0-9]{4}\.[0-9]+$
+UpdateCheckData: dist-assets/android-version-code.txt|(\d+)|dist-assets/android-version-name.txt|(.+)
+CurrentVersion: '2024.9'
+CurrentVersionCode: 24090099
