This repo is WIP; not ready for use yet.
The aim of this action is to allow defining a build in such a way that we are able to attempt to repeat that build and compare the results to ensure that we get the same built artifact(s) each time.
More documentation to follow as implementation progresses.
This is for internal HashiCorp use only; internal folks, please refer to RFC ENGSRV-084 for more details.
Currently only supports pure Go projects.
- Installs the specified Go version.
- Primary Build:
  - Executes your build instructions in the default checkout directory.
  - Zips and uploads the results as GitHub Actions artifacts using standard HashiCorp artifact names.
- Local Verification Build:
  - Executes your build instructions again in a different directory, at a later time.
  - Zips and uploads the results as GitHub Actions artifacts labelled "local-verification-build".
- Compares Build Outputs:
  - Compares the SHA256 sums of your compiled binary artifacts from both builds.
  - Compares the SHA256 sums of your zip file artifacts from both builds.
  - Fails the build if either comparison produces a mismatch, succeeds otherwise.
This Action can run on both Ubuntu and macOS runners.
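
The output comparison described above can be sketched in bash as follows. This is an added example, not the action's own code: the function names are hypothetical, the sample file contents are constructed, and the zip name follows the default `<package_name>_<product_version>_<os>_<arch>.zip` pattern.

```bash
#!/usr/bin/env bash
# Added example: helper names are hypothetical, not the action's own code.

# Print the hex SHA256 of a file on Ubuntu (sha256sum) or macOS (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 only if both files exist and hash identically; 1 on mismatch,
# 2 if either file is missing (a missing artifact must never count as a pass).
compare_artifact() {
  local primary="$1" verification="$2" a b
  if [ ! -f "$primary" ] || [ ! -f "$verification" ]; then
    echo "MISSING: $primary or $verification" >&2
    return 2
  fi
  a=$(sha256_of "$primary")
  b=$(sha256_of "$verification")
  if [ "$a" != "$b" ]; then
    echo "MISMATCH: $primary ($a) vs $verification ($b)" >&2
    return 1
  fi
  echo "OK: ${primary##*/} $a"
}

# Check every named artifact in both build directories and report all
# failures instead of stopping at the first one.
compare_builds() {
  local pdir="$1" vdir="$2" failed=0 name
  shift 2
  for name in "$@"; do
    compare_artifact "$pdir/$name" "$vdir/$name" || failed=1
  done
  return "$failed"
}

# Constructed sample data standing in for the two builds' outputs.
demo=$(mktemp -d)
mkdir -p "$demo/primary" "$demo/verify"
printf 'binary-bytes' | tee "$demo/primary/my-app" > "$demo/verify/my-app"
printf 'zip built at 10:00' > "$demo/primary/my-app_1.0.0_linux_amd64.zip"
printf 'zip built at 10:05' > "$demo/verify/my-app_1.0.0_linux_amd64.zip"
compare_builds "$demo/primary" "$demo/verify" my-app my-app_1.0.0_linux_amd64.zip \
  && echo "reproducible" || echo "not reproducible: fail the job here"
rm -rf "$demo"
```

In the constructed sample the binaries match but the zip files differ, so the comparison reports a mismatch for the zip and the job would fail.
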
Example usage:
```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: hashicorp/actions-reproducible-build@main
        with:
          go_version: 1.17
          product_version: 1.0.0
          os: linux
          arch: amd64
          package_name: my-app
          instructions: go build -trimpath -o "$BIN_PATH" .
```

| Name | Description |
|---|---|
| `instructions` (required) | Build instructions to generate the binary. See Build Instructions for more info. |
| `go_version` (required) | Version of Go to use for this build. |
| `product_version` (required) | Version of the product being built. |
| `os` (required) | Target product operating system. |
| `arch` (required) | Target product architecture. |
| `package_name` (required) | Name of the package to build. Used to calculate default `bin_name` and `zip_name`. |
| `bin_name` (optional) | Name of the product binary generated. Defaults to `package_name` minus any `-enterprise` suffix. |
| `zip_name` (optional) | Name of the product zip file. Defaults to `<package_name>_<product_version>_<os>_<arch>.zip`. |

The main input is `build_instructions`, which defines the build. Build instructions is a bash script. It should be kept as simple as possible.

When the `build_instructions` are executed, a set of environment variables is already exported for use in your instructions (see Build Environment, below).

At a minimum, the script must use the environment variable `$BIN_PATH`, because the minimal thing it can do is write the compiled binary to `$BIN_PATH`.

To add other files, such as licenses, to the zip file, write them into `$TARGET_DIR` in your build instructions.

The following variables are exported when `build_instructions` are executed, so you can use them in your script and they're available to programs your script calls.

| Name | Description |
|---|---|
| `TARGET_DIR` | Absolute path to the zip contents directory. |
| `PACKAGE_NAME` | Same as the `package_name` input. |
| `PRODUCT_VERSION` | Same as the `product_version` input. |
| `PRODUCT_REVISION` | The git commit SHA of the product repo being built. |
| `PRODUCT_REVISION_TIME` | UTC timestamp of the `PRODUCT_REVISION` commit in ISO 8601 format. |
| `BIN_NAME` | Name of the Go binary file inside `TARGET_DIR`. |
| `BIN_PATH` | Same as `TARGET_DIR/BIN_NAME`. |
| `OS` | Same as the `os` input. |
| `ARCH` | Same as the `arch` input. |
| `GOOS` | Same as `OS`. |
| `GOARCH` | Same as `ARCH`. |

- Store build metadata for external systems to use to reproduce the build.
- Support non-Go projects.
- See ENGSRV-083 for future plans.