
Signaling-only CI job to detect mismatching build artifact hashes early #1207

Open: wants to merge 2 commits into base: main

Conversation

0xB10C (Contributor) commented Apr 26, 2024

To detect build non-determinism and mismatching artifact hashes early (#1203), this introduces a CI job that comments a visual summary of the SHASUMs for each added/changed release. Before merging, it can be quickly visually verified that there are no mismatches. The CI job does not fail on mismatches - it only signals that there's a problem. It also does not check signature validity.

For example, when a noncodesigned.SHA256SUMS file for 24.2 is added, the CI job would comment on the PR:


noncodesigned.SHA256SUMS summary for release 24.2

```
User (see mapping below)            a b c d e f g h i j k l m n o p q
aarch64-linux-gnu-debug.tar.gz      █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █
aarch64-linux-gnu.tar.gz            █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █
arm-linux-gnueabihf-debug.tar.gz    █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █
arm-linux-gnueabihf.tar.gz          █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █
arm64-apple-darwin-unsigned.dmg     █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █
arm64-apple-darwin-unsigned.tar.gz  █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █
arm64-apple-darwin.tar.gz           █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █
powerpc64-linux-gnu-debug.tar.gz    █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █
powerpc64-linux-gnu.tar.gz          █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █
powerpc64le-linux-gnu-debug.tar.gz  █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █
powerpc64le-linux-gnu.tar.gz        █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █
riscv64-linux-gnu-debug.tar.gz      █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █
riscv64-linux-gnu.tar.gz            █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █
win64-debug.zip                     █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █
win64-setup-unsigned.exe            █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █
win64-unsigned.tar.gz               █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █
win64.zip                           █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █
x86_64-apple-darwin-unsigned.dmg    █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █
x86_64-apple-darwin-unsigned.tar.gz █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █
x86_64-apple-darwin.tar.gz          █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █
x86_64-linux-gnu-debug.tar.gz       █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █
x86_64-linux-gnu.tar.gz             █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █
bitcoin-24.2.tar.gz                 █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █ █
```

Symbols:

  • all hashes match: `█`
  • missing hash: `X`
  • hash mismatch: one of `░`, `▞`, `▄`, `▀`, `▌`, `▐`, `▚`

Username mapping:

  • a: willyko
  • b: jackielove4u
  • c: hebasto
  • d: kvaciral
  • e: TheCharlatan
  • f: 0xb10c
  • g: laanwj
  • h: svanstaa
  • i: glozow
  • j: Emzy
  • k: achow101
  • l: Sjors
  • m: fanquake
  • n: guggero
  • o: theStack
  • p: benthecarman
  • q: josibake

Here, all rows having only `█`'s means that there are no hash mismatches. Other examples can be found here: 0xB10C#2

closes #1203
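As an added example (not the PR's `main.py`, whose code is not shown on this page), the following Python script reproduces the kind of summary above from a constructed set of `noncodesigned.SHA256SUMS` contents: it parses each signer's file, takes the most common digest per artifact as the reference, marks agreement with `█`, a missing entry with `X` and each distinct disagreeing digest with its own pattern, and also returns the mismatches and gaps as data so a reviewer (or a later job that is allowed to fail) can act on them rather than only eyeball a grid. The signer names, digests and the `bitcoin-<release>-` filename prefix are constructed assumptions.

```python
from collections import Counter

# Symbols as described in the CI comment: every hash agrees, hash missing, and
# one distinct pattern per disagreeing digest value.
MATCH = "█"
MISSING = "X"
MISMATCH_PATTERNS = ["░", "▞", "▄", "▀", "▌", "▐", "▚"]
HEX = set("0123456789abcdef")


def parse_sha256sums(text):
    """Parse sha256sum-style lines ('<hex>  <file>' or '<hex> *<file>') into {file: hex}.

    Strict on purpose: a malformed line in an attestation file should stop the
    summary rather than be silently skipped and look like a clean result.
    """
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' = binary mode
        if len(digest) != 64 or set(digest) - HEX:
            raise ValueError(f"not a SHA-256 hex digest: {parts[0]!r}")
        if name in sums:
            raise ValueError(f"duplicate entry for {name!r}")
        sums[name] = digest
    return sums


def summarize(per_signer):
    """per_signer maps signer name -> SHA256SUMS text (insertion order = column order).

    Returns the grid rows, the letter->signer mapping, and the findings a
    reviewer must look at: hash mismatches and missing hashes.
    """
    parsed = {signer: parse_sha256sums(text) for signer, text in per_signer.items()}
    signers = list(parsed)
    letters = [chr(ord("a") + i) for i in range(len(signers))]
    artifacts = sorted({name for sums in parsed.values() for name in sums})
    rows, mismatches, missing = [], [], []
    for artifact in artifacts:
        counts = Counter(sums[artifact] for sums in parsed.values() if artifact in sums)
        # The most common digest is the reference; on a tie the first one seen wins,
        # so a 1-vs-1 disagreement still shows up as a mismatch pattern.
        reference = counts.most_common(1)[0][0]
        pattern_for = {}  # digest -> pattern, so identical wrong digests share a symbol
        cells = []
        for signer in signers:
            digest = parsed[signer].get(artifact)
            if digest is None:
                cells.append(MISSING)
                missing.append((artifact, signer))
            elif digest == reference:
                cells.append(MATCH)
            else:
                if digest not in pattern_for:
                    pattern_for[digest] = MISMATCH_PATTERNS[len(pattern_for) % len(MISMATCH_PATTERNS)]
                cells.append(pattern_for[digest])
                mismatches.append((artifact, signer, digest))
        rows.append((artifact, cells))
    return {"rows": rows, "letters": letters, "mapping": dict(zip(letters, signers)),
            "mismatches": mismatches, "missing": missing}


def render(per_signer, release):
    """Render the grid as text lines. The 'bitcoin-<release>-' prefix is stripped
    from row labels (assumed artifact naming, matching the comment above)."""
    s = summarize(per_signer)
    prefix = f"bitcoin-{release}-"
    label = "User (see mapping below)"
    names = [a[len(prefix):] if a.startswith(prefix) else a for a, _ in s["rows"]]
    width = max([len(label)] + [len(n) for n in names])
    lines = [f"{label:<{width}} " + " ".join(s["letters"])]
    for name, (_, cells) in zip(names, s["rows"]):
        lines.append(f"{name:<{width}} " + " ".join(cells))
    lines.append("")
    lines.extend(f"  • {k}: {v}" for k, v in s["mapping"].items())
    return lines


# Constructed sample input (not real guix.sigs data): three signers, two artifacts.
# bob's digest for the x86_64 tarball disagrees, and carol has not attested aarch64 at all.
H1, H2, H_BAD = "11" * 32, "22" * 32, "33" * 32
SAMPLE = {
    "alice": f"{H1}  bitcoin-24.2-aarch64-linux-gnu.tar.gz\n{H2}  bitcoin-24.2-x86_64-linux-gnu.tar.gz\n",
    "bob":   f"{H1}  bitcoin-24.2-aarch64-linux-gnu.tar.gz\n{H_BAD}  bitcoin-24.2-x86_64-linux-gnu.tar.gz\n",
    "carol": f"{H2}  bitcoin-24.2-x86_64-linux-gnu.tar.gz\n",
}

if __name__ == "__main__":
    print("\n".join(render(SAMPLE, "24.2")))
    print("mismatches:", summarize(SAMPLE)["mismatches"])
    print("missing:", summarize(SAMPLE)["missing"])
```

Treating the majority digest as the reference is a convenience for the visual, not a trust decision: a single disagreeing column can be a non-deterministic build on that signer's machine or a wrong artifact, and which one it is has to be established by comparing the actual build outputs, which is why the data in `mismatches` is returned alongside the grid.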

laanwj (Member) commented Apr 26, 2024

I really like the overview, concept ACK!

achow101 (Member) commented

Neat, Concept ACK


0xB10C added 2 commits May 3, 2024 14:53
Provides a text summary over who provided SHASUMs for each release
and artifact. Can be used to detect hash mismatches.

  usage: main.py [-h] diffrange

  Output a SHASUM summary to stdout

  positional arguments:
    diffrange   Only look at added or changed files in the diff-range

  options:
    -h, --help  show this help message and exit
0xB10C force-pushed the 2024-04-ci-comment-overview branch from 7904b58 to 090b0fd on May 3, 2024 12:53
return;
}
if (comment.length > 0) {
github.rest.issues.createComment({
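Review bot: `github.rest.issues.createComment` needs write access to pull requests, and the default GITHUB_TOKEN only has that for runs from branches in this repository; if the workflow is triggered by `pull_request`, a run for a PR opened from a fork gets a read-only token and this step fails with a permissions error instead of posting the summary, so either document that the signal only appears for same-repo branches or move the commenting step to a pattern (such as a separate `workflow_run` job) that never executes code from the untrusted PR head. The `if (comment.length > 0)` guard also makes a script that produced no output completely silent, which for a signaling-only job is indistinguishable from "no SHASUMS changed"; posting a short note in that case, or failing the step, keeps silence from being mistaken for a clean result.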
Review comment:

Does this require github permissions, or is it enabled by default?

0xB10C (Contributor Author):

I didn't have to configure the token when testing on my fork.

actions/github-script uses the GITHUB_TOKEN by default, which is available in GitHub Actions: https://docs.github.com/en/actions/security-guides/automatic-token-authentication

achow101 (Member) commented

ACK dcb80c3

Development: successfully merging this pull request may close these issues: Notification for mismatching builds

5 participants