Add build checksums (not reproducible yet)

alganet · alganet · commit 99cbd52b7ce4 · 2026-01-11T03:35:47.000Z
This is an intermediate step towards reproducible static builds. It
just sets up a workflow for generating build checksums.

Those WILL vary after each build, since our scripts are still not
ready to produce builds that are reproducible.

This step is in a long walk towards better builds, more reproducible
results and perhaps even releases outside of docker.
diff --git a/.github/actions/generate-build-checksums/action.yml b/.github/actions/generate-build-checksums/action.yml
@@ -0,0 +1,46 @@
+# SPDX-FileCopyrightText: 2026 Alexandre Gomes Gaigalas <alganet@gmail.com>
+# SPDX-License-Identifier: ISC
+
+name: Generate and upload build checksums
+description: Extracts /opt from the built image, generates build checksums into checksums/build/, ensures correct ownership and uploads the artifact
+runs:
+  using: composite
+  steps:
+    - name: Extract image /opt
+      shell: bash
+      run: |
+        set -ex
+        container=$(docker create "${{ inputs.image }}")
+        docker cp $container:/opt ./image_out
+        docker rm $container
+
+    - name: Generate build checksums
+      shell: bash
+      env:
+        SHVR_DIR_OUT: ${{ github.workspace }}/image_out
+        SHVR_CHECKSUMS_DIR: ${{ github.workspace }}/checksums
+      run: |
+        set -ex
+        sh shvr.sh generate_build_checksums
+
+    - name: Ensure ownership of checksums
+      shell: bash
+      run: |
+        set -ex
+        # Some runners may create files as root when using docker, ensure runner can upload
+        sudo chown -R $(id -u):$(id -g) checksums/build || true
+
+    - name: Upload build checksums
+      uses: actions/upload-artifact@v6
+      with:
+        name: ${{ inputs.artifact_name }}
+        path: checksums/build
+
+inputs:
+  image:
+    description: Docker image tag to extract (required)
+    required: true
+  artifact_name:
+    description: Artifact name to upload
+    required: false
+    default: shvr-build-checksums
diff --git a/.github/workflows/docker-all.yml b/.github/workflows/docker-all.yml
@@ -44,6 +44,12 @@ jobs:
           build-args: |
             TARGETS=${{ matrix.targets }}
 
+      - name: Generate and upload build checksums
+        uses: ./.github/actions/generate-build-checksums
+        with:
+          image: ${{ matrix.tags }}
+          artifact_name: shvr-build-checksums
+
     strategy:
       fail-fast: true
       matrix:
diff --git a/.github/workflows/docker-latest.yml b/.github/workflows/docker-latest.yml
@@ -44,6 +44,12 @@ jobs:
           build-args: |
             TARGETS=${{ matrix.targets }}
 
+      - name: Generate and upload build checksums
+        uses: ./.github/actions/generate-build-checksums
+        with:
+          image: ${{ matrix.tags }}
+          artifact_name: shvr-build-checksums
+
     strategy:
       fail-fast: true
       matrix:
diff --git a/.github/workflows/docker-test.yml b/.github/workflows/docker-test.yml
@@ -44,6 +44,12 @@ jobs:
           build-args: |
             TARGETS=${{ matrix.targets }}
 
+      - name: Generate and upload build checksums
+        uses: ./.github/actions/generate-build-checksums
+        with:
+          image: ${{ matrix.tags }}
+          artifact_name: shvr-build-checksums
+
     strategy:
       fail-fast: false
       matrix:
diff --git a/shvr.sh b/shvr.sh
@@ -32,6 +32,7 @@ shvr_build ()
 	set -x
 
 	shvr_each build "${@:-}"
+	shvr_generate_build_checksums "${@:-}"
 }
 
 
@@ -196,6 +197,41 @@ shvr_generate_checksums()
 	done
 }
 
+
+# Generate checksums for build outputs under ${SHVR_DIR_OUT} and write them
+# to ${SHVR_CHECKSUMS_DIR}/build/<rel>.sha256sums mirroring the out layout.
+# Usage: shvr_generate_build_checksums [<shell>_<version> ...]
+shvr_generate_build_checksums()
+{
+	if test -z "$*"
+	then
+		start_dir="${SHVR_DIR_OUT}"
+		find "$start_dir" -type f | while read -r f
+		do
+			rel="${f#${SHVR_DIR_OUT}/}"
+			dest_dir="$(dirname "${SHVR_CHECKSUMS_DIR}/build/${rel}.sha256sums")"
+			mkdir -p "$dest_dir"
+			sha256sum "$f" | sed "s/  .*/  $(basename "$f")/" > "${SHVR_CHECKSUMS_DIR}/build/${rel}.sha256sums"
+		done
+	else
+		# Only generate checksums for specific targets (e.g., bash_5.3.9)
+		for t in "$@"
+		do
+			dir="$SHVR_DIR_OUT/${t}"
+			if test -d "$dir"
+			then
+				find "$dir" -type f | while read -r f
+				do
+					rel="${f#${SHVR_DIR_OUT}/}"
+					dest_dir="$(dirname "${SHVR_CHECKSUMS_DIR}/build/${rel}.sha256sums")"
+					mkdir -p "$dest_dir"
+					sha256sum "$f" | sed "s/  .*/  $(basename "$f")/" > "${SHVR_CHECKSUMS_DIR}/build/${rel}.sha256sums"
+				done
+			fi
+		done
+	fi
+}
+
 shvr_github_regen_downloads ()
 {
 	set -- $(printf '%s ' $(shvr_targets | sort -t'_' -k1,1 -k2Vr))
