Skip to content

Only try to apply grsec_lock once #627

Only try to apply grsec_lock once

Only try to apply grsec_lock once #627

Workflow file for this run

name: Package builds
on:
- merge_group
- push
- pull_request
# Only build for latest push/PR unless it's main or release/
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/main' && !startsWith( github.ref, 'refs/heads/release/' ) }}
defaults:
run:
shell: bash
jobs:
build-debs:
strategy:
matrix:
build: [one, two]
ubuntu_version: [focal, noble]
# TODO: change this back to ubuntu-latest once it is consistently 24.04
runs-on: ubuntu-24.04
outputs:
artifact_id: ${{ steps.upload.outputs.artifact-id }}
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.8'
- name: Build packages
run: |
UBUNTU_VERSION=${{ matrix.ubuntu_version }} ./builder/build-debs.sh
- name: Build OSSEC packages
run: |
UBUNTU_VERSION=${{ matrix.ubuntu_version }} WHAT=ossec ./builder/build-debs.sh
- uses: actions/upload-artifact@v4
id: upload
with:
name: ${{ matrix.ubuntu_version }}-${{ matrix.build }}
path: build/${{ matrix.ubuntu_version }}
if-no-files-found: error
reproducible-debs:
strategy:
matrix:
ubuntu_version: [focal, noble]
runs-on: ubuntu-latest
container: debian:bookworm
needs:
- build-debs
steps:
- name: Install dependencies
run: |
apt-get update && apt-get install --yes diffoscope-minimal xz-utils \
--no-install-recommends
- uses: actions/download-artifact@v4
with:
pattern: "${{ matrix.ubuntu_version }}-*"
- name: diffoscope
run: |
find . -name '*.deb' -exec sha256sum {} \;
# FIXME: securedrop-app-code isn't reproducible
for pkg in ossec-agent ossec-server securedrop-config securedrop-keyring securedrop-ossec-agent securedrop-ossec-server
do
echo "Checking ${pkg}..."
diffoscope ${{ matrix.ubuntu_version }}-one/${pkg}*.deb ${{ matrix.ubuntu_version }}-two/${pkg}*.deb
done