Add a sample reproducible build solution using docker

xxuejie · xxuejie · commit 9110f78f13ca · 2024-06-30T02:10:21.000Z
diff --git a/README.md b/README.md
@@ -171,6 +171,30 @@ make test
 
 The templates provided here, use the same conventions as `ckb-native-build-sample` project, so feel free to refer to the more detailed [usage](https://github.com/xxuejie/ckb-native-build-sample?tab=readme-ov-file#usage) doc in the sample project.
 
+### Reproducible Build
+
+When using this set of templates, we always recommend to use locally installed native versions of LLVM & Rust to build and test your scripts. However, reproducible build is an important part of CKB scripts, which would require locked versions of LLVM & Rust to work, which might not be an easy task when using locally installed versions of compilers.
+
+For the time being, we have prepared a script that does reproducible build via [a docker container image](https://github.com/cryptape/llvm-n-rust). We do want to mention that docker is not necessarily THE way to do reproducible build, nor is it the best way to do reproducible build. There might well be other ways that are better, such as chroot or Nix. It's just that historically, docker has been used in CKB script's build process, and adding a script leveraging docker here, provides an easy solution into the issue.
+
+To do reproducible build, you can use the included script with varying commands:
+
+```
+$ ./scripts/reproducible_build_docker               # Clean current repository, used locked LLVM & Rust from a docker container
+                                                    # to build all contracts, then test the binaries against a checksum file.
+
+$ ./scripts/reproducible_build_docker --update      # Update the checksum file with new binaries, could be handy when you have
+                                                    # made changes to the binaries.
+
+$ ./scripts/reproducible_build_docker --no-clean    # Do not clean intermediate files before building, it is not recommended to
+                                                    # use this but when you really know what you are doing, it could help you save
+                                                    # some time.
+
+$ ./scripts/reproducible_build_docker --proxy "..." # Setup docker container so it pulls Rust crates using a proxy server
+```
+
+By default, the checksum file is stored in `checksums.txt` in the root of the repository. It is strongly recommended that this file is checked into version control, and a CI is setup so reproducible build is always checked in new commits.
+
 ### Standalone Contract Crate
 
 In rare cases if you want to simply use a standalone contract crate without a workspace. The [standalone-contract](https://github.com/cryptape/ckb-script-templates/tree/main/standalone-contract) template is prepared for you:
diff --git a/standalone-contract/scripts/reproducible_build_docker b/standalone-contract/scripts/reproducible_build_docker
@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+#
+# An utility script helping with reproducible script builds via docker.
+# Note that this utility serves only as one example, docker is not
+# necessarily THE way to do reproducible build, nor is it the best way
+# to do reproducible build.
+set -ex
+
+DOCKER_IMAGE="docker.io/cryptape/llvm-n-rust:20240630"
+CHECKSUM_FILE_PATH="checksums.txt"
+
+# We are parsing command line arguments based on tips from:
+# https://stackoverflow.com/a/14203146
+
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    -p|--proxy)
+      PROXY="$2"
+      shift # past argument
+      shift # past value
+      ;;
+    -u|--update)
+      UPDATE="yes"
+      shift # past argument
+      ;;
+    --no-clean)
+      NOCLEAN="yes"
+      shift # past argument
+      ;;
+    -*|--*)
+      echo "Unknown option $1"
+      exit 1
+      ;;
+    *)
+      echo "Unknown argument $1"
+      exit 1
+      ;;
+  esac
+done
+
+if [[ -n "${PROXY}" ]]; then
+  PROXY_ARGS="-e ALL_PROXY=${PROXY} -e HTTPS_PROXY=${PROXY} -e HTTP_PROXY=${PROXY}"
+fi
+
+TASKS=""
+if [[ "${NOCLEAN}" != "yes" ]]; then
+  TASKS+=" clean "
+fi
+
+if [[ "${UPDATE}" = "yes" ]]; then
+  TASKS+=" checksum CHECKSUM_FILE=${CHECKSUM_FILE_PATH} "
+else
+  TASKS+=" build "
+fi
+
+docker run --rm $PROXY_ARGS -v `pwd`:/code $DOCKER_IMAGE make $TASKS
+
+if [[ "${UPDATE}" = "yes" ]]; then
+  echo "${CHECKSUM_FILE_PATH} file is updated with latest binary hashes!"
+else
+  sha256sum -c ${CHECKSUM_FILE_PATH}
+fi
diff --git a/workspace/scripts/reproducible_build_docker b/workspace/scripts/reproducible_build_docker
@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+#
+# An utility script helping with reproducible script builds via docker.
+# Note that this utility serves only as one example, docker is not
+# necessarily THE way to do reproducible build, nor is it the best way
+# to do reproducible build.
+set -ex
+
+DOCKER_IMAGE="docker.io/cryptape/llvm-n-rust:20240630"
+CHECKSUM_FILE_PATH="checksums.txt"
+
+# We are parsing command line arguments based on tips from:
+# https://stackoverflow.com/a/14203146
+
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    -p|--proxy)
+      PROXY="$2"
+      shift # past argument
+      shift # past value
+      ;;
+    -u|--update)
+      UPDATE="yes"
+      shift # past argument
+      ;;
+    --no-clean)
+      NOCLEAN="yes"
+      shift # past argument
+      ;;
+    -*|--*)
+      echo "Unknown option $1"
+      exit 1
+      ;;
+    *)
+      echo "Unknown argument $1"
+      exit 1
+      ;;
+  esac
+done
+
+if [[ -n "${PROXY}" ]]; then
+  PROXY_ARGS="-e ALL_PROXY=${PROXY} -e HTTPS_PROXY=${PROXY} -e HTTP_PROXY=${PROXY}"
+fi
+
+TASKS=""
+if [[ "${NOCLEAN}" != "yes" ]]; then
+  TASKS+=" clean "
+fi
+
+if [[ "${UPDATE}" = "yes" ]]; then
+  TASKS+=" checksum CHECKSUM_FILE=${CHECKSUM_FILE_PATH} "
+else
+  TASKS+=" build "
+fi
+
+docker run --rm $PROXY_ARGS -v `pwd`:/code $DOCKER_IMAGE make $TASKS
+
+if [[ "${UPDATE}" = "yes" ]]; then
+  echo "${CHECKSUM_FILE_PATH} file is updated with latest binary hashes!"
+else
+  sha256sum -c ${CHECKSUM_FILE_PATH}
+fi
