Merge pull request #11 from cryptape/reproducible-build-via-docker

Add a sample reproducible build solution using docker

Author: quake

.github/workflows/rust.yml

@@ -37,10 +37,14 @@ jobs:
         git submodule add https://github.com/xxuejie/lib-dummy-atomics deps/lib-dummy-atomics
     - name: Run all checks
       run: cd test-workspace && make build test check clippy
+    - name: Reproducible build runs
+      run: cd test-workspace && ./scripts/reproducible_build_docker --update && ./scripts/reproducible_build_docker --no-clean
     - name: Generate standalone contract
       run: cargo generate --path . standalone-contract --name test-contract
     - name: Run all checks
       run: cd test-contract && make build test check clippy
+    - name: Reproducible build runs
+      run: cd test-contract && ./scripts/reproducible_build_docker --update && ./scripts/reproducible_build_docker --no-clean
 
   debian-build:
 
@@ -198,6 +202,49 @@ jobs:
     - name: Run all checks
       run: cd test-contract && make build test check clippy
 
+  # For now, github action's latest arm64-based macos runner does not support docker. We will have to
+  # Use an order version for now to test reproducible build on macOS. Maybe when macOS 15 is out we can
+  # re-test later.
+  #
+  # References:
+  # * https://github.com/orgs/community/discussions/69211
+  # * https://github.com/marketplace/actions/setup-docker-on-macos
+  macos-x64-reproducible-build:
+
+    runs-on: macos-13
+
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        submodules: true
+    - name: Setup Docker on macOS
+      run: brew install docker colima && colima start
+    - name: Install llvm 16
+      run: brew install llvm@16
+    - name: Install riscv64 target
+      run: rustup target add riscv64imac-unknown-none-elf
+    - name: Install cargo generate
+      run: cargo install cargo-generate
+    - name: Generate workspace
+      run: cargo generate --path . workspace --name test-workspace
+    - name: Generate crates && contracts
+      run: cd test-workspace &&
+        make generate CRATE=clib TEMPLATE=c-wrapper-crate DESTINATION=crates TEMPLATE_TYPE=--path TEMPLATE_REPO=.. &&
+        make generate CRATE=rlib TEMPLATE=x64-simulator-crate DESTINATION=crates TEMPLATE_TYPE=--path TEMPLATE_REPO=.. &&
+        make generate CRATE=c1 TEMPLATE=contract TEMPLATE_TYPE=--path TEMPLATE_REPO=.. &&
+        make generate CRATE=c2 TEMPLATE=atomics-contract TEMPLATE_TYPE=--path TEMPLATE_REPO=.. &&
+        make generate CRATE=c3 TEMPLATE=stack-reorder-contract TEMPLATE_TYPE=--path TEMPLATE_REPO=..
+    - name: Submodules
+      run: cd test-workspace &&
+        git submodule add https://github.com/nervosnetwork/ckb-c-stdlib deps/ckb-c-stdlib &&
+        git submodule add https://github.com/xxuejie/lib-dummy-atomics deps/lib-dummy-atomics
+    - name: Reproducible build runs
+      run: cd test-workspace && ./scripts/reproducible_build_docker --update && ./scripts/reproducible_build_docker --no-clean
+    - name: Generate standalone contract
+      run: cargo generate --path . standalone-contract --name test-contract
+    - name: Reproducible build runs
+      run: cd test-contract && ./scripts/reproducible_build_docker --update && ./scripts/reproducible_build_docker --no-clean
+
   windows-build:
 
     runs-on: windows-2019

README.md

@@ -171,6 +171,30 @@ make test
 
 The templates provided here, use the same conventions as `ckb-native-build-sample` project, so feel free to refer to the more detailed [usage](https://github.com/xxuejie/ckb-native-build-sample?tab=readme-ov-file#usage) doc in the sample project.
 
+### Reproducible Build
+
+When using this set of templates, we always recommend to use locally installed native versions of LLVM & Rust to build and test your scripts. However, reproducible build is an important part of CKB scripts, which would require locked versions of LLVM & Rust to work. It might not be an easy task when using locally installed versions of compilers.
+
+For the time being, we have prepared a script that does reproducible build via [a docker container image](https://github.com/cryptape/llvm-n-rust). We do want to mention that docker is not necessarily THE way to do reproducible build, nor is it the best way to do reproducible build. There might well be other ways that are better, such as chroot or Nix. It's just that historically, docker has been used in CKB script's build process, and adding a script leveraging docker here, provides an easy solution into the issue.
+
+To do reproducible build, you can use the included script with varying commands:
+
+```
+$ ./scripts/reproducible_build_docker               # Clean current repository, used locked LLVM & Rust from a docker container
+                                                    # to build all contracts, then test the binaries against a checksum file.
+
+$ ./scripts/reproducible_build_docker --update      # Update the checksum file with new binaries, could be handy when you have
+                                                    # made changes to the binaries.
+
+$ ./scripts/reproducible_build_docker --no-clean    # Do not clean intermediate files before building, it is not recommended to
+                                                    # use this but when you really know what you are doing, it could help you save
+                                                    # some time.
+
+$ ./scripts/reproducible_build_docker --proxy "..." # Setup docker container so it pulls Rust crates using a proxy server
+```
+
+By default, the checksum file is stored in `checksums.txt` in the root of the repository. It is strongly recommended that this file is checked into version control, and a CI is setup so reproducible build is always checked in new commits.
+
 ### Standalone Contract Crate
 
 In rare cases if you want to simply use a standalone contract crate without a workspace. The [standalone-contract](https://github.com/cryptape/ckb-script-templates/tree/main/standalone-contract) template is prepared for you:

standalone-contract/Makefile

@@ -24,7 +24,7 @@ BUILD_DIR := build/$(MODE)
 # likely match the crate name, which is also the name of the final binary.
 # However if this is not the case, you can tweak this variable. As the name hints,
 # more than one binary is supported here.
-BINARIES := $(notdir $(shell pwd))
+BINARIES := {{project-name}}
 
 ifeq (release,$(MODE))
 	MODE_ARGS := --release
@@ -75,4 +75,9 @@ clean:
 prepare:
 	rustup target add riscv64imac-unknown-none-elf
 
+# Generate checksum info for reproducible build
+CHECKSUM_FILE := build/checksums-$(MODE).txt
+checksum: build
+	shasum -a 256 build/$(MODE)/* > $(CHECKSUM_FILE)
+
 .PHONY: build test check clippy fmt cargo clean prepare

standalone-contract/scripts/reproducible_build_docker

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+#
+# An utility script helping with reproducible script builds via docker.
+# Note that this utility serves only as one example, docker is not
+# necessarily THE way to do reproducible build, nor is it the best way
+# to do reproducible build.
+set -ex
+
+DOCKER="${DOCKER:-docker}"
+DOCKER_IMAGE="${DOCKER_IMAGE:-docker.io/cryptape/llvm-n-rust:20240630}"
+CHECKSUM_FILE_PATH="${CHECKSUM_FILE_PATH:-checksums.txt}"
+
+# We are parsing command line arguments based on tips from:
+# https://stackoverflow.com/a/14203146
+
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    -p|--proxy)
+      PROXY="$2"
+      shift # past argument
+      shift # past value
+      ;;
+    -u|--update)
+      UPDATE="yes"
+      shift # past argument
+      ;;
+    --no-clean)
+      NOCLEAN="yes"
+      shift # past argument
+      ;;
+    -*|--*)
+      echo "Unknown option $1"
+      exit 1
+      ;;
+    *)
+      echo "Unknown argument $1"
+      exit 1
+      ;;
+  esac
+done
+
+if [[ -n "${PROXY}" ]]; then
+  DOCKER_RUN_ARGS="-e ALL_PROXY=${PROXY} -e HTTPS_PROXY=${PROXY} -e HTTP_PROXY=${PROXY} ${DOCKER_RUN_ARGS}"
+fi
+
+TASKS=""
+if [[ "${NOCLEAN}" != "yes" ]]; then
+  TASKS+=" clean "
+fi
+
+if [[ "${UPDATE}" = "yes" ]]; then
+  TASKS+=" checksum CHECKSUM_FILE=${CHECKSUM_FILE_PATH} "
+else
+  TASKS+=" build "
+fi
+
+$DOCKER run --rm $DOCKER_RUN_ARGS -v `pwd`:/code $DOCKER_IMAGE make $TASKS
+# Reset file ownerships for all files docker might touch
+$DOCKER run --rm $DOCKER_RUN_ARGS -e UID=`id -u` -e GID=`id -g` -v `pwd`:/code $DOCKER_IMAGE bash -c 'chown -R -f $UID:$GID checksums.txt build target'
+
+if [[ "${UPDATE}" = "yes" ]]; then
+  echo "${CHECKSUM_FILE_PATH} file is updated with latest binary hashes!"
+else
+  shasum -a 256 -c ${CHECKSUM_FILE_PATH}
+fi

workspace/Makefile

@@ -110,6 +110,6 @@ prepare:
 # Generate checksum info for reproducible build
 CHECKSUM_FILE := build/checksums-$(MODE).txt
 checksum: build
-	sha256sum build/$(MODE)/* > $(CHECKSUM_FILE)
+	shasum -a 256 build/$(MODE)/* > $(CHECKSUM_FILE)
 
 .PHONY: build test check clippy fmt cargo clean prepare checksum

workspace/scripts/reproducible_build_docker

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+#
+# An utility script helping with reproducible script builds via docker.
+# Note that this utility serves only as one example, docker is not
+# necessarily THE way to do reproducible build, nor is it the best way
+# to do reproducible build.
+set -ex
+
+DOCKER="${DOCKER:-docker}"
+DOCKER_IMAGE="${DOCKER_IMAGE:-docker.io/cryptape/llvm-n-rust:20240630}"
+CHECKSUM_FILE_PATH="${CHECKSUM_FILE_PATH:-checksums.txt}"
+
+# We are parsing command line arguments based on tips from:
+# https://stackoverflow.com/a/14203146
+
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    -p|--proxy)
+      PROXY="$2"
+      shift # past argument
+      shift # past value
+      ;;
+    -u|--update)
+      UPDATE="yes"
+      shift # past argument
+      ;;
+    --no-clean)
+      NOCLEAN="yes"
+      shift # past argument
+      ;;
+    -*|--*)
+      echo "Unknown option $1"
+      exit 1
+      ;;
+    *)
+      echo "Unknown argument $1"
+      exit 1
+      ;;
+  esac
+done
+
+if [[ -n "${PROXY}" ]]; then
+  DOCKER_RUN_ARGS="-e ALL_PROXY=${PROXY} -e HTTPS_PROXY=${PROXY} -e HTTP_PROXY=${PROXY} ${DOCKER_RUN_ARGS}"
+fi
+
+TASKS=""
+if [[ "${NOCLEAN}" != "yes" ]]; then
+  TASKS+=" clean "
+fi
+
+if [[ "${UPDATE}" = "yes" ]]; then
+  TASKS+=" checksum CHECKSUM_FILE=${CHECKSUM_FILE_PATH} "
+else
+  TASKS+=" build "
+fi
+
+$DOCKER run --rm $DOCKER_RUN_ARGS -v `pwd`:/code $DOCKER_IMAGE make $TASKS
+# Reset file ownerships for all files docker might touch
+$DOCKER run --rm $DOCKER_RUN_ARGS -e UID=`id -u` -e GID=`id -g` -v `pwd`:/code $DOCKER_IMAGE bash -c 'chown -R -f $UID:$GID checksums.txt build target'
+
+if [[ "${UPDATE}" = "yes" ]]; then
+  echo "${CHECKSUM_FILE_PATH} file is updated with latest binary hashes!"
+else
+  shasum -a 256 -c ${CHECKSUM_FILE_PATH}
+fi