[DO NOT MERGE] Macos repr exp #178
base: main
…ADME, flake.nix, and rust-toolchain.toml with detailed instructions and fixed versions
…ows target and updating README with detailed build instructions for multiple platforms
…ompilation support - Added a description field to Cargo.toml for better project clarity. - Updated reqwest dependency to disable default features and enable rustls-tls. - Consolidated secp256k1 and tokio dependencies for cleaner formatting. - Introduced release profile settings in Cargo.toml for deterministic builds. - Refactored flake.nix to streamline cross-compilation setup for multiple target systems. - Enhanced Windows cross-compilation support with proper linker and environment configurations. - Improved development shell setup in flake.nix for easier access to build tools and dependencies.
…p instructions in README.md
…r improved clarity
…nhanced platform support - Moved detailed reproducible builds instructions from contrib/reproducible/README.md to docs/reproducible-builds.md for better organization. - Updated flake.nix to include additional target platforms: ARMv7, RISC-V, and PowerPC64, with appropriate configurations for cross-compilation. - Added a new script, update-hashes.sh, to assist in updating git dependency hashes in flake.nix, improving the build process.
…tform support and remove PowerPC64 references
…t and updating hash verification logic
…producible builds documentation
…inux/Windows and macOS documentation checks
…lds documentation
* Add reproducible builds verification workflow and update related scripts
* Enhance reproducibility verification workflow for Windows and macOS builds
* Update Nix installation action to version 31 in reproducible builds workflow
* Enhance reproducibility verification by adding platform matrix support and updating hash verification logic
* Refactor output messages in reproducibility scripts for consistency and clarity
* Update hash values for reproducible builds across platforms
* Update build hash verification by excluding non-build-affecting files from source
* Update hash values for aarch64, arm, riscv, and win64 platforms in reproducible builds documentation
* Refactor hash verification jobs for reproducible builds to separate Linux/Windows and macOS documentation checks
* Update hash values for x86_64 and arm64 platforms in reproducible builds documentation
* Update reproducible builds workflow to trigger on pull requests and ensure jobs only run for non-draft PRs
* Refactor reproducible builds documentation for clarity and conciseness
* Refactor reproducible builds workflow to simplify build steps
* Update available targets in flake.nix to remove unsupported macOS platforms for Linux builds
* Refactor reproducible builds workflow by removing Linux verification job and consolidating hash verification steps for Linux and macOS
| name: Build & Verify Documented Hashes (macOS) | ||
| runs-on: macos-latest | ||
| if: github.event.pull_request.draft == false | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| platform: | ||
| - x86_64-apple-darwin | ||
| - arm64-apple-darwin | ||
|
|
||
| steps: | ||
| - name: Collect Workflow Telemetry | ||
| uses: catchpoint/workflow-telemetry-action@v2 | ||
| with: | ||
| comment_on_pr: false | ||
|
|
||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Install Nix | ||
| uses: cachix/install-nix-action@v31 | ||
| with: | ||
| extra_nix_config: | | ||
| experimental-features = nix-command flakes | ||
| # Add nix-community cache to pull the hermetic Apple SDK | ||
| substituters = https://cache.nixos.org/ https://nix-community.cachix.org | ||
| trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-community.cachix.org-1:mB9FSh9rzoXEAFIuZOjU/sAMulcfhref3HjEDflGYW8= | ||
|
|
||
| - name: Setup Cachix (optional binary cache) | ||
| uses: cachix/cachix-action@v13 | ||
| with: | ||
| name: clementine-cli | ||
| skipPush: true | ||
| continue-on-error: true | ||
|
|
||
| - name: Build ${{ matrix.platform }} | ||
| run: | | ||
| echo "Building ${{ matrix.platform }} to verify documented hash..." | ||
| nix build .#${{ matrix.platform }} | ||
| echo "Build complete" | ||
|
|
||
| - name: Upload binary artifact | ||
| if: success() | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: clementine-cli-${{ matrix.platform }} | ||
| path: result/bin/* | ||
| retention-days: 7 | ||
|
|
||
| - name: Verify documented hash for ${{ matrix.platform }} | ||
| run: | | ||
| ACTUAL_HASH=$(nix hash path ./result) | ||
|
|
||
| # Extract documented hash from reproducible-builds.md | ||
| # Platform names are in bold (**platform**) in the markdown table | ||
| # Table format: | **platform** | `hash` | | ||
| DOCUMENTED_HASH=$(grep "\*\*${{ matrix.platform }}\*\*" docs/reproducible-builds.md | sed 's/.*`\(sha256-[^`]*\)`.*/\1/') | ||
|
|
||
| echo "Platform: ${{ matrix.platform }}" | ||
| echo "Documented hash: $DOCUMENTED_HASH" | ||
| echo "Actual hash: $ACTUAL_HASH" | ||
| echo "" | ||
|
|
||
| if [ -z "$DOCUMENTED_HASH" ]; then | ||
| echo "ERROR: No documented hash found for ${{ matrix.platform }}" | ||
| echo "Please add the hash to docs/reproducible-builds.md Expected Hashes table:" | ||
| echo " $ACTUAL_HASH" | ||
| exit 1 | ||
| elif [ "$DOCUMENTED_HASH" != "$ACTUAL_HASH" ]; then | ||
| echo "ERROR: Documented hash does not match actual build hash!" | ||
| echo "The hash in docs/reproducible-builds.md is outdated." | ||
| echo "" | ||
| echo "Please update docs/reproducible-builds.md with the new hash:" | ||
| echo " Platform: ${{ matrix.platform }}" | ||
| echo " Old hash: $DOCUMENTED_HASH" | ||
| echo " New hash: $ACTUAL_HASH" | ||
| exit 1 | ||
| else | ||
| echo "OK: Documented hash matches actual build for ${{ matrix.platform }}" | ||
| fi | ||
|
|
||
| build-summary: |
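Review bot: the `DOCUMENTED_HASH=` extraction in the `Verify documented hash` step conflates a missing row with a malformed one: `sed` without `-n` prints its input line unchanged when the `sha256-` substitution does not match, so a platform row that exists but has no backticked hash makes `DOCUMENTED_HASH` non-empty and the script reports "outdated" instead of "no documented hash"; use `sed -n` with the `p` flag on the substitution so only an actual hash is captured, and pipe through `head -n 1` in case more than one row matches. Separately, every action in this job (`catchpoint/workflow-telemetry-action@v2`, `cachix/install-nix-action@v31`, `cachix/cachix-action@v13`, `actions/checkout@v4`, `actions/upload-artifact@v4`) is referenced by a mutable tag; for a job whose output is a claim that a build is reproducible, pin them to full commit SHAs so the verifier's own inputs are fixed, and consider documenting that the macOS hashes depend on the Apple SDK served from the `nix-community.cachix.org` substituter added to `trusted-public-keys`.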
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 days ago
The best way to fix this problem is to explicitly add a permissions block at the root of the workflow file, which applies to all jobs unless specifically overridden. This block should restrict permissions to the minimum required, which, in this case, is contents: read. This will mitigate the risk of accidental privilege escalation or misuse of the GITHUB_TOKEN in jobs that don't require write access.
How to fix:
- Add the following block right under the `name:` entry, before any jobs or triggers:
  permissions:
    contents: read
- This restricts the token to read-only repository contents access for all jobs in the workflow, unless a job specifically overrides it.
- No new imports or methods are needed for this change.
| @@ -1,4 +1,6 @@ | ||
| name: Reproducible Builds Verification | ||
| permissions: | ||
| contents: read | ||
|
|
||
| # Platform coverage: | ||
| # - Linux: x86_64, ARM64 (aarch64), Windows cross-compile (via Nix) |
| name: Build Summary | ||
| runs-on: ubuntu-latest | ||
| needs: [verify-reproducibility-windows, verify-hash-documentation-linux, verify-hash-documentation-macos] | ||
| if: always() | ||
|
|
||
| steps: | ||
| - name: Check results | ||
| run: | | ||
| WINDOWS_RESULT="${{ needs.verify-reproducibility-windows.result }}" | ||
| DOCS_LINUX_RESULT="${{ needs.verify-hash-documentation-linux.result }}" | ||
| DOCS_MACOS_RESULT="${{ needs.verify-hash-documentation-macos.result }}" | ||
|
|
||
| echo "Build Results Summary:" | ||
| echo " Windows (native): $WINDOWS_RESULT" | ||
| echo " Nix Builds & Docs (Linux/Win): $DOCS_LINUX_RESULT" | ||
| echo " Nix Builds & Docs (macOS): $DOCS_MACOS_RESULT" | ||
| echo "" | ||
|
|
||
| # All jobs must succeed | ||
| if [ "$WINDOWS_RESULT" = "success" ] && [ "$DOCS_LINUX_RESULT" = "success" ] && [ "$DOCS_MACOS_RESULT" = "success" ]; then | ||
| echo "OK: All verifications passed!" | ||
| echo "" | ||
| echo "Reproducible builds completed and verified:" | ||
| echo " - Windows (x86_64-pc-windows-msvc) native via cargo" | ||
| echo " - All Nix platforms (Linux, Windows-cross, macOS)" | ||
| echo "" | ||
| echo "Documentation verified:" | ||
| echo " - All platform hashes match docs/reproducible-builds.md" | ||
| exit 0 | ||
| else | ||
| echo "ERROR: Verification failed on one or more checks" | ||
| echo "" | ||
| if [ "$DOCS_LINUX_RESULT" != "success" ] || [ "$DOCS_MACOS_RESULT" != "success" ]; then | ||
| echo " Documentation hash mismatch detected!" | ||
| echo " This means the code/dependencies changed and docs need updating." | ||
| echo " Please update docs/reproducible-builds.md with new hashes." | ||
| echo "" | ||
| fi | ||
| echo "Check the individual job logs for details" | ||
| exit 1 | ||
| fi No newline at end of file |
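Review bot: the success branch at `if [ "$WINDOWS_RESULT" = "success" ] && [ "$DOCS_LINUX_RESULT" = "success" ] && ...` is unreachable while `verify-reproducibility-windows` and `verify-hash-documentation-linux` carry `if: false` elsewhere in this diff: a job skipped by its `if` reports `needs.<job>.result` as `skipped`, not `success`, so `build-summary` (run under `if: always()`) exits 1 on every run, and the `$DOCS_LINUX_RESULT != "success"` test then prints "Documentation hash mismatch detected!" even when the macOS check passed. If those jobs are meant to stay disabled for this experiment, treat `skipped` as non-failing for them (or drop them from `needs`) so the summary reflects the macOS result.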
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 days ago
To address the issue, explicitly add a permissions block to the flagged job ("build-summary"), restricting token access to read-only for repository contents and disabling all others by default.
Best practice is to set at least contents: read (or use the global minimal-permission block) to clarify intent and prevent privilege escalation should further steps be added.
This should be added under job (level 234), right after name: Build Summary, but before runs-on. No other changes are required.
| @@ -232,6 +232,8 @@ | ||
|
|
||
| build-summary: | ||
| name: Build Summary | ||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-latest | ||
| needs: [verify-reproducibility-windows, verify-hash-documentation-linux, verify-hash-documentation-macos] | ||
| if: false |
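Review bot: a job-level `permissions:` block here covers only `build-summary`, while the other three jobs in this workflow carry the same CodeQL finding; the root-level `permissions: contents: read` proposed in the sibling suggestions is the simpler fix and makes this one redundant. Note also that this suggestion's context shows `if: false` on `build-summary`, whereas the job as shown in the diff above has `if: always()`, so the autofix appears to have been generated against a different revision and should be applied by hand rather than copied verbatim.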
| name: Verify Reproducible Windows Build (Native) | ||
| runs-on: windows-latest | ||
| if: false | ||
|
|
||
| steps: | ||
| - name: Collect Workflow Telemetry | ||
| uses: catchpoint/workflow-telemetry-action@v2 | ||
| with: | ||
| comment_on_pr: false | ||
|
|
||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Install Rust toolchain | ||
| uses: actions-rust-lang/setup-rust-toolchain@v1 | ||
| with: | ||
| toolchain: "1.89.0" | ||
| components: rustfmt, rust-src | ||
|
|
||
| - name: Build | ||
| shell: bash | ||
| env: | ||
| SOURCE_DATE_EPOCH: "1" | ||
| RUSTFLAGS: "-C debuginfo=0 -C opt-level=3 -C codegen-units=1 -C strip=none -C link-arg=/PDBALTPATH:clementine-cli.pdb -C link-arg=/Brepro" | ||
| run: | | ||
| echo "Building for Windows native (x86_64-pc-windows-msvc) with reproducible settings..." | ||
| cargo build --release | ||
| echo "Build complete" | ||
|
|
||
| - name: Calculate build hash | ||
| id: hash | ||
| shell: bash | ||
| run: | | ||
| HASH=$(sha256sum target/release/clementine-cli.exe | awk '{print $1}') | ||
| echo "hash=$HASH" >> $GITHUB_OUTPUT | ||
| echo "Build hash: $HASH" | ||
|
|
||
| - name: Upload binary artifact | ||
| if: success() | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: clementine-cli-windows-native | ||
| path: target/release/clementine-cli.exe | ||
| retention-days: 7 | ||
|
|
||
| verify-hash-documentation-linux: |
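Review bot: the `Calculate build hash` step computes `sha256sum target/release/clementine-cli.exe` and writes it to `$GITHUB_OUTPUT`, but nothing in this diff compares it to a documented value or reads `steps.hash.outputs.hash`; unlike the Nix jobs, this one passes whenever `cargo build --release` succeeds, so it does not actually verify reproducibility. Either add the same comparison against `docs/reproducible-builds.md` that the Nix jobs perform, or document that the native Windows job is build-only. This hash (SHA-256 of the `.exe`) and the Nix jobs' `nix hash path ./result` (a NAR hash of the whole output path) are also different formats, so the `win64` Nix target and this native build cannot be cross-checked against each other directly.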
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 days ago
To fix the problem, you should add a permissions block specifying minimal required permissions. The best practice is to add this at the root level of the workflow (i.e., before `jobs:`), unless specific jobs need more granular settings. For the type of builds and artifact uploads shown, explicit `contents: read` is sufficient unless specific steps need more; in this case, nothing appears to require write. Therefore, add:
permissions:
  contents: read
at the top level after the `name:` block and before `on:` (most conventional) in .github/workflows/reproducible-builds.yml. If later you discover that specific jobs require extra privileges (e.g. commenting on PRs), you can extend permissions in those jobs.
| @@ -1,5 +1,8 @@ | ||
| name: Reproducible Builds Verification | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| # Platform coverage: | ||
| # - Linux: x86_64, ARM64 (aarch64), Windows cross-compile (via Nix) | ||
| # - Windows: Native build (x86_64-pc-windows-msvc via cargo) |
| name: Build & Verify Documented Hashes (Linux/Windows-Nix) | ||
| runs-on: ubuntu-latest | ||
| if: false | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| platform: | ||
| - x86_64-linux-gnu | ||
| - aarch64-linux-gnu | ||
| - arm-linux-gnueabihf | ||
| - riscv64-linux-gnu | ||
| - win64 | ||
|
|
||
| steps: | ||
| - name: Collect Workflow Telemetry | ||
| uses: catchpoint/workflow-telemetry-action@v2 | ||
| with: | ||
| comment_on_pr: false | ||
|
|
||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Install Nix | ||
| uses: cachix/install-nix-action@v31 | ||
| with: | ||
| extra_nix_config: | | ||
| experimental-features = nix-command flakes | ||
|
|
||
| - name: Setup Cachix (optional binary cache) | ||
| uses: cachix/cachix-action@v13 | ||
| with: | ||
| name: clementine-cli | ||
| skipPush: true | ||
| continue-on-error: true | ||
|
|
||
| - name: Build ${{ matrix.platform }} | ||
| run: | | ||
| echo "Building ${{ matrix.platform }} to verify documented hash..." | ||
| nix build .#${{ matrix.platform }} | ||
| echo "Build complete" | ||
|
|
||
| - name: Upload binary artifact | ||
| if: success() | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: clementine-cli-${{ matrix.platform }} | ||
| path: result/bin/* | ||
| retention-days: 7 | ||
|
|
||
| - name: Verify documented hash for ${{ matrix.platform }} | ||
| run: | | ||
| ACTUAL_HASH=$(nix hash path ./result) | ||
|
|
||
| # Extract documented hash from reproducible-builds.md | ||
| # Platform names are in bold (**platform**) in the markdown table | ||
| # Table format: | **platform** | `hash` | | ||
| DOCUMENTED_HASH=$(grep "\*\*${{ matrix.platform }}\*\*" docs/reproducible-builds.md | sed 's/.*`\(sha256-[^`]*\)`.*/\1/') | ||
|
|
||
| echo "Platform: ${{ matrix.platform }}" | ||
| echo "Documented hash: $DOCUMENTED_HASH" | ||
| echo "Actual hash: $ACTUAL_HASH" | ||
| echo "" | ||
|
|
||
| if [ -z "$DOCUMENTED_HASH" ]; then | ||
| echo "ERROR: No documented hash found for ${{ matrix.platform }}" | ||
| echo "Please add the hash to docs/reproducible-builds.md Expected Hashes table:" | ||
| echo " $ACTUAL_HASH" | ||
| exit 1 | ||
| elif [ "$DOCUMENTED_HASH" != "$ACTUAL_HASH" ]; then | ||
| echo "ERROR: Documented hash does not match actual build hash!" | ||
| echo "The hash in docs/reproducible-builds.md is outdated." | ||
| echo "" | ||
| echo "Please update docs/reproducible-builds.md with the new hash:" | ||
| echo " Platform: ${{ matrix.platform }}" | ||
| echo " Old hash: $DOCUMENTED_HASH" | ||
| echo " New hash: $ACTUAL_HASH" | ||
| exit 1 | ||
| else | ||
| echo "OK: Documented hash matches actual build for ${{ matrix.platform }}" | ||
| fi | ||
|
|
||
| verify-hash-documentation-macos: |
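Review bot: the `Verify documented hash` step in this job is copied verbatim from the macOS job above (same `grep`/`sed` extraction, same messages), so any fix to one copy has to be repeated in the other; move the verification into a checked-in script that takes the platform as an argument so both matrix jobs share one implementation. The same `sed` caveat applies here: without `-n` and a `p` flag on the substitution, a platform row that exists but has no backticked `sha256-` value is reported as an outdated hash rather than a missing one.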
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 days ago
To fix this problem, add a permissions block to the workflow file. The best practice is to set this either at the root level (to cover all jobs unless individually overridden) or on the specific job (verify-hash-documentation-linux). Because none of the jobs (including the highlighted one) appear to need anything but minimal access, set permissions: contents: read at the workflow root (directly below the name line). This establishes least privilege for all jobs, unless overridden later. No changes to functionality are introduced; all artifact uploads, checkouts, and hashing remain unaffected because the relevant actions only require read access to repository contents.
Edits needed:
- Insert under line 1 (`name: Reproducible Builds Verification`):
  permissions:
    contents: read
No imports or additional definitions required.
| @@ -1,4 +1,6 @@ | ||
| name: Reproducible Builds Verification | ||
| permissions: | ||
| contents: read | ||
|
|
||
| # Platform coverage: | ||
| # - Linux: x86_64, ARM64 (aarch64), Windows cross-compile (via Nix) |
No description provided.