Add buildroot image and workflow

In order to build shim reproducibly, the build environment needs to be reproducible. Unlike Debian's snapshot service, Endless does have access to old packages. The container image here is intended to contain all necessary build dependencies so that shim can be built reproducibly in it. The image should be built and published whenever shim is built for Endless OS so that it matches that build environment as well as possible.
endlessm · Aug 21, 2024 · 9c8f6d0 · 9c8f6d0
1 parent 1a54c18
commit 9c8f6d0
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 0 deletions.
diff --git a/.github/workflows/buildroot.yml b/.github/workflows/buildroot.yml
@@ -0,0 +1,28 @@
+name: Buildroot image
+
+on:
+  # This is only run manually since we only want to update the image
+  # when shim is updated and built for Endless OS.
+  workflow_dispatch:
+
+jobs:
+  image:
+    name: Build and publish image
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+
+    env:
+      IMAGE_REPO: ghcr.io/${{ github.repository_owner }}/shim-review-buildroot
+      IMAGE_TAG: endless-shim-x64-20240820
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Build image
+        run: docker build -f Dockerfile-buildroot -t "$IMAGE_REPO:$IMAGE_TAG" .
+      - name: Registry login
+        run: docker login -u ${{ github.actor }} --password-stdin ghcr.io <<< "${{ secrets.GITHUB_TOKEN }}"
+      - name: Push image
+        run: docker push "$IMAGE_REPO:$IMAGE_TAG"
diff --git a/Dockerfile-buildroot b/Dockerfile-buildroot
@@ -0,0 +1,16 @@
+# The purpose of this image is to have a static build environment
+# containing all build dependencies. It should be rebuilt when shim is
+# updated in Endless OS to capture the environment at that time.
+
+FROM docker.io/endlessm/eos:master
+
+RUN export DEBIAN_FRONTEND=noninteractive && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends \
+      build-essential git-buildpackage pristine-tar && \
+    apt-get build-dep -y --no-install-recommends shim && \
+    apt-get clean
+
+LABEL org.opencontainers.image.source=https://github.com/endlessm/shim-review
+LABEL org.opencontainers.image.description="Endless shim-review buildroot image"
+LABEL org.opencontainers.image.licenses=GPL-2.0-or-later