chore: ignore Safety 73711 in cryptography #525
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Package builds | |
on: | |
- merge_group | |
- push | |
- pull_request | |
# Only build for latest push/PR unless it's main or release/ | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: ${{ github.ref != 'refs/heads/main' && !startsWith( github.ref, 'refs/heads/release/' ) }} | |
defaults: | |
run: | |
shell: bash | |
jobs: | |
build-debs: | |
strategy: | |
matrix: | |
build: [one, two] | |
ubuntu_version: [focal, noble] | |
# TODO: change this back to ubuntu-latest once it is consistently 24.04 | |
runs-on: ubuntu-24.04 | |
outputs: | |
artifact_id: ${{ steps.upload.outputs.artifact-id }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: '3.8' | |
- name: Build packages | |
run: | | |
UBUNTU_VERSION=${{ matrix.ubuntu_version }} ./builder/build-debs.sh | |
- name: Build OSSEC packages | |
run: | | |
UBUNTU_VERSION=${{ matrix.ubuntu_version }} WHAT=ossec ./builder/build-debs.sh | |
- uses: actions/upload-artifact@v4 | |
id: upload | |
with: | |
name: ${{ matrix.ubuntu_version }}-${{ matrix.build }} | |
path: build/${{ matrix.ubuntu_version }} | |
if-no-files-found: error | |
reproducible-debs: | |
strategy: | |
matrix: | |
ubuntu_version: [focal, noble] | |
runs-on: ubuntu-latest | |
container: debian:bookworm | |
needs: | |
- build-debs | |
steps: | |
- name: Install dependencies | |
run: | | |
apt-get update && apt-get install --yes diffoscope-minimal \ | |
--no-install-recommends | |
- uses: actions/download-artifact@v4 | |
with: | |
pattern: "${{ matrix.ubuntu_version }}-*" | |
- name: diffoscope | |
run: | | |
find . -name '*.deb' -exec sha256sum {} \; | |
# FIXME: securedrop-app-code isn't reproducible | |
for pkg in ossec-agent ossec-server securedrop-config securedrop-keyring securedrop-ossec-agent securedrop-ossec-server | |
do | |
echo "Checking ${pkg}..." | |
diffoscope ${{ matrix.ubuntu_version }}-one/${pkg}*.deb ${{ matrix.ubuntu_version }}-two/${pkg}*.deb | |
done |