mirror of
https://github.com/tenrok/axios.git
synced 2026-06-17 19:21:29 +03:00
dependabot[bot]
bd88727198
Bumps the github-actions group with 1 update: [actions/setup-node](https://github.com/actions/setup-node). Updates `actions/setup-node` from 6.3.0 to 6.4.0 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](https://github.com/actions/setup-node/compare/53b83947a5a98c8d113130e565377fae1a50d02f...48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e) --- updated-dependencies: - dependency-name: actions/setup-node dependency-version: 6.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
82 lines
2.4 KiB
YAML
82 lines
2.4 KiB
YAML
name: Verify build reproducibility
|
|
|
|
on:
|
|
pull_request:
|
|
paths:
|
|
- 'lib/**'
|
|
- 'rollup.config.js'
|
|
- 'package.json'
|
|
- 'package-lock.json'
|
|
- '.github/workflows/verify-build-reproducibility.yml'
|
|
push:
|
|
branches: [v1.x]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
verify-reproducible-build:
|
|
name: Two-pass build and diff
|
|
runs-on: ubuntu-latest
|
|
# Non-blocking until divergence is eliminated. Surfaces regressions in
|
|
# the build's determinism without gating merges. Remove this line to
|
|
# promote to a hard gate once the build is byte-identical across runs.
|
|
continue-on-error: true
|
|
steps:
|
|
- name: Checkout repo
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Setup node
|
|
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
|
|
with:
|
|
node-version: 24.x
|
|
cache: npm
|
|
|
|
- name: Install (pass 1)
|
|
run: npm ci --ignore-scripts
|
|
|
|
- name: Build (pass 1)
|
|
run: npm run build
|
|
|
|
- name: Snapshot pass 1
|
|
run: |
|
|
mv dist dist-pass1
|
|
find dist-pass1 -type f -exec sha256sum {} + | sort -k2 > pass1.sha256
|
|
echo "--- pass 1 hashes ---"
|
|
cat pass1.sha256
|
|
|
|
- name: Clean and reinstall (pass 2)
|
|
run: |
|
|
rm -rf node_modules
|
|
npm ci --ignore-scripts
|
|
|
|
- name: Build (pass 2)
|
|
run: npm run build
|
|
|
|
- name: Snapshot pass 2 and diff
|
|
run: |
|
|
find dist -type f -exec sha256sum {} + | sort -k2 | sed 's| dist/| dist-pass1/|' > pass2.sha256
|
|
echo "--- pass 2 hashes (path-normalised) ---"
|
|
cat pass2.sha256
|
|
if ! diff -u pass1.sha256 pass2.sha256; then
|
|
echo "::warning::Build is not reproducible — dist/ differs between passes."
|
|
echo "This does not fail the job (continue-on-error: true) but is visible in the run summary."
|
|
echo "See THREATMODEL.md §T-S5 for context."
|
|
exit 1
|
|
fi
|
|
echo "Build is byte-identical across passes."
|
|
|
|
- name: Upload diff artifact on divergence
|
|
if: failure()
|
|
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
|
|
with:
|
|
name: reproducibility-diff
|
|
path: |
|
|
pass1.sha256
|
|
pass2.sha256
|
|
dist-pass1
|
|
dist
|
|
retention-days: 7
|