mirror of
https://github.com/tenrok/axios.git
synced 2026-06-17 19:21:29 +03:00
b2890f8efb
Bumps the github-actions group with 3 updates: [actions/upload-artifact](https://github.com/actions/upload-artifact), [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) and [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action). Updates `actions/upload-artifact` from 7.0.0 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/bbbca2ddaa5d8feaa63e36b76fdaad77386f024f...043fb46d1a93c77aae656e7c1c64a875d1fc6a0a) Updates `peter-evans/create-pull-request` from 8.1.0 to 8.1.1 - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/c0f553fe549906ede9cf27b5156039d195d2ece0...5f6978faf089d4d20b00c7766989d076bb2fc7f1) Updates `zizmorcore/zizmor-action` from 0.5.2 to 0.5.3 - [Release notes](https://github.com/zizmorcore/zizmor-action/releases) - [Commits](https://github.com/zizmorcore/zizmor-action/compare/71321a20a9ded102f6e9ce5718a2fcec2c4f70d8...b1d7e1fb5de872772f31590499237e7cce841e8e) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: peter-evans/create-pull-request dependency-version: 8.1.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: zizmorcore/zizmor-action dependency-version: 0.5.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jay <jasonsaayman@gmail.com>
82 lines
2.4 KiB
YAML
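# Builds the package twice in one job, hashes every file under dist/ after
# each build, and diffs the two hash lists. Identical lists mean the build
# was deterministic on this runner.
#
# Scope of the check: both passes share the same runner, Node version,
# lockfile and (via `cache: npm` below) the same restored npm cache. Matching
# hashes therefore show that the build is deterministic; they do not show
# that the installed dependencies or the toolchain are trustworthy.
name: Verify build reproducibility

on:
  pull_request:
    paths:
      - 'lib/**'
      - 'rollup.config.js'
      - 'package.json'
      - 'package-lock.json'
      - '.github/workflows/verify-build-reproducibility.yml'
  push:
    branches: [v1.x]

# Least privilege: the job only reads the repository, so the workflow token
# is limited to read access on contents.
permissions:
  contents: read

jobs:
  verify-reproducible-build:
    name: Two-pass build and diff
    runs-on: ubuntu-latest
    # Non-blocking until divergence is eliminated. Surfaces regressions in
    # the build's determinism without gating merges. Remove this line to
    # promote to a hard gate once the build is byte-identical across runs.
    continue-on-error: true
    steps:
      # Third-party actions are pinned to a full commit SHA; the trailing
      # comment records the release that SHA corresponds to.
      - name: Checkout repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Do not leave the workflow token in the checked-out git config,
          # where the build steps below (which run repository and dependency
          # code) could read it.
          persist-credentials: false

      - name: Setup node
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: 24.x
          cache: npm

      # --ignore-scripts keeps dependency lifecycle scripts from running at
      # install time. `npm run build` in the next step still executes the
      # project's build script and whatever tooling it invokes.
      - name: Install (pass 1)
        run: npm ci --ignore-scripts

      - name: Build (pass 1)
        run: npm run build

      # With no explicit `shell:`, run steps use `bash -e`, which does not
      # enable pipefail. It is set here so that a failing find/sha256sum is
      # not masked by the exit status of `sort`.
      - name: Snapshot pass 1
        run: |
          set -o pipefail
          mv dist dist-pass1
          find dist-pass1 -type f -exec sha256sum {} + | sort -k2 > pass1.sha256
          echo "--- pass 1 hashes ---"
          cat pass1.sha256

      # Removes node_modules only. The npm cache restored by setup-node is
      # left in place, so pass 2 installs from the same cached tarballs.
      - name: Clean and reinstall (pass 2)
        run: |
          rm -rf node_modules
          npm ci --ignore-scripts

      - name: Build (pass 2)
        run: npm run build

      # The sed rewrites the dist/ path prefix to dist-pass1/ so the two hash
      # lists can be compared line by line. pipefail is set for the same
      # reason as in the pass 1 snapshot: a hashing failure must stop the step
      # instead of producing a truncated list.
      - name: Snapshot pass 2 and diff
        run: |
          set -o pipefail
          find dist -type f -exec sha256sum {} + | sort -k2 | sed 's| dist/| dist-pass1/|' > pass2.sha256
          echo "--- pass 2 hashes (path-normalised) ---"
          cat pass2.sha256
          if ! diff -u pass1.sha256 pass2.sha256; then
            echo "::warning::Build is not reproducible — dist/ differs between passes."
            echo "This does not fail the job (continue-on-error: true) but is visible in the run summary."
            echo "See THREATMODEL.md §T-S5 for context."
            exit 1
          fi
          echo "Build is byte-identical across passes."

      # Runs only after an earlier step has failed. On pull_request runs the
      # uploaded dist trees were built from the pull request's code, so treat
      # the artifact as untrusted input if anything else ever consumes it.
      - name: Upload diff artifact on divergence
        if: failure()
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: reproducibility-diff
          path: |
            pass1.sha256
            pass2.sha256
            dist-pass1
            dist
          retention-days: 7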