From cfa4478ace10408527ccb582c677ff3172382ae2 Mon Sep 17 00:00:00 2001
From: Alex Pyrgiotis <alex.p@freedom.press>
Date: Tue, 14 Jan 2025 10:51:33 +0200
Subject: [PATCH] ci: Add a CI job that enforces image reproducibility

Add a CI job that uses the `reproduce.py` dev script to enforce image
reproducibility, for every PR that we send to the repo.

Fixes #1047
---
 .github/workflows/ci.yml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f4e7f4041..0c32c9c40 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -471,3 +471,30 @@ jobs:
           #     file successfully.
           xvfb-run -s '-ac' ./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} run --dev \
               bash -c 'cd dangerzone; poetry run make test'
+
+  check-reproducibility:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install dev. dependencies
+        run: |-
+          sudo apt-get update
+          sudo apt-get install -y git python3-poetry --no-install-recommends
+          poetry install --only package
+
+      - name: Verify that the Dockerfile matches the commited template and params
+        run: |-
+          cp Dockerfile Dockerfile.orig
+          make Dockerfile
+          diff Dockerfile.orig Dockerfile
+
+      - name: Build Dangerzone container image
+        run: |
+          python3 ./install/common/build-image.py --no-save
+
+      - name: Reproduce the same container image
+        run: |
+          ./dev_scripts/reproduce-image.py