Lance/repros support

.github/workflows/artifacts.yml

@@ -25,3 +25,34 @@ jobs:
         shell: 'script -q -e -c "bash {0}"'
         run: |
             make -j$(nproc)
+  reproduce:
+    name: reproduce artifacts
+    runs-on:
+      group: ubuntu-runners
+    strategy:
+      matrix:
+        host: [144.76.154.76]
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Run `make`
+        run: |
+          mkdir -p ~/.ssh/
+          chmod 700 ~/.ssh
+          echo "${{ secrets.REPROS_KEY }}" > ~/.ssh/repros.key
+          chmod 600 ~/.ssh/repros.key
+          cat >>~/.ssh/config <<-END
+            Host $${{matrix.host}}
+                HostName ${{matrix.host}}
+                User git
+                IdentityFile ~/.ssh/repros.key
+                StrictHostKeyChecking no
+          END
+          echo "Using key: ~/.ssh/repros.key"
+          ssh-keygen -l -f /home/runner/.ssh/repros.key
+          ssh-keyscan -H ${{matrix.host}} >> ~/.ssh/known_hosts
+          git remote add repros-lance git@${{matrix.host}}:qos
+          ssh-agent sh -c " \
+            ssh-add ~/.ssh/repros.key \
+            && git push repros-lance HEAD \
+          "

.repros/config.yml

@@ -0,0 +1,15 @@
+build:
+  command: make
+sign:
+  files:
+    - out/qos_client/index.json
+    - out/qos_enclave/index.json
+    - out/qos_host/index.json
+    - out/digests.txt
+  format: raw
+  method: ssh
+  backing: disk
+storage:
+  method: git
+  location: [email protected]:tkhq/repros-sigs.git
+  path: /qos

Makefile

@@ -3,7 +3,10 @@ include src/macros.mk
 REGISTRY := local
 .DEFAULT_GOAL :=
 .PHONY: default
-default: \
+default: out/digests.txt
+
+.PHONY: all
+all: \
 	out/qos_client/index.json \
 	out/qos_host/index.json \
 	out/qos_enclave/index.json
@@ -39,6 +42,9 @@ shell: out/.common-loaded
 		qos-local/common:latest \
 		/bin/bash
 
+out/digests.txt: all
+	@$(call digests) > $@
+
 out/nitro.pcrs: out/qos_enclave.tar
 	@$(call run,/src/scripts/extract_oci_file.sh qos_enclave.tar nitro.pcrs)
 

src/macros.mk

@@ -13,6 +13,18 @@ define run
 		/bin/sh -c "set -eu; $(1)"
 endef
 
+define digests
+	find out -iname "index.json" \
+	| awk -F/ '{print $$2}' \
+	| sort \
+	| while IFS= read -r package; do \
+	    jq \
+	        -jr '.manifests[].digest | sub ("sha256:";"")' \
+	        out/$${package}/index.json; \
+	    printf " %s\n" "$${package}"; \
+	done
+endef
+
 define build_context
 $$( \
 	self=$(1); \