From b6b29a659b37a9d3e72eab71056095b9ead52e86 Mon Sep 17 00:00:00 2001
From: Andreas Schildbach
Date: Sat, 16 Sep 2023 15:12:47 +0200
Subject: [PATCH] build.Containerfile: reproducible reference build via containerization
Currently, buildah, Podman and Docker are supported. The goals of the reference build are: - Make our release process more transparent - Improve reproducibility by shielding our build from the hosts environment - Reduce the trust necessary for running our build by shielding the hosts environment from possible side effects of our build Note both the signing and the uploading of release artifacts are out of scope for the reference build.
---
 .dockerignore | 20 +++++++++++++++++
 README.adoc | 6 ++++++
 build.Containerfile | 52 +++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 78 insertions(+)
 create mode 100644 .dockerignore
 create mode 100644 build.Containerfile
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 000000000..6345f47c0
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,20 @@
+build.Containerfile
+**/.*
+
+# bitcoinj
+**/*.wallet
+**/*.spvchain
+
+# Gradle
+**/build/
+gradle/
+gradlew*
+
+# IntelliJ
+**/*.iml
+.idea/
+
+# Eclipse
+**/.project
+**/.classpath
+**/.settings/
diff --git a/README.adoc b/README.adoc
index b7d8554f4..f7f8cdb26 100644
--- a/README.adoc
+++ b/README.adoc
@@ -74,6 +74,12 @@ To dump the state of the wallet in `~/bitcoinj/bitcoinj-test.wallet` with the te
 NOTE: These instructions are for macOS/Linux, for Windows use the `wallettool/build/install/wallet-tool/bin/wallet-tool.bat` batch file with the equivalent Windows command-line commands and options.
+### Building the reference build
+
+Our reference build (which is also used for our releases) is running within a container to provide good reproducibility.
+Buildah 1.26+, Podman 4.1+ and Docker (with BuildKit) are supported. We tested various combinations of host OSes
+(Debian, Ubuntu, macOS, Windows+WSL) and architectures (amd64, arm64). For usage instructions see `build.Containerfile`.
+
 ### Example applications
 These are found in the `examples` module.
diff --git a/build.Containerfile b/build.Containerfile
new file mode 100644
index 000000000..b8ac98607
--- /dev/null
+++ b/build.Containerfile
@@ -0,0 +1,52 @@
+#
+# Reproducible reference build
+#
+# Usage:
+#
+# buildah build --file build.Containerfile --output .
+# or
+# podman build --file build.Containerfile --output .
+# or
+# docker build --file build.Containerfile --output .
+#
+# The build artifacts are written to the specified output directory.
+# To also run tests, add
+#
+# --build-arg ADDITIONAL_GRADLE_TASK=test
+#
+
+# stage: set up debian environment
+FROM debian:bullseye-slim AS setup-stage
+
+ENV DEBIAN_FRONTEND noninteractive
+RUN /usr/bin/apt-get update && \
+ /usr/bin/apt-get --yes install openjdk-11-jdk-headless gradle && \
+ /usr/sbin/adduser --disabled-login --gecos "" builder
+
+# stage: build
+FROM setup-stage AS build-stage
+
+ARG ADDITIONAL_GRADLE_TASK=""
+
+# give up privileges
+USER builder
+WORKDIR /home/builder
+
+# copy project source code
+COPY --chown=builder / project/
+
+# build project
+RUN /usr/bin/gradle --project-dir project/ \
+ --no-build-cache --no-daemon --no-parallel \
+ -Dmaven.repo.local=repo \
+ clean ${ADDITIONAL_GRADLE_TASK} :bitcoinj-core:publishToMavenLocal :bitcoinj-wallettool:installDist
+
+# stage: export build output
+FROM scratch AS export-stage
+COPY --from=build-stage \
+ /home/builder/repo/org/bitcoinj/*/*/*.jar \
+ /home/builder/repo/org/bitcoinj/*/*/*.pom \
+ /core/
+COPY --from=build-stage \
+ /home/builder/project/wallettool/build/install/wallet-tool/ \
+ /wallettool/
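Review bot: The toolchain in setup-stage floats: `FROM debian:bullseye-slim` is a mutable tag and `apt-get --yes install openjdk-11-jdk-headless gradle` takes whatever versions the live archive serves, so the JDK and Gradle that produce the release jars depend on the build date and a third party cannot rebuild with the same inputs to verify a release. Pinning the base by digest, `FROM debian:bullseye-slim@sha256:<digest-of-reviewed-image> AS setup-stage` (placeholder, to be filled with the reviewed image's digest), fixes the base layer; the two packages would additionally need explicit versions or a dated snapshot mirror, because `apt-get update` still resolves against the current archive. The Gradle step also resolves dependencies over the network during the build, and the new `.dockerignore` excludes `gradle/`, so if the project keeps dependency verification metadata in that directory it would presumably not be applied inside the container; this is worth confirming. A short comment above the `FROM` line stating which inputs are pinned and which are not would let someone reproducing a release know what to compare.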