Merge branch 'add-ci-workflow-to-guarantee-reproducible-builds-over-time-droid-1675'

1 files changed, 109 insertions, 0 deletions

diff --git a/.github/workflows/android-reproducible-builds.yml b/.github/workflows/android-reproducible-builds.yml
new file mode 100644
index 0000000000..8b053d9a64
--- /dev/null
+++ b/.github/workflows/android-reproducible-builds.yml
@@ -0,0 +1,109 @@
+---
+name: Android - Verify F-Droid and reproducible builds
+on:
+  schedule:
+    # At 04:20 UTC every monday.
+    # Notifications for scheduled workflows are sent to the user who last modified the cron
+    # syntax in the workflow file. If you update this you must have notifications for
+    # Github Actions enabled, so these don't go unnoticed.
+    # https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/notifications-for-workflow-runs
+    - cron: '20 6 * * 1'
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  build-fdroid-app:
+    name: Build fdroid container
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          submodules: true
+
+      - name: Build app
+        run: ./building/containerized-build.sh android --fdroid
+
+      - name: Upload apks
+        uses: actions/upload-artifact@v4
+        with:
+          name: container-app
+          path: android/app/build/outputs/apk/ossProd/fdroid/app-oss-prod-fdroid-unsigned.apk
+          if-no-files-found: error
+          retention-days: 7
+
+  build-fdroid-app-server:
+    name: Build fdroid with fdroid server
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install fdroidserver
+        run: |
+          sudo apt-get -y update
+          sudo apt-get -y install fdroidserver
+
+      - name: Install gradle
+        run: |
+          sudo apt-get -y remove gradle
+          mkdir /opt/gradle
+          curl -sfLo /opt/gradle/gradle-8.13-bin.zip https\://services.gradle.org/distributions/gradle-8.13-bin.zip
+          unzip -d /opt/gradle /opt/gradle/gradle-8.13-bin.zip
+
+      # These are equivalent to the sudo section of the metadata file
+      - name: Install dependencies
+        run: sudo apt-get install -y build-essential protobuf-compiler libprotobuf-dev
+
+      - name: Download metadata file
+        uses: actions/checkout@v4
+        with:
+          path: app-repo
+
+      - name: Init fdroid
+        run: fdroid init
+
+      - name: Prepare metadata
+        run: |
+          mkdir metadata
+          cp app-repo/android/fdroid-build/metadata/net.mullvad.mullvadvpn.yml metadata/net.mullvad.mullvadvpn.yml
+          sed -i 's/commit-hash/${{ github.sha }}/' metadata/net.mullvad.mullvadvpn.yml
+
+      - name: Build app
+        run: |
+          export PATH=$PATH:/opt/gradle/gradle-8.13/bin
+          fdroid build net.mullvad.mullvadvpn:1 -v
+
+      - name: Upload apks
+        uses: actions/upload-artifact@v4
+        with:
+          name: fdroidserver-app
+          path: |
+            build/net\.mullvad\.mullvadvpn/android/app/build/outputs/apk/ossProd/fdroid/app-oss-prod-fdroid-unsigned.apk
+          if-no-files-found: error
+          retention-days: 7
+
+  compare-builds:
+    name: Check builds
+    runs-on: ubuntu-latest
+    needs: [build-fdroid-app, build-fdroid-app-server]
+    steps:
+      - name: Download container apk
+        uses: actions/download-artifact@v4
+        with:
+          name: container-app
+          path: container
+
+      - name: Download server apk
+        uses: actions/download-artifact@v4
+        with:
+          name: fdroidserver-app
+          path: fdroidserver
+
+      - name: Print checksums
+        run: |
+          echo "Container build checksum"
+          md5sum container/app-oss-prod-fdroid-unsigned.apk
+          echo "Fdroidserver build checksum"
+          md5sum fdroidserver/app-oss-prod-fdroid-unsigned.apk
+
+      - name: Compare files
+        run: diff container/app-oss-prod-fdroid-unsigned.apk fdroidserver/app-oss-prod-fdroid-unsigned.apk