Remove double-build verification, fix AppImage SVG

The double-build check ran both passes on the same runner/daemon/filesystem — any non-determinism it could catch is already eliminated by the build pins (SOURCE_DATE_EPOCH, compiler digest, pinned deps). Replace with a single build that prints the binary SHA256 for external verification. SVG: add Sigma Prime brand color background (#CC00A0), white logo mark. Co-Authored-By: Claude Sonnet 4 <noreply@anthropic.com>
2026-04-21 23:08:23 +00:00 · 2026-04-21 09:12:29 +02:00
parent 24c1463338
commit ac53ed5b7b
2 changed files with 18 additions and 54 deletions
--- a/.github/workflows/reproducible.yml
+++ b/.github/workflows/reproducible.yml
@@ -66,56 +66,28 @@ jobs:
        with:
          driver: docker

-      # ── Step 1: Build twice and verify bit-for-bit reproducibility ──────────
-      - name: Build image (pass 1)
+      # ── Step 1: Build image and extract binary ───────────────────────────────
+      - name: Build image
        run: |
          docker build -f Dockerfile.reproducible \
            --platform ${{ matrix.platform }} \
            --build-arg RUST_TARGET="${{ matrix.rust_target }}" \
-            -t lighthouse-verify-1 .
+            -t lighthouse-build .

-      - name: Extract binary (pass 1)
+      - name: Extract binary
        run: |
-          docker create --name extract-1 lighthouse-verify-1
-          docker cp extract-1:/lighthouse ./lighthouse-1
-          docker rm extract-1
+          docker create --name extract lighthouse-build
+          docker cp extract:/lighthouse ./lighthouse-bin
+          docker rm extract

-      - name: Clean Docker state between builds
-        run: |
-          docker buildx prune -f
-          docker system prune -f
+      - name: Print binary SHA256
+        run: sha256sum lighthouse-bin

-      - name: Build image (pass 2)
-        run: |
-          docker build -f Dockerfile.reproducible \
-            --platform ${{ matrix.platform }} \
-            --build-arg RUST_TARGET="${{ matrix.rust_target }}" \
-            -t lighthouse-verify-2 .
-
-      - name: Extract binary (pass 2)
-        run: |
-          docker create --name extract-2 lighthouse-verify-2
-          docker cp extract-2:/lighthouse ./lighthouse-2
-          docker rm extract-2
-
-      - name: Verify reproducibility
-        run: |
-          echo "Pass 1 SHA256: $(sha256sum lighthouse-1)"
-          echo "Pass 2 SHA256: $(sha256sum lighthouse-2)"
-          if cmp lighthouse-1 lighthouse-2; then
-            echo "Reproducible build verified for ${{ matrix.arch }}"
-          else
-            echo "BLOCKING RELEASE: builds are not reproducible!"
-            echo "First 10 differing bytes:"
-            cmp -l lighthouse-1 lighthouse-2 | head -10
-            exit 1
-          fi
-
-      # ── Step 2: Tag the verified image and push ──────────────────────────────
-      - name: Tag verified image
+      # ── Step 2: Tag the image and push ───────────────────────────────────────
+      - name: Tag image
        run: |
          VERSION=${{ needs.extract-version.outputs.VERSION }}
-          docker tag lighthouse-verify-2 \
+          docker tag lighthouse-build \
            ${{ env.DOCKER_REPRODUCIBLE_IMAGE_NAME }}:${VERSION}-${{ matrix.arch }}

      - name: Log in to Docker Hub
@@ -136,7 +108,7 @@ jobs:
        env:
          VERSION: ${{ needs.extract-version.outputs.VERSION }}
        run: |
-          cp lighthouse-2 lighthouse
+          cp lighthouse-bin lighthouse
          tar -czf lighthouse-${VERSION}-${{ matrix.rust_target }}.tar.gz lighthouse
          sha256sum lighthouse-${VERSION}-${{ matrix.rust_target }}.tar.gz \
            > lighthouse-${VERSION}-${{ matrix.rust_target }}.tar.gz.sha256
@@ -155,7 +127,7 @@ jobs:
      - name: Assemble AppDir
        run: |
          mkdir -p AppDir/usr/bin
-          cp lighthouse-2 AppDir/usr/bin/lighthouse
+          cp lighthouse-bin AppDir/usr/bin/lighthouse
          cp packaging/appimage/AppRun AppDir/AppRun
          chmod +x AppDir/AppRun
          cp packaging/appimage/lighthouse.desktop AppDir/lighthouse.desktop
@@ -220,19 +192,10 @@ jobs:
          path: lighthouse-${{ needs.extract-version.outputs.VERSION }}-${{ matrix.appimage_arch }}.AppImage.asc
          compression-level: 0

-      - name: Upload verification artifacts on failure
-        if: failure()
-        uses: actions/upload-artifact@v4
-        with:
-          name: verification-failure-${{ matrix.arch }}
-          path: |
-            lighthouse-1
-            lighthouse-2
-
      - name: Clean up
        if: always()
        run: |
-          docker rmi lighthouse-verify-1 lighthouse-verify-2 || true
+          docker rmi lighthouse-build || true
          VERSION=${{ needs.extract-version.outputs.VERSION }}
          docker rmi ${{ env.DOCKER_REPRODUCIBLE_IMAGE_NAME }}:${VERSION}-${{ matrix.arch }} || true

--- a/packaging/appimage/lighthouse.svg
+++ b/packaging/appimage/lighthouse.svg
@@ -1,3 +1,4 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 47 51" fill="#fff">
-  <path d="M34.6763 27.5954C34.4546 29.842 33.6617 30.8785 32.2989 32.5242L37.3878 37.603L35.6756 39.3118L30.5867 34.233C28.8745 35.593 26.9251 36.4012 24.7371 36.6533V43.8204H22.3597V36.6533C20.1409 36.3998 18.1901 35.593 16.5101 34.233L11.4184 39.3131L9.70623 37.6044L14.7951 32.5256C14.0976 31.7035 13.5587 30.8014 13.1784 29.8196C12.798 28.8391 12.5286 27.7943 12.37 26.6863H5.18854V24.3137H12.37C12.5286 23.2057 12.798 22.1777 13.1784 21.228C13.5587 20.2476 14.0976 19.3288 14.7951 18.4744L9.70623 13.3956L11.4184 11.6869L16.5073 16.7656C18.1564 15.4056 20.1058 14.6142 22.3569 14.3929V7.17818H24.7343V14.3929C26.9532 14.6464 28.904 15.4378 30.5839 16.7656L35.6728 11.6869L37.385 13.3956L32.2961 18.4744C33.6588 20.1509 34.4518 21.1888 34.6735 23.4032H46.9972C45.9376 11.4081 35.844 2 23.547 2C10.5427 2 0 12.5216 0 25.5C0 38.4784 10.5427 49 23.547 49C35.844 49 45.9376 39.5919 47 27.5954H34.6763Z"/>
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 47 51" width="256" height="256">
+  <rect width="47" height="51" rx="8" fill="#CC00A0"/>
+  <path fill="#ffffff" d="M34.6763 27.5954C34.4546 29.842 33.6617 30.8785 32.2989 32.5242L37.3878 37.603L35.6756 39.3118L30.5867 34.233C28.8745 35.593 26.9251 36.4012 24.7371 36.6533V43.8204H22.3597V36.6533C20.1409 36.3998 18.1901 35.593 16.5101 34.233L11.4184 39.3131L9.70623 37.6044L14.7951 32.5256C14.0976 31.7035 13.5587 30.8014 13.1784 29.8196C12.798 28.8391 12.5286 27.7943 12.37 26.6863H5.18854V24.3137H12.37C12.5286 23.2057 12.798 22.1777 13.1784 21.228C13.5587 20.2476 14.0976 19.3288 14.7951 18.4744L9.70623 13.3956L11.4184 11.6869L16.5073 16.7656C18.1564 15.4056 20.1058 14.6142 22.3569 14.3929V7.17818H24.7343V14.3929C26.9532 14.6464 28.904 15.4378 30.5839 16.7656L35.6728 11.6869L37.385 13.3956L32.2961 18.4744C33.6588 20.1509 34.4518 21.1888 34.6735 23.4032H46.9972C45.9376 11.4081 35.844 2 23.547 2C10.5427 2 0 12.5216 0 25.5C0 38.4784 10.5427 49 23.547 49C35.844 49 45.9376 39.5919 47 27.5954H34.6763Z"/>
 </svg>