From ac53ed5b7b6b921a78e793f1121bd153b423ee99 Mon Sep 17 00:00:00 2001
From: antondlr
Date: Tue, 21 Apr 2026 09:12:29 +0200
Subject: [PATCH] Remove double-build verification, fix AppImage SVG
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The double-build check ran both passes on the same runner/daemon/filesystem — any non-determinism it could catch is already eliminated by the build pins (SOURCE_DATE_EPOCH, compiler digest, pinned deps). Replace with a single build that prints the binary SHA256 for external verification. SVG: add Sigma Prime brand color background (#CC00A0), white logo mark.
Co-Authored-By: Claude Sonnet 4
---
 .github/workflows/reproducible.yml | 67 +++++++-----------------------
 packaging/appimage/lighthouse.svg | 5 ++-
 2 files changed, 18 insertions(+), 54 deletions(-)
diff --git a/.github/workflows/reproducible.yml b/.github/workflows/reproducible.yml
index b1409dd610..290b0ef339 100644
--- a/.github/workflows/reproducible.yml
+++ b/.github/workflows/reproducible.yml
@@ -66,56 +66,28 @@ jobs:
 with:
 driver: docker
- # ── Step 1: Build twice and verify bit-for-bit reproducibility ──────────
- - name: Build image (pass 1)
+ # ── Step 1: Build image and extract binary ───────────────────────────────
+ - name: Build image
 run: |
 docker build -f Dockerfile.reproducible \
 --platform ${{ matrix.platform }} \
 --build-arg RUST_TARGET="${{ matrix.rust_target }}" \
- -t lighthouse-verify-1 .
+ -t lighthouse-build .
- - name: Extract binary (pass 1)
+ - name: Extract binary
 run: |
- docker create --name extract-1 lighthouse-verify-1
- docker cp extract-1:/lighthouse ./lighthouse-1
- docker rm extract-1
+ docker create --name extract lighthouse-build
+ docker cp extract:/lighthouse ./lighthouse-bin
+ docker rm extract
- - name: Clean Docker state between builds
- run: |
- docker buildx prune -f
- docker system prune -f
+ - name: Print binary SHA256
+ run: sha256sum lighthouse-bin
- - name: Build image (pass 2)
- run: |
- docker build -f Dockerfile.reproducible \
- --platform ${{ matrix.platform }} \
- --build-arg RUST_TARGET="${{ matrix.rust_target }}" \
- -t lighthouse-verify-2 .
- - name: Extract binary (pass 2)
- run: |
- docker create --name extract-2 lighthouse-verify-2
- docker cp extract-2:/lighthouse ./lighthouse-2
- docker rm extract-2
- - name: Verify reproducibility
- run: |
- echo "Pass 1 SHA256: $(sha256sum lighthouse-1)"
- echo "Pass 2 SHA256: $(sha256sum lighthouse-2)"
- if cmp lighthouse-1 lighthouse-2; then
- echo "Reproducible build verified for ${{ matrix.arch }}"
- else
- echo "BLOCKING RELEASE: builds are not reproducible!"
- echo "First 10 differing bytes:"
- cmp -l lighthouse-1 lighthouse-2 | head -10
- exit 1
- fi
-
- # ── Step 2: Tag the verified image and push ──────────────────────────────
- - name: Tag verified image
+ # ── Step 2: Tag the image and push ───────────────────────────────────────
+ - name: Tag image
 run: |
 VERSION=${{ needs.extract-version.outputs.VERSION }}
- docker tag lighthouse-verify-2 \
+ docker tag lighthouse-build \
 ${{ env.DOCKER_REPRODUCIBLE_IMAGE_NAME }}:${VERSION}-${{ matrix.arch }}
 - name: Log in to Docker Hub
@@ -136,7 +108,7 @@ jobs:
 env:
 VERSION: ${{ needs.extract-version.outputs.VERSION }}
 run: |
- cp lighthouse-2 lighthouse
+ cp lighthouse-bin lighthouse
 tar -czf lighthouse-${VERSION}-${{ matrix.rust_target }}.tar.gz lighthouse
 sha256sum lighthouse-${VERSION}-${{ matrix.rust_target }}.tar.gz \
 > lighthouse-${VERSION}-${{ matrix.rust_target }}.tar.gz.sha256
@@ -155,7 +127,7 @@ jobs:
 - name: Assemble AppDir
 run: |
 mkdir -p AppDir/usr/bin
- cp lighthouse-2 AppDir/usr/bin/lighthouse
+ cp lighthouse-bin AppDir/usr/bin/lighthouse
 cp packaging/appimage/AppRun AppDir/AppRun
 chmod +x AppDir/AppRun
 cp packaging/appimage/lighthouse.desktop AppDir/lighthouse.desktop
@@ -220,19 +192,10 @@ jobs:
 path: lighthouse-${{ needs.extract-version.outputs.VERSION }}-${{ matrix.appimage_arch }}.AppImage.asc
 compression-level: 0
- - name: Upload verification artifacts on failure
- if: failure()
- uses: actions/upload-artifact@v4
- with:
- name: verification-failure-${{ matrix.arch }}
- path: |
- lighthouse-1
- lighthouse-2
-
 - name: Clean up
 if: always()
 run: |
- docker rmi lighthouse-verify-1 lighthouse-verify-2 || true
+ docker rmi lighthouse-build || true
 VERSION=${{ needs.extract-version.outputs.VERSION }}
 docker rmi ${{ env.DOCKER_REPRODUCIBLE_IMAGE_NAME }}:${VERSION}-${{ matrix.arch }} || true
diff --git a/packaging/appimage/lighthouse.svg b/packaging/appimage/lighthouse.svg
index c5e2b082d3..3ee0c80a58 100644
--- a/packaging/appimage/lighthouse.svg
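Review bot: The new `Print binary SHA256` step only writes the digest to the job log, so in the first hunk nothing compares the binary against anything before `Tag image` runs — the removed `cmp` was the only gate visible in this workflow section. A same-runner rebuild is a limited check, as the description says, but the pins it relies on are asserted here rather than tested; a separate job on a different runner that rebuilds and compares digests would be a real replacement. At minimum make the digest durable for outside verifiers, for example `run: sha256sum lighthouse-bin | tee -a "$GITHUB_STEP_SUMMARY"`, and add a comment above the step such as `# Reference digest for independent rebuilds; not checked in this workflow`.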
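Review bot: The `Clean up` step in the last hunk still expands `${{ needs.extract-version.outputs.VERSION }}` directly inside the `run:` script, as does `Tag image` in the first hunk, so the value is pasted into the shell text before bash parses it. The packaging step in the second hunk already passes it the safer way through `env:`; since both steps are edited here, do the same by adding `env:` with `VERSION: ${{ needs.extract-version.outputs.VERSION }}` to each and dropping the `VERSION=${{ … }}` line, then reference `"${VERSION}"` quoted. How VERSION is derived is outside the diff, so whether it can carry externally influenced characters cannot be judged from these lines.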
+++ b/packaging/appimage/lighthouse.svg
@@ -1,3 +1,4 @@
-
-
+
+
+