Add reproducibility verification

Author: ppkarwasz

.editorconfig

@@ -1,14 +1,5 @@
 root = true
 
-[.editorconfig]
-charset						= utf-8
-end_of_line					= lf
-indent_size					= 4
-indent_style				= tab
-insert_final_newline		= true
-tab_width					= 4
-trim_trailing_whitespace	= true
-
 [*]
 charset						= utf-8
 end_of_line					= lf
@@ -18,20 +9,7 @@ insert_final_newline		= true
 tab_width					= 4
 trim_trailing_whitespace	= true
 
-[*.sh]
-charset						= utf-8
-end_of_line					= lf
-indent_size					= 2
-indent_style				= space
-insert_final_newline		= true
-tab_width					= 2
-trim_trailing_whitespace	= true
-
-[CMakeLists.txt]
-charset						= utf-8
-end_of_line					= lf
+[{*.sh,*.yml,CMakeLists.txt}]
 indent_size					= 2
 indent_style				= space
-insert_final_newline		= true
 tab_width					= 2
-trim_trailing_whitespace	= true

.github/workflows/package_code.yml

@@ -15,54 +15,91 @@
 name: Generate release files
 
 on:
+  workflow_call:
   push:
     branches:
       - master
-#  pull_request:
-#    branches:
-#      - master
+
+permissions: read-all
 
 jobs:
-  job1:
-    name: 'Package code for release'
-    runs-on: ubuntu-20.04
-    timeout-minutes: 38
-    strategy:
-      fail-fast: false
+
+  package:
+    name: Package code
+    runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v4
-      with:
-        persist-credentials: false # do not persist auth token in the local git config
-        path: clean-checkout
+      - name: Checkout repository
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871   # 4.2.1
+        with:
+          persist-credentials: false # do not persist auth token in the local git config
 
-# Consider using CPack when it supports a white-list for included files
-#    - name: 'Install minimum dependencies'
-#      run: |
-#        sudo apt-get install -y libapr1-dev libaprutil1-dev
-#
-#    - name: 'Create release files'
-#      run: |
-#        cmake -B package -S clean-checkout -DAPACHE_MAINTAINER=yes -DCPACK_PACKAGE_DIRECTORY=`pwd`
-#        cmake --build package --target dist
-#
-    - name: 'Create release files'
-      run: |
-        cd clean-checkout
-        rm -r src/main/abi-symbols
-        VERSION=`grep 'set(log4cxx_VER ' src/cmake/projectVersionDetails.cmake|sed -Ee 's/.*log4cxx_VER ([0-9]*)\.([0-9]*)\.([0-9]*).*/\1.\2.\3/'`
-        tar -zcf "../apache-log4cxx-$VERSION.tar.gz" "--transform=s,^,apache-log4cxx-$VERSION/," INSTALL  LICENSE  NOTICE  README.md  CMakeLists.txt  src  liblog4cxx.pc.in  liblog4cxx-qt.pc.in  KEYS
-        cd ..
-        sha512sum "apache-log4cxx-$VERSION.tar.gz" > "apache-log4cxx-$VERSION.tar.gz.sha512"
-        sha256sum "apache-log4cxx-$VERSION.tar.gz" > "apache-log4cxx-$VERSION.tar.gz.sha256"
-        tar xf "apache-log4cxx-$VERSION.tar.gz"
-        zip -rm "apache-log4cxx-$VERSION.zip" apache-log4cxx-$VERSION
-        sha512sum "apache-log4cxx-$VERSION.zip" > "apache-log4cxx-$VERSION.zip.sha512"
-        sha256sum "apache-log4cxx-$VERSION.zip" > "apache-log4cxx-$VERSION.zip.sha256"
+      - name: Determine version
+        shell: bash
+        run: |
+          VERSION=$(grep -Po '(?<=set\(log4cxx_VER ")(.*)(?="\))' src/cmake/projectVersionDetails.cmake)
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+
+      - name: Create release files
+        shell: bash
+        run: |
+          ./package.sh
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882   # 4.4.3
+        if: always()
+        with:
+          name: apache-log4cxx
+          path: |
+            CMakeLists/apache-log4cxx-*
+
+  verify-reproducibility:
+    name: Verify reproducibility
+    needs: package
+    runs-on:
+      - ubuntu-latest
+      - macos-latest
+      - windows-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871   # 4.2.1
+        with:
+          persist-credentials: false # do not persist auth token in the local git config
+
+      - name: Determine version
+        shell: bash
+        run: |
+          VERSION=$(grep -Po '(?<=set\(log4cxx_VER ")(.*)(?="\))' src/cmake/projectVersionDetails.cmake)
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+
+      - name: Download artifacts
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16   # 4.1.8
+        with:
+          name: apache-log4cxx
+          path: |
+            CMakeLists/reference
+
+      - name: Check release files
+        id: check
+        shell: bash
+        run: |
+          ./package.sh
+          current=CMakeLists/apache-log4cxx-$VERSION
+          reference=CMakeLists/reference/apache-log4cxx-$VERSION
+          for format in tar.gz zip; do
+            for hash in sha256 sha512; do
+              if cmp --silent "$reference.$format.$hash" "$current.$format.$hash"; then
+                echo Files apache-log4cxx-$VERSION.$format differ\! >& 2
+                exit 1
+              fi
+            done
+          done
 
-    - uses: actions/upload-artifact@v4
-      if: always()
-      with:
-        name: 'Upload release files'
-        path: |
-          apache-log4cxx-*
+      - name: Upload reproducibility results
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882   # 4.4.3
+        if: ${{ failure() && steps.check.conclusion == 'failure' }}
+        with:
+          name: apache-log4cxx-reproducibility-${{ runner.os }}
+          path: |
+            CMakeLists/apache-log4cxx-*

package.sh

@@ -0,0 +1,103 @@
+#!/bin/bash
+#
+set -e
+
+# Determine the version and build timestamp
+VERSION=$(grep -Po '(?<=set\(log4cxx_VER ")(.*)(?="\))' src/cmake/projectVersionDetails.cmake)
+if ! echo "$VERSION" | grep -Pq '^\d+\.\d+\.\d+$'; then
+  echo Invalid version number: "$VERSION" >& 2
+  exit 1
+fi
+
+OUTPUT_TIMESTAMP=$(grep -Po '(?<=set\(log4cxx_OUTPUT_TIMESTAMP ")(.*)(?="\))' src/cmake/projectVersionDetails.cmake)
+if ! echo "$OUTPUT_TIMESTAMP" | grep -Pq '^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$'; then
+  echo Invalid build timestamp: "$OUTPUT_TIMESTAMP" >& 2
+  echo Run '`'date -u +%Y-%m-%dT%H:%M:%SZ'`' to generate it
+  exit 1
+fi
+
+# Build directory
+build=CMakeFiles
+
+# Create source directory
+mkdir -p "$build"
+OUTPUT_DIR="$build/apache-log4cxx-$VERSION"
+if [ -f "$OUTPUT_DIR" ]; then
+  if [ ! -d "$OUTPUT_DIR" ]; then
+    echo File "$OUTPUT_DIR" is not a directory >& 2
+    exit 1
+  fi
+  if [ ! -z "$(ls -A "$OUTPUT_DIR")" ]; then
+    echo Directory "$OUTPUT_DIR" is not empty >& 2
+    exit 1
+  fi
+fi
+mkdir -p "$OUTPUT_DIR"
+
+# Copy files to directory
+cp -r \
+  CMakeLists.txt \
+  KEYS \
+  INSTALL \
+  LICENSE \
+  NOTICE \
+  README.md \
+  src \
+  liblog4cxx.pc.in \
+  liblog4cxx-qt.pc.in \
+  "$OUTPUT_DIR"
+rm -r "$OUTPUT_DIR"/src/main/abi-symbols
+
+# Create TAR file
+#
+# See https://reproducible-builds.org/docs/archives/ for reproducibility tips
+TAR_ARCHIVE="$build/apache-log4cxx-$VERSION.tar.gz"
+echo 'Tar version:'
+tar --version | sed -e 's/^/\t/'
+echo 'Gzip version:'
+gzip --version  | sed -e 's/^/\t/'
+if [ -f "$TAR_ARCHIVE" ]; then
+  echo Archive "$TAR_ARCHIVE" already exists >& 2
+  exit 1
+fi
+
+tar --transform="s!^$OUTPUT_DIR!apache-log4cxx-$VERSION!" \
+  --mtime="$OUTPUT_TIMESTAMP" \
+  --owner=0 --group=0 --numeric-owner \
+  --sort=name \
+  --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
+  --create --gzip --file "$TAR_ARCHIVE" "$OUTPUT_DIR"
+
+echo -e Tar archive: "$TAR_ARCHIVE"
+
+# Create ZIP file
+#
+# See https://reproducible-builds.org/docs/archives/ for reproducibility tips
+# Change the mtime of all files
+ZIP_ARCHIVE="$build/apache-log4cxx-$VERSION.zip"
+echo 'Zip version:'
+zip --version | sed 's/^/\t/'
+if [ -f "$ZIP_ARCHIVE" ]; then
+  echo Archive "$ZIP_ARCHIVE" already exists >& 2
+  exit 1
+fi
+
+find "$OUTPUT_DIR" -exec touch --date="$OUTPUT_TIMESTAMP" -m {} +
+# Sort files and zip.
+(
+  cd "$build"
+  find apache-log4cxx-$VERSION -print0 |
+  LC_ALL=C sort -z |
+  xargs -0 zip -q -X apache-log4cxx-$VERSION.zip
+)
+
+echo -e ZIP archive: "$ZIP_ARCHIVE"
+
+# Generate hashes
+(
+  cd "$build"
+  for format in tar.gz zip; do
+    sha256sum apache-log4cxx-$VERSION.$format > apache-log4cxx-$VERSION.$format.sha256
+    sha512sum apache-log4cxx-$VERSION.$format > apache-log4cxx-$VERSION.$format.sha512
+  done
+)

src/cmake/projectVersionDetails.cmake

@@ -1,5 +1,27 @@
-# This file should contain nothing but the following line
-# setting the project version. The variable name must not
-# clash with the log4cxx_VERSION* variables automatically
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+##
+# This file should contain only the current version and the build timestamp
+
+# The variable name must not clash with the log4cxx_VERSION* variables automatically
 # defined by the project() command.
-set(log4cxx_VER 1.3.0.0)
+set(log4cxx_VER "1.3.0")
+
+# Timestamp used for the source archive to guarantee reproducible builds in ISO 8601 format.
+#
+# To generate use: date -u +%Y-%m-%dT%H:%M:%SZ
+set(log4cxx_OUTPUT_TIMESTAMP "2024-10-11T14:35:14Z")