fix: added partial docker verification workflow

Signed-off-by: Matt Peterson <[email protected]>

.github/workflows/release-push-image.yaml

@@ -52,13 +52,13 @@ jobs:
       java-distribution: ${{ inputs.java-distribution || 'temurin' }}
       java-version: ${{ inputs.java-version || '21.0.4' }}
 
-#  check-docker:
-#    name: Docker
-#    uses: ./.github/workflows/zxc-verify-docker-build-determinism.yaml
-#    with:
-#      ref: ${{ github.event.inputs.ref || '' }}
-#      java-distribution: ${{ inputs.java-distribution || 'temurin' }}
-#      java-version: ${{ inputs.java-version || '21.0.4' }}
+  check-docker:
+    name: Docker
+    uses: ./.github/workflows/zxc-verify-docker-build-determinism.yaml
+    with:
+      ref: ${{ github.event.inputs.ref || '' }}
+      java-distribution: ${{ inputs.java-distribution || 'temurin' }}
+      java-version: ${{ inputs.java-version || '21.0.4' }}
 
   publish:
     runs-on: block-node-linux-medium

.github/workflows/support/scripts/generate-gradle-artifact-baseline.sh

@@ -102,21 +102,11 @@ start_group "Configuring Environment"
     fi
   end_task "DONE (Found: ${SHA256SUM})"
 
-#  start_task "Checking for prebuilt libraries"
-#    ls -al "${GITHUB_WORKSPACE}/${RELEASE_LIB_PATH}"/*.jar >/dev/null 2>&1 || fail "ERROR (Exit Code: ${?})" "${?}"
-#  end_task "FOUND (Path: ${GITHUB_WORKSPACE}/${RELEASE_LIB_PATH}/*.jar)"
-
   start_task "Checking for prebuilt applications"
     ls -al "${GITHUB_WORKSPACE}/${RELEASE_APPS_PATH}"/*.jar >/dev/null 2>&1 || fail "ERROR (Exit Code: ${?})" "${?}"
   end_task "FOUND (Path: ${GITHUB_WORKSPACE}/${RELEASE_APPS_PATH}/*.jar)"
 end_group
 
-#start_group "Generating Library Hashes (${GITHUB_WORKSPACE}/${RELEASE_LIB_PATH}/*.jar)"
-#  pushd "${GITHUB_WORKSPACE}/${RELEASE_LIB_PATH}" >/dev/null 2>&1 || fail "PUSHD ERROR (Exit Code: ${?})" "${?}"
-#  ${SHA256SUM} -b -- *.jar | sort -k 2 | tee -a "${TEMP_DIR}"/libraries.sha256
-#  popd >/dev/null 2>&1 || fail "POPD ERROR (Exit Code: ${?})" "${?}"
-#end_group
-
 start_group "Generating Application Hashes (${GITHUB_WORKSPACE}/${RELEASE_APPS_PATH}/*.jar)"
   pushd "${GITHUB_WORKSPACE}/${RELEASE_APPS_PATH}" >/dev/null 2>&1 || fail "PUSHD ERROR (Exit Code: ${?})" "${?}"
   ${SHA256SUM} -b -- *.jar | sort -k 2 | tee -a "${TEMP_DIR}"/applications.sha256
@@ -131,7 +121,6 @@ start_group "Generating Final Release Manifests"
 
   start_task "Copying the manifest files"
   cp "${TEMP_DIR}/manifest.tar.gz" "${MANIFEST_PATH}/${GITHUB_SHA}.tar.gz" || fail "COPY ERROR (Exit Code: ${?})" "${?}"
-#  cp "${TEMP_DIR}/libraries.sha256" "${MANIFEST_PATH}/libraries.sha256" || fail "COPY ERROR (Exit Code: ${?})" "${?}"
   cp "${TEMP_DIR}/applications.sha256" "${MANIFEST_PATH}/applications.sha256" || fail "COPY ERROR (Exit Code: ${?})" "${?}"
   end_task "DONE (Path: ${MANIFEST_PATH}/${GITHUB_SHA}.tar.gz)"
 
@@ -141,7 +130,6 @@ start_group "Generating Final Release Manifests"
       printf "file=%s\n" "${MANIFEST_PATH}/${GITHUB_SHA}.tar.gz"
       printf "name=%s\n" "${GITHUB_SHA}.tar.gz"
       printf "applications=%s\n" "${MANIFEST_PATH}/applications.sha256"
-#      printf "libraries=%s\n" "${MANIFEST_PATH}/libraries.sha256"
     } >> "${GITHUB_OUTPUT}"
   end_task
 end_group

.github/workflows/zxc-verify-docker-build-determinism.yaml

@@ -14,6 +14,10 @@
 # limitations under the License.
 ##
 name: "ZXC: Verify Docker Build Determinism"
+# Here, the ZXC prefix:
+# Z - Ensures sort order such that this script appears at the bottom of the UI
+# X - Indicates it's not for direct user consumption
+# C - Indicates this is a 'workflow_call' based reusable workflow
 on:
   workflow_call:
     inputs:
@@ -33,14 +37,6 @@ on:
         required: false
         default: "21.0.4"
 
-#    secrets:
-#      gradle-cache-username:
-#        description: "The username used to authenticate with the Gradle Build Cache Node."
-#        required: true
-#      gradle-cache-password:
-#        description: "The password used to authenticate with the Gradle Build Cache Node."
-#        required: true
-
 defaults:
   run:
     shell: bash
@@ -50,32 +46,99 @@ permissions:
   contents: read
 
 env:
-#  GRADLE_CACHE_USERNAME: ${{ secrets.gradle-cache-username }}
-#  GRADLE_CACHE_PASSWORD: ${{ secrets.gradle-cache-password }}
   DOCKER_MANIFEST_GENERATOR: .github/workflows/support/scripts/generate-docker-artifact-baseline.sh
   DOCKER_MANIFEST_PATH: ${{ github.workspace }}/.manifests/docker
-  DOCKER_REGISTRY: localhost:5000
-  DOCKER_IMAGE_NAME: consensus-node
-  DOCKER_CONTEXT_PATH: hedera-node/infrastructure/docker/containers/production-next/consensus-node
+#  DOCKER_REGISTRY: localhost:5000
+#  DOCKER_IMAGE_NAME: consensus-node
+#  DOCKER_CONTEXT_PATH: hedera-node/infrastructure/docker/containers/production-next/consensus-node
   SKOPEO_VERSION: v1.14.0
 
 jobs:
   generate-baseline:
     name: Generate Baseline
     runs-on: block-node-linux-medium
-#    outputs:
-#      sha: ${{ steps.commit.outputs.sha }}
-#      sha-abbrev: ${{ steps.commit.outputs.sha-abbrev }}
-#      source-date: ${{ steps.commit.outputs.source-date }}
-#      path: ${{ steps.baseline.outputs.path }}
-#      file: ${{ steps.baseline.outputs.file }}
-#      name: ${{ steps.baseline.outputs.name }}
+    outputs:
+      sha: ${{ steps.commit.outputs.sha }}
+      sha-abbrev: ${{ steps.commit.outputs.sha-abbrev }}
+      source-date: ${{ steps.commit.outputs.source-date }}
+      path: ${{ steps.baseline.outputs.path }}
+      file: ${{ steps.baseline.outputs.file }}
+      name: ${{ steps.baseline.outputs.name }}
 
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
-      - name: Hello World
-        run: echo "Testing Docker Build Determinism"
+      - name: Checkout Code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ inputs.ref }}
+
+      - name: Authenticate to Google Cloud
+        id: google-auth
+        uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
+        with:
+          workload_identity_provider: "projects/235822363393/locations/global/workloadIdentityPools/hedera-builds-pool/providers/hedera-builds-gh-actions"
+          service_account: "[email protected]"
+
+      - name: Setup Google Cloud SDK
+        uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2
+
+      - name: Retrieve Commit Hash
+        id: commit
+        run: |
+          echo "sha=$(git rev-parse HEAD)" >> "${GITHUB_OUTPUT}"
+          echo "sha-abbrev=$(git rev-parse HEAD | tr -d '[:space:]' | cut -c1-8)" >> "${GITHUB_OUTPUT}"
+          echo "source-date=$(git log -1 --pretty=%ct)" >> "${GITHUB_OUTPUT}"
+
+      - name: Baseline Existence Check
+        id: baseline
+        run: |
+          BASELINE_NAME="${{ steps.commit.outputs.sha }}.tar.gz"
+          BASELINE_PATH="gs://hedera-ci-ephemeral-artifacts/${{ github.repository }}/docker/baselines"
+          BASELINE_FILE="${BASELINE_PATH}/${BASELINE_NAME}"
+          BASELINE_EXISTS="false"
+
+          if gsutil ls "${BASELINE_FILE}" >/dev/null 2>&1; then
+             BASELINE_EXISTS="true"
+          fi
+
+          echo "exists=${BASELINE_EXISTS}" >> "${GITHUB_OUTPUT}"
+          echo "path=${BASELINE_PATH}" >> "${GITHUB_OUTPUT}"
+          echo "name=${BASELINE_NAME}" >> "${GITHUB_OUTPUT}"
+          echo "file=${BASELINE_FILE}" >> "${GITHUB_OUTPUT}"
+
+      - name: Setup Java
+        uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
+        if: ${{ steps.baseline.outputs.exists == 'false' && !failure() && !cancelled() }}
+        with:
+          distribution: ${{ inputs.java-distribution }}
+          java-version: ${{ inputs.java-version }}
+
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@cc4fc85e6b35bafd578d5ffbc76a5518407e1af0 # v4.2.1
+        if: ${{ steps.baseline.outputs.exists == 'false' && !failure() && !cancelled() }}
+        with:
+          cache-disabled: true
+
+      - name: Install Skopeo and JQ
+        if: ${{ steps.baseline.outputs.exists == 'false' && !failure() && !cancelled() }}
+        run: |
+          sudo apt-get update
+          sudo apt-get install --yes --no-install-recommends skopeo jq
+
+      - name: Setup QEmu Support
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+        if: ${{ steps.baseline.outputs.exists == 'false' && !failure() && !cancelled() }}
+
+      - name: Setup Docker Buildx Support
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+        if: ${{ steps.baseline.outputs.exists == 'false' && !failure() && !cancelled() }}
+        with:
+          version: v0.16.2
+          driver-opts: network=host
+          buildkitd-config-inline: |
+            [registry."docker.io"]
+              mirrors = ["https://hub.mirror.docker.lat.ope.eng.hashgraph.io"]

.github/workflows/zxc-verify-gradle-build-determinism.yaml

@@ -147,8 +147,8 @@ jobs:
         os:
           - ubuntu-22.04
           - ubuntu-20.04
-          - windows-2022
-          - windows-2019
+#          - windows-2022
+#          - windows-2019
           - block-node-linux-medium
     steps:
       - name: Harden Runner