From 0d119244fdfed9382b2e38825c911fdb6e7ae6ef Mon Sep 17 00:00:00 2001
From: Nicolas Mattia <nicolas.mattia@dfinity.org>
Date: Fri, 21 Feb 2025 15:33:17 +0100
Subject: [PATCH] wip

---
 .github/workflows-source/ci-main.yml | 38 +++++++++++++++++++++++++---
 ci/bazel-scripts/main.sh             |  4 +++
 ci/scripts/build-determinism.sh      |  7 +----
 ci/scripts/run-build-ic.sh           |  3 ---
 ci/src/artifacts/upload.bzl          |  1 +
 5 files changed, 41 insertions(+), 12 deletions(-)

diff --git a/.github/workflows-source/ci-main.yml b/.github/workflows-source/ci-main.yml
index fdd07e45a7fb..eb5be3135d05 100644
--- a/.github/workflows-source/ci-main.yml
+++ b/.github/workflows-source/ci-main.yml
@@ -142,9 +142,20 @@ jobs:
         uses: ./.github/actions/bazel-test-all/
         with:
           BAZEL_COMMAND: test --config=ci ${{ env.BAZEL_EXTRA_ARGS }}
-          BAZEL_TARGETS: //...
+          BAZEL_TARGETS: "//..."
           BUILDEVENT_APIKEY: ${{ secrets.HONEYCOMB_TOKEN }}
           GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+
+      - name: Foo bar
+        run: |
+          find -L bazel-out -name SHA256SUMS | xargs cat | sort | uniq > out_shafile_all
+      - name: Upload out_shafile
+        uses: actions/upload-artifact@v4
+        with:
+          name: out_shafile_all
+          retention-days: 1
+          path: |
+            out_shafile_all
       - <<: *bazel-bep
 
   bazel-test-macos-intel:
@@ -252,20 +263,29 @@ jobs:
         id: build-ic
         shell: bash
         run: |
-          set -eExuo pipefail
-          [ -n "${NODE_NAME:-}" ] && echo "Run on node: $NODE_NAME" >>$GITHUB_STEP_SUMMARY
+          set -euo pipefail
           REPO_NAME="${GITHUB_REPOSITORY##*/}"
           rm -rf "/cache/job/${CI_JOB_NAME}/${CI_RUN_ID}"
           mkdir -p "/cache/job/${CI_JOB_NAME}/${CI_RUN_ID}/artifacts"
           ln -s "/cache/job/${CI_JOB_NAME}/${CI_RUN_ID}/artifacts" /__w/$REPO_NAME/$REPO_NAME/artifacts
           "$CI_PROJECT_DIR"/ci/scripts/run-build-ic.sh
           rm -rf "/cache/job/${CI_JOB_NAME}/${CI_RUN_ID}"
+
+          find -L bazel-out -name SHA256SUMS | xargs cat | sort | uniq > out_shafile_all
+
         env:
           BAZEL_COMMAND: build --config=ci
           BAZEL_TARGETS: //...
           MERGE_BASE_SHA: ${{ github.event.pull_request.base.sha }}
           BRANCH_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
           RUN_ON_DIFF_ONLY: ${{ github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'CI_ALL_BAZEL_TARGETS') }}
+      - name: Upload out_shafile
+        uses: actions/upload-artifact@v4
+        with:
+          name: out_shafile_build
+          retention-days: 1
+          path: |
+            out_shafile_build
       - name: Upload build-ic.tar
         uses: actions/upload-artifact@v4
         with:
@@ -311,6 +331,18 @@ jobs:
         uses: actions/download-artifact@v4
         with:
           name: build-ic
+      - name: Download out_shafile_all
+        uses: actions/download-artifact@v4
+        with:
+          name: out_shafile_all
+      - name: Download out_shafile_build
+        uses: actions/download-artifact@v4
+        with:
+          name: out_shafile_build
+
+      - name: diff
+        run: |
+          diff <(sort < ./out_shafile_build) <(sort <./out_shafile_all)
       - name: Build Determinism Test
         id: build-determinism
         run: |
diff --git a/ci/bazel-scripts/main.sh b/ci/bazel-scripts/main.sh
index c28be7b68199..23f4fd2b5ecf 100755
--- a/ci/bazel-scripts/main.sh
+++ b/ci/bazel-scripts/main.sh
@@ -113,3 +113,7 @@ if [ -n "${GITHUB_STEP_SUMMARY:-}" ]; then
     echo "BuildBuddy [$invocation]($(<"$url_out"))" >>$GITHUB_STEP_SUMMARY
 fi
 rm "$url_out"
+
+echo "the shasums:"
+
+find -L bazel-out -name SHA256SUMS
diff --git a/ci/scripts/build-determinism.sh b/ci/scripts/build-determinism.sh
index 01a1ca39a572..8c88b902bf65 100755
--- a/ci/scripts/build-determinism.sh
+++ b/ci/scripts/build-determinism.sh
@@ -23,13 +23,8 @@ sed -i -e '/.wasm.gz.did/d' "$PATH0/SHA256SUMS" "$PATH1/SHA256SUMS"
 sed -i -e '/disk-img/d' "$PATH0/SHA256SUMS" "$PATH1/SHA256SUMS"
 
 if ! diff -u "$PATH0/SHA256SUMS" "$PATH1/SHA256SUMS"; then
-    cat build-ic/info
     echo "Build Determinism Check Failed!"
-    echo "Contact IDX or investigate by yourself using diffoscope:"
-    echo " * [bazel-test-all]: curl -sfS https://download.dfinity.systems/ic/$VERSION/$PATH0/<artifact> -O"
-    echo " * [build-ic]: curl $(cat build-ic/url) -O"
-    echo "See info for pull the artifacts from both CI jobs above. Specify <artifact> based on logs (e.g. 'ic-admin.gz', 'disk-img.tar.zst')."
-    echo "Note that [build-ic] artifacts.tar contains all the build artifacts (binaries, canisters and IC images)."
+    echo "Contact IDX or investigate by yourself using diffoscope."
     exit 1
 fi
 
diff --git a/ci/scripts/run-build-ic.sh b/ci/scripts/run-build-ic.sh
index 230e51e4b4a7..407595914d5a 100755
--- a/ci/scripts/run-build-ic.sh
+++ b/ci/scripts/run-build-ic.sh
@@ -72,7 +72,4 @@ for DIR in release canisters icos/guestos icos/hostos icos/setupos; do
     fi
 done
 
-EXTERNAL_URL="https://objects.$(echo "${NODE_NAME:-}" | cut -d'-' -f1)-idx1.dfinity.network/$(cat /ceph-s3-info/BUCKET_NAME)/${VERSION}/${CI_JOB_NAME}/artifacts.tar"
-echo -e "Node: ${NODE_NAME:-}\nURL: ${URL}\nExternal URL: ${EXTERNAL_URL}" >./build-ic/info
-echo "${EXTERNAL_URL}" >./build-ic/url
 tar -cf build-ic.tar build-ic
diff --git a/ci/src/artifacts/upload.bzl b/ci/src/artifacts/upload.bzl
index fb69ef525d7e..f25f9734f3e8 100644
--- a/ci/src/artifacts/upload.bzl
+++ b/ci/src/artifacts/upload.bzl
@@ -63,6 +63,7 @@ def _upload_artifact_impl(ctx):
         outputs = [urls],
     )
     out.append(urls)
+    out.append(checksum)
     out.extend(fileurl)
 
     executable = ctx.actions.declare_file(ctx.label.name + ".bin")