flowey: add reproducible build verification job

[justus-camp-microsoft]

A lot of changes folded into this one:

1. Introduces some new build profiles, underhill-ship-reproducible and boot-release-reproducible. There's an issue with fat LTO and thin LTO causing non-reproducible binaries that we'll need to either get fixed to be have a reliably reproducible build or we'll have to ship with LTO off
2. Builds the binary twice, once using the underlying flowey node directly and one using the local command line. The idea here is that on any given commit you should be able to reproduce the CI artifact binary by running cargo xflowey build-reproducible x64-cvm --release. There's a flowey job that does this and then diffs them.
3. As a part of this we now have a node that install Nix on the CI runner.

[Copilot]

Pull request overview

This PR adds a CI gate to verify reproducible OpenHCL IGVM builds by introducing reproducible-focused Cargo profiles and new flowey jobs/nodes to build the same artifact two ways (node-based vs. local pipeline invocation) and byte-compare the outputs, including bootstrapping Nix on CI runners.

Changes:

• Add new reproducible build profiles (underhill-ship-reproducible, boot-release-reproducible) and wire them through flowey build profile enums.
• Add CI jobs to run build-reproducible locally in CI, publish outputs, and byte-compare against the node-based build.
• Add a shared install_nix flowey node and use it from relevant jobs.

Reviewed changes

Copilot reviewed 14 out of 17 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
flowey/flowey_lib_hvlite/src/run_cargo_build.rs	Adds new BuildProfile variants mapping to the new Cargo profiles.
flowey/flowey_lib_hvlite/src/build_openvmm_hcl.rs	Adds OpenvmmHclShipReproducible and maps it to the new build profile.
flowey/flowey_lib_hvlite/src/build_openhcl_igvm_from_recipe.rs	Wires the reproducible HCL profile into sidecar + boot profile selection.
flowey/flowey_lib_hvlite/src/build_openhcl_boot.rs	Adds ReleaseReproducible boot profile and maps to the new cargo build profile.
flowey/flowey_lib_hvlite/src/_jobs/test_reproducible_build.rs	New job to run the local reproducible pipeline in CI and publish outputs.
flowey/flowey_lib_hvlite/src/_jobs/mod.rs	Exposes the newly added reproducible-build job modules.
flowey/flowey_lib_hvlite/src/_jobs/local_build_igvm.rs	Adds output label for the new ship-reproducible profile.
flowey/flowey_lib_hvlite/src/_jobs/check_reproducible_build.rs	New job to compare produced artifact binaries for byte-identical output.
flowey/flowey_lib_hvlite/src/_jobs/cfg_nix.rs	Ensures Nix is installed before resolving Nix dependency paths.
flowey/flowey_lib_common/src/lib.rs	Exports the new install_nix node module.
flowey/flowey_lib_common/src/install_nix.rs	New node to install Nix (and ensure nix-shell is on PATH) in CI.
flowey/flowey_hvlite/src/pipelines/checkin_gates.rs	Adds GitHub check-in gate jobs to build and verify reproducible outputs.
flowey/flowey_hvlite/src/pipelines/build_reproducible.rs	Updates release mode to use reproducible profiles and adds CI guard/override.
Cargo.toml	Defines the two new reproducible Cargo profiles.

Comments suppressed due to low confidence (1)

flowey/flowey_hvlite/src/pipelines/build_reproducible.rs:112

• build-reproducible is marked local-only, but it unconditionally creates a Linux(Nix) job. When a user runs this CLI on non-Linux hosts, pipeline run will silently skip the job due to platform mismatch and still exit successfully. Consider failing early with a clear error if the host platform isn’t Linux (or otherwise ensuring the pipeline can’t “succeed” without producing artifacts).

    fn into_pipeline(self, backend_hint: PipelineBackendHint) -> anyhow::Result<Pipeline> {
        if !matches!(backend_hint, PipelineBackendHint::Local) {
            anyhow::bail!("build-reproducible is for local use only")
        }

        bail_if_running_in_ci()?;

        let Self { recipe, release } = self;

        let mut pipeline = Pipeline::new();

        let (pub_openhcl_igvm, _use_openhcl_igvm) = pipeline.new_artifact("x64-cvm-openhcl-igvm");
        let (pub_openhcl_igvm_extras, _use_openhcl_igvm_extras) =
            pipeline.new_artifact("x64-cvm-openhcl-igvm-extras");

        let local_run_args = {
            let mut args = crate::pipelines_shared::cfg_common_params::LocalRunArgs::default();
            args.locked = true;
            args.no_incremental = true;
            args
        };
        let cfg_common_params = crate::pipelines_shared::cfg_common_params::get_cfg_common_params(
            &mut pipeline,
            backend_hint,
            Some(local_run_args),
        )?;

        let openvmm_repo_source =
            RepoSource::ExistingClone(ReadVar::from_static(crate::repo_root()));

        let mut job = pipeline.new_job(
            FlowPlatform::Linux(FlowPlatformLinuxDistro::Nix),
            FlowArch::host(backend_hint),
            "build-reproducible",
        );

[Copilot]

Pull request overview

Copilot reviewed 15 out of 18 changed files in this pull request and generated no new comments.