feat: reproducible packages #748
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
defaults to $SOURCE_DATE_EPOCH closes #744 closes #734 Signed-off-by: Carlos Alexandro Becker <[email protected]>
pull-request-size
bot
added
the
size/L
Deploying with
|
| Latest commit: |
f2da005
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://387daf8f.nfpm.pages.dev |
| Branch Preview URL: | https://dates.nfpm.pages.dev |
|
PS: jury not set on the field name, feel free to suggest others |
This was referenced Dec 6, 2023
closes #739
pull-request-size
bot
added
size/XL
cognifloyd
approved these changes
Dec 6, 2023
djgilcrease
approved these changes
Dec 6, 2023
Signed-off-by: Carlos Alexandro Becker <[email protected]>
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #748 +/- ##
==========================================
- Coverage 75.36% 74.93% -0.43%
==========================================
Files 10 11 +1
Lines 2440 2466 +26
==========================================
+ Hits 1839 1848 +9
- Misses 425 439 +14
- Partials 176 179 +3 ☔ View full report in Codecov by Sentry. |
cognifloyd
approved these changes
Dec 7, 2023
Signed-off-by: Carlos Alexandro Becker <[email protected]>
derekcollison
added a commit
to nats-io/nats-server
that referenced
this pull request
Dec 23, 2024
Use commit time in mod_timestamp, as documented in: https://goreleaser.com/customization/builds/#reproducible-builds https://goreleaser.com/blog/reproducible-builds/ https://goreleaser.com/customization/templates/?h=templates#common-fields ## Test plan: ### Before. Build two times: ``` goreleaser release --snapshot --clean -f .goreleaser.yml mv dist/ ~/tmp/dist_before goreleaser release --snapshot --clean -f .goreleaser.yml vimdiff dist/SHA256SUMS ~/tmp/dist_before/SHA256SUMS ``` Observe all the shasums are different:  ### After: Do the build two times, ``` goreleaser release --snapshot --clean -f .goreleaser.yml mv dist/ ~/tmp/dist_after goreleaser release --snapshot --clean -f .goreleaser.yml vimdiff dist/SHA256SUMS ~/tmp/dist_after/SHA256SUMS ``` Observe that only rpm and deb packages are different  There was a feature added to goreleaser to make packages reproducible too, but I haven't figured out how to use it yet: goreleaser/nfpm#748 I asked in Discord. We can tackle that separately Signed-off-by: Alex Bozhenko <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds a new
mtimefields to the root of the yaml configuration file, and replace all occurrences oftime.Now()with its value.This should help making packaging reproducible.
Also, if that value is empty, it will default to
$SOURCE_DATE_EPOCHas per reproducible-builds.orgIt also fixes several instances in which ordering could change, changing the contents of the package slightly (namely, usage of maps).
closes #744
closes #734