Make goreleaser archives reproducible #6299

Merged
merged 1 commit into from
Dec 23, 2024

Contributor

@alexbozhenko alexbozhenko commented Dec 23, 2024

Use commit time in mod_timestamp, as documented in:
https://goreleaser.com/customization/builds/#reproducible-builds
https://goreleaser.com/blog/reproducible-builds/
https://goreleaser.com/customization/templates/?h=templates#common-fields

Test plan:

Before.

Build two times:

goreleaser release --snapshot --clean -f .goreleaser.yml
mv dist/ ~/tmp/dist_before
goreleaser release --snapshot --clean -f .goreleaser.yml 
vimdiff dist/SHA256SUMS ~/tmp/dist_before/SHA256SUMS

Observe all the shasums are different:

After:

Do the build two times,

goreleaser release --snapshot --clean -f .goreleaser.yml
mv dist/ ~/tmp/dist_after
goreleaser release --snapshot --clean -f .goreleaser.yml 
vimdiff dist/SHA256SUMS ~/tmp/dist_after/SHA256SUMS

Observe that only rpm and deb packages are different

There was a feature added to goreleaser to make packages reproducible too, but I haven't figured out how to use it yet:
goreleaser/nfpm#748
I asked in Discord. We can tackle that separately.

Signed-off-by: Alex Bozhenko [email protected]
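
The before/after comparison from the test plan above, as a script that lists which artifacts differ between two builds instead of reading a vimdiff. This is an added example, not part of the PR or the project's tooling; the function names are hypothetical and the hashes and artifact names in `demo` are constructed.

```shell
#!/bin/sh
# Added example: report which release artifacts differ between two builds
# by comparing their checksum files ("<hash>  <name>" per line).

# list_diffs BEFORE AFTER
# Prints sorted "CHANGED|EXTRA|MISSING <artifact>" lines; prints nothing when
# every artifact has the same hash in both files.
list_diffs() {
    awk -v before_file="$1" '
        # Strip the hash, the separator and the optional binary "*" marker.
        function name_of(line) { sub(/^[^ \t]+[ \t]+\*?/, "", line); return line }
        BEGIN {
            while ((getline line < before_file) > 0) {
                if (line == "") continue
                split(line, f, /[ \t]+/)
                before[name_of(line)] = f[1]
            }
        }
        NF == 0 { next }
        {
            name = name_of($0); seen[name] = 1
            if (!(name in before))        print "EXTRA " name
            else if (before[name] != $1)  print "CHANGED " name
        }
        END { for (n in before) if (!(n in seen)) print "MISSING " n }
    ' "$2" | sort
}

# is_reproducible BEFORE AFTER: exit status 0 only when nothing differs,
# so it can gate a CI job that builds twice.
is_reproducible() {
    [ -z "$(list_diffs "$1" "$2")" ]
}

# Constructed sample data: made-up short hashes, hypothetical artifact names.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'aaaa1111  app-linux-amd64.tar.gz' \
        'bbbb2222  app-amd64.deb' 'cccc3333  app-amd64.rpm' > "$tmp/before"
    printf '%s\n' 'aaaa1111  app-linux-amd64.tar.gz' \
        'dddd4444  app-amd64.deb' 'eeee5555  app-amd64.rpm' > "$tmp/after"
    list_diffs "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}
demo
```

Against real output it would be called as `list_diffs ~/tmp/dist_after/SHA256SUMS dist/SHA256SUMS`.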

@alexbozhenko alexbozhenko force-pushed the goreleaser_reproducible branch from a6e8d60 to 48d31ed Compare December 23, 2024 20:04
@alexbozhenko alexbozhenko force-pushed the goreleaser_reproducible branch from 48d31ed to 7751bc9 Compare December 23, 2024 20:06
@alexbozhenko alexbozhenko changed the title use commit time in mod_timestamp Make goreleaser archives reproducible Dec 23, 2024
@alexbozhenko alexbozhenko marked this pull request as ready for review December 23, 2024 20:15
@alexbozhenko alexbozhenko requested a review from a team as a code owner December 23, 2024 20:15
Member

@wallyqs wallyqs left a comment

LGTM, the binary is already reproducible but this would make the tarballs from the release reproducible as well.

@derekcollison derekcollison merged commit c4b778c into nats-io:main Dec 23, 2024
2 checks passed