chore(reproducibility): add buildid= and trimpath

Signed-off-by: Batuhan Apaydın <[email protected]>

.goreleaser.yaml

@@ -22,14 +22,18 @@ builds:
     mod_timestamp: &build-timestamp '{{ .CommitTimestamp }}'
     env: &build-env
       - CGO_ENABLED=0
+    flags: &build-flags
+      - -trimpath
     ldflags: &build-ldflags |
+      -buildid=
       -w
       -s
       -extldflags '-static'
       -X github.com/anchore/grype/internal/version.version={{.Version}}
       -X github.com/anchore/grype/internal/version.syftVersion={{.Env.SYFT_VERSION}}
       -X github.com/anchore/grype/internal/version.gitCommit={{.Commit}}
       -X github.com/anchore/grype/internal/version.buildDate={{.Date}}
+      -X github.com/anchore/grype/internal/version.buildDate={{.Env.BUILD_DATE}}
       -X github.com/anchore/grype/internal/version.gitDescription={{.Summary}}
 
   - id: darwin-build

Makefile

@@ -9,6 +9,14 @@ RELEASE_CMD=$(TEMPDIR)/goreleaser release --rm-dist
 SNAPSHOT_CMD=$(RELEASE_CMD) --skip-publish --snapshot
 VERSION=$(shell git describe --dirty --always --tags)
 
+# https://reproducible-builds.org/docs/source-date-epoch/
+DATE_FMT = +%Y-%m-%dT%H:%M:%SZ
+ifdef SOURCE_DATE_EPOCH
+    BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "$(DATE_FMT)" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "$(DATE_FMT)" 2>/dev/null || date -u "$(DATE_FMT)")
+else
+    BUILD_DATE ?= $(shell date "$(DATE_FMT)")
+endif
+
 # formatting variables
 BOLD := $(shell tput -T linux bold)
 PURPLE := $(shell tput -T linux setaf 5)
@@ -206,6 +214,7 @@ $(SNAPSHOTDIR): ## Build snapshot release binaries and packages
 
 	# build release snapshots
 	bash -c "\
+		BUILD_DATE=$(BUILD_DATE) \
 		SKIP_SIGNING=true \
 		SYFT_VERSION=$(SYFT_VERSION)\
 			$(SNAPSHOT_CMD) --skip-sign --config $(TEMPDIR)/goreleaser.yaml"