From 504055e620c42fce2e1200ec77060791c85c0424 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Batuhan=20Apayd=C4=B1n?= Date: Thu, 24 Feb 2022 10:27:34 +0300 Subject: [PATCH] chore(reproducibility): add buildid= and trimpath MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Batuhan Apaydın --- .goreleaser.yaml | 4 ++++ Makefile | 9 +++++++++ 2 files changed, 13 insertions(+) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 4164d1ea8dbb..991ce6149369 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -22,7 +22,10 @@ builds: mod_timestamp: &build-timestamp '{{ .CommitTimestamp }}' env: &build-env - CGO_ENABLED=0 + flags: &build-flags + - -trimpath ldflags: &build-ldflags | + -buildid= -w -s -extldflags '-static' @@ -30,6 +33,7 @@ builds: -X github.com/anchore/grype/internal/version.syftVersion={{.Env.SYFT_VERSION}} -X github.com/anchore/grype/internal/version.gitCommit={{.Commit}} -X github.com/anchore/grype/internal/version.buildDate={{.Date}} + -X github.com/anchore/grype/internal/version.buildDate={{.Env.BUILD_DATE}} -X github.com/anchore/grype/internal/version.gitDescription={{.Summary}} - id: darwin-build diff --git a/Makefile b/Makefile index b4fe7bba1e86..a151d640da75 100644 --- a/Makefile +++ b/Makefile @@ -9,6 +9,14 @@ RELEASE_CMD=$(TEMPDIR)/goreleaser release --rm-dist SNAPSHOT_CMD=$(RELEASE_CMD) --skip-publish --snapshot VERSION=$(shell git describe --dirty --always --tags) +# https://reproducible-builds.org/docs/source-date-epoch/ +DATE_FMT = +%Y-%m-%dT%H:%M:%SZ +ifdef SOURCE_DATE_EPOCH + BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "$(DATE_FMT)" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "$(DATE_FMT)" 2>/dev/null || date -u "$(DATE_FMT)") +else + BUILD_DATE ?= $(shell date "$(DATE_FMT)") +endif + # formatting variables BOLD := $(shell tput -T linux bold) PURPLE := $(shell tput -T linux setaf 5) 
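Review bot: In the `.goreleaser.yaml` hunk `@@ -22,7 +25,10 @@`, the new `flags: &build-flags` anchor is defined on the first build only, and nothing in this patch adds a matching alias to the `darwin-build` entry that follows. `-buildid=` is added inside the existing `&build-ldflags` block, so it reaches any build that aliases that anchor, but `-trimpath` does not travel with it. The other build entries are outside the hunk, so this is inferred; if they only reference `*build-ldflags`, they would still embed the builder's absolute source paths and would not be reproducible. Adding `flags: *build-flags` to each remaining build closes the gap.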
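Review bot: In the `.goreleaser.yaml` hunk `@@ -30,6 +33,7 @@`, the existing `-X github.com/anchore/grype/internal/version.buildDate={{.Date}}` line is kept, since the header counts show one addition and no removal. The linker therefore receives two `-X` settings for the same symbol, and which one takes effect depends on flag order, which is easy to break in a later edit. `{{.Date}}` is the wall-clock time of the goreleaser run, so if it ever wins, the binary is no longer reproducible. Delete the `{{.Date}}` line so that `{{.Env.BUILD_DATE}}` is the only source of the embedded date.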
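Review bot: In the `Makefile` hunk `@@ -9,6 +9,14 @@`, the `else` branch runs `date "$(DATE_FMT)"` without `-u`, yet `DATE_FMT` ends in a literal `Z`, so on a non-UTC builder the embedded timestamp is local time labelled as UTC. Use `BUILD_DATE ?= $(shell date -u "$(DATE_FMT)")`, matching the three `date -u` calls in the `ifdef` branch. Separately, `$(SOURCE_DATE_EPOCH)` is spliced into the `$(shell …)` command line as-is, so it is worth rejecting non-numeric values with `$(error …)` before use, especially where CI can influence the environment. Because `?=` creates a recursively expanded variable, the `date` command is re-run on every expansion of `BUILD_DATE`; capturing the value once with `:=` inside an `ifndef BUILD_DATE` guard would keep it stable within one make run.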
@@ -206,6 +214,7 @@ $(SNAPSHOTDIR): ## Build snapshot release binaries and packages # build release snapshots bash -c "\ + BUILD_DATE=$(BUILD_DATE) \ SKIP_SIGNING=true \ SYFT_VERSION=$(SYFT_VERSION)\ $(SNAPSHOT_CMD) --skip-sign --config $(TEMPDIR)/goreleaser.yaml"
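Review bot: The added `BUILD_DATE=$(BUILD_DATE) \` line is expanded by make into the `bash -c "…"` string unquoted, so a `BUILD_DATE` overridden from the command line or environment that contains a space or shell metacharacter would be parsed as extra words or commands. Writing `BUILD_DATE='$(BUILD_DATE)' \` keeps it a single word for the inner shell, and `export BUILD_DATE` at file level would avoid the text interpolation altogether. Also, only the snapshot recipe is updated here, while the config now references `{{.Env.BUILD_DATE}}`. Any other recipe that runs goreleaser with that config, such as one using `RELEASE_CMD`, needs the variable in its environment too, or template resolution will likely fail. Those recipes are outside this patch, so please confirm; the `$(SNAPSHOTDIR)` recipe itself also starts before this hunk.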