From dfc0225c00f9464baa7fd4e7b5a58280bec51bbb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Batuhan=20Apayd=C4=B1n?= Date: Thu, 24 Feb 2022 10:27:34 +0300 Subject: [PATCH] chore(reproducibility): add buildid= and trimpath MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Batuhan Apaydın --- .goreleaser.yaml | 9 ++++++--- Makefile | 13 ++++++++++++- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 4164d1ea8db..c6586a77d7b 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -22,14 +22,17 @@ builds: mod_timestamp: &build-timestamp '{{ .CommitTimestamp }}' env: &build-env - CGO_ENABLED=0 + flags: &build-flags + - -trimpath ldflags: &build-ldflags | + -buildid= -w -s -extldflags '-static' -X github.com/anchore/grype/internal/version.version={{.Version}} -X github.com/anchore/grype/internal/version.syftVersion={{.Env.SYFT_VERSION}} -X github.com/anchore/grype/internal/version.gitCommit={{.Commit}} - -X github.com/anchore/grype/internal/version.buildDate={{.Date}} + -X github.com/anchore/grype/internal/version.buildDate={{.Env.BUILD_DATE}} -X github.com/anchore/grype/internal/version.gitDescription={{.Summary}} - id: darwin-build @@ -102,7 +105,7 @@ dockers: use: buildx build_flag_templates: - "--platform=linux/amd64" - - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_DATE={{.Env.BUILD_DATE}}" - "--build-arg=BUILD_VERSION={{.Version}}" - "--build-arg=VCS_REF={{.FullCommit}}" - "--build-arg=VCS_URL={{.GitURL}}" @@ -116,7 +119,7 @@ dockers: use: buildx build_flag_templates: - "--platform=linux/arm64/v8" - - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_DATE={{.Env.BUILD_DATE}}" - "--build-arg=BUILD_VERSION={{.Version}}" - "--build-arg=VCS_REF={{.FullCommit}}" - "--build-arg=VCS_URL={{.GitURL}}" diff --git a/Makefile b/Makefile index b4fe7bba1e8..67251019130 100644 --- a/Makefile +++ b/Makefile 
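Review bot: The new `flags: &build-flags` anchor carrying `-trimpath` is defined on this build entry only, and no other line in the patch aliases it, so the `darwin-build` entry that begins at the end of this hunk (and any later build) appears to keep compiling without `-trimpath`. If those entries reuse `*build-ldflags` they inherit `-buildid=` but would still embed absolute source paths, leaving those artifacts dependent on the build directory. Adding `flags: *build-flags` to each remaining build entry would close the gap; those entries lie outside the hunk, so this should be confirmed against the full file.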
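Review bot: `BUILD_DATE` is now read from `{{.Env.BUILD_DATE}}` here, in the arm64 image hunk below and in the `buildDate` ldflag above, which ties the embedded date to whatever the caller exports rather than to the commit. As far as I know goreleaser fails template rendering when a referenced environment variable is unset, so an invocation that bypasses the Makefile must set `BUILD_DATE` itself. Since `mod_timestamp` already uses `{{ .CommitTimestamp }}`, `{{ .CommitDate }}` would give a value that is deterministic per commit without an extra variable; if the env var stays, a comment such as `# BUILD_DATE is exported by the Makefile (derived from SOURCE_DATE_EPOCH)` would document the dependency.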
@@ -9,6 +9,14 @@ RELEASE_CMD=$(TEMPDIR)/goreleaser release --rm-dist SNAPSHOT_CMD=$(RELEASE_CMD) --skip-publish --snapshot VERSION=$(shell git describe --dirty --always --tags) +# https://reproducible-builds.org/docs/source-date-epoch/ +DATE_FMT = +%Y-%m-%dT%H:%M:%SZ +ifdef SOURCE_DATE_EPOCH + BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "$(DATE_FMT)" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "$(DATE_FMT)" 2>/dev/null || date -u "$(DATE_FMT)") +else + BUILD_DATE ?= $(shell date "$(DATE_FMT)") +endif + # formatting variables BOLD := $(shell tput -T linux bold) PURPLE := $(shell tput -T linux setaf 5) @@ -206,6 +214,7 @@ $(SNAPSHOTDIR): ## Build snapshot release binaries and packages # build release snapshots bash -c "\ + BUILD_DATE=$(BUILD_DATE) \ SKIP_SIGNING=true \ SYFT_VERSION=$(SYFT_VERSION)\ $(SNAPSHOT_CMD) --skip-sign --config $(TEMPDIR)/goreleaser.yaml" @@ -222,7 +231,8 @@ snapshot-with-signing: ## Build snapshot release binaries and packages (with dum # build release snapshots bash -c "\ - SYFT_VERSION=$(SYFT_VERSION)\ + SYFT_VERSION=$(SYFT_VERSION) \ + BUILD_DATE=$(BUILD_DATE) \ $(SNAPSHOT_CMD) --config $(TEMPDIR)/goreleaser.yaml || (cat .github/scripts/apple-signing/log/*.txt && false)" # remove the keychain with the trusted self-signed cert automatically @@ -265,6 +275,7 @@ release: clean-dist CHANGELOG.md ## Build and publish final binaries and packag # note: notarization cannot be done in parallel, thus --parallelism 1 bash -c "\ SYFT_VERSION=$(SYFT_VERSION)\ + BUILD_DATE=$(BUILD_DATE) \ $(RELEASE_CMD) \ --config $(TEMPDIR)/goreleaser.yaml \ --parallelism 1 \
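Review bot: The `else` branch runs `date "$(DATE_FMT)"` without `-u`, yet `DATE_FMT` ends in a literal `Z`, so on a host outside UTC the stamp is local time labelled as UTC; it should read `BUILD_DATE ?= $(shell date -u "$(DATE_FMT)")`. In the `ifdef` branch the last fallback, `date -u "$(DATE_FMT)"`, silently substitutes the current time when `SOURCE_DATE_EPOCH` cannot be parsed, which hides a non-reproducible build; dropping that fallback and raising `$(error ...)` on an empty result would surface the problem. Because `?=` defines a recursively expanded variable, the `$(shell ...)` call is also re-run at every expansion in the recipes further down.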
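Review bot: `BUILD_DATE=$(BUILD_DATE)` is pasted unquoted into the `bash -c "..."` string in the `$(SNAPSHOTDIR)` recipe and again in the `snapshot-with-signing` and `release` hunks below, and because the variable is assigned with `?=` its value can come from the environment or the command line. A value containing a space or a shell metacharacter would be split or interpreted by bash instead of reaching goreleaser as one string. Declaring `export BUILD_DATE` next to its definition lets goreleaser read it from the environment, so the three inline assignments would no longer be needed. The neighbouring `SYFT_VERSION=$(SYFT_VERSION)` has the same shape, and the recipe starts above this hunk.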
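Review bot: In the `release` hunk the context line `SYFT_VERSION=$(SYFT_VERSION)\` directly above the added `BUILD_DATE` line has no space before the backslash, whereas the `snapshot-with-signing` hunk changes the same line to `SYFT_VERSION=$(SYFT_VERSION) \`. Inside the double-quoted `bash -c` string the backslash-newline is removed, so the two assignments stay separate only through the indentation of the following line, which is not recoverable from this view. Writing `SYFT_VERSION=$(SYFT_VERSION) \` here, and in the `$(SNAPSHOTDIR)` recipe, removes that dependence on whitespace. The `release` recipe continues past the end of the hunk.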