Support reproducible builds using SOURCE_DATE_EPOCH #994
Comments
It should already be possible using the

```yaml
- name: Build and push
  uses: docker/build-push-action@v5
  with:
    context: .
    push: true
    tags: user/app:latest
  env:
    SOURCE_DATE_EPOCH: 0
```

@dvdksn Maybe we could have a new section in https://docs.docker.com/build/ci/github-actions/ about reproducible builds?

Yeah sounds like a good addition. Noted
Repost from #1043

Contributing guidelines
I've found a bug, and:

Description
The logs show that the sha256 for all layers for the registry cache are the same except for config.

Expected behaviour
The sha256 for the registry cache config should be the same.

Actual behaviour

Repository URL
https://github.com/huxuan/ss-python

Workflow run URL
/actions/runs/7709174339/job/21009975797

YAML workflow

```yaml
container-publish:
  needs: release-publish
  permissions:
    contents: read
    packages: write
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0
    - uses: docker/setup-buildx-action@v3
    - uses: docker/login-action@v3
      with:
        password: ${{ secrets.GITHUB_TOKEN }}
        registry: ghcr.io
        username: ${{ github.actor }}
    - env:
        SOURCE_DATE_EPOCH: 0
      uses: docker/build-push-action@v5
      with:
        build-args: |
          PYTHON_VERSION=${{ matrix.python-version }}
        cache-from: |
          type=registry,ref=ghcr.io/${{ github.repository }}:build-cache-dev-py${{ matrix.python-version }}
        cache-to: type=registry,ref=ghcr.io/${{ github.repository }}:build-cache-dev-py${{ matrix.python-version }},mode=max
        context: .
        file: .devcontainer/prebuild/.devcontainer/Dockerfile
        provenance: false
        push: true
        tags: |
          ghcr.io/${{ github.repository }}:dev-py${{ matrix.python-version }}
          ghcr.io/${{ github.repository }}:dev-py${{ matrix.python-version }}-${{ github.ref_name }}
        target: dev
    - env:
        SOURCE_DATE_EPOCH: 0
      uses: docker/build-push-action@v5
      with:
        build-args: |
          PYTHON_VERSION=${{ matrix.python-version }}
          PDM_BUILD_SCM_VERSION=${{ github.ref_name }}
        cache-from: |
          type=registry,ref=ghcr.io/${{ github.repository }}:build-cache-dev-py${{ matrix.python-version }}
          type=registry,ref=ghcr.io/${{ github.repository }}:build-cache-prod-py${{ matrix.python-version }}
        cache-to: type=registry,ref=ghcr.io/${{ github.repository }}:build-cache-prod-py${{ matrix.python-version }},mode=max
        context: .
        file: .devcontainer/prebuild/.devcontainer/Dockerfile
        provenance: false
        push: true
        tags: |
          ghcr.io/${{ github.repository }}:prod-py${{ matrix.python-version }}
          ghcr.io/${{ github.repository }}:prod-py${{ matrix.python-version }}-${{ github.ref_name }}
        target: prod
  strategy:
    matrix:
      python-version:
        - '3.8'
        - '3.9'
        - '3.10'
        - '3.11'
        - '3.12'
```

Workflow logs
Attempt 1: https://github.com/huxuan/ss-python/actions/runs/7709174339/job/21009847395
Attempt 2: https://github.com/huxuan/ss-python/actions/runs/7709174339/job/21009975797

BuildKit logs
No response

Additional info

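When two builds agree on every layer digest but not on the config digest, as in the report above, diffing the two config documents shows which fields drift. The following is an added example, not code from the issue or from docker/build-push-action; the two documents are constructed samples laid out like an OCI image config, and the helper names are hypothetical.

```python
import hashlib
import json
from datetime import datetime

# Constructed sample configs (OCI image config layout); not taken from the issue.
BUILD_1 = {
    "architecture": "amd64", "os": "linux",
    "created": "2024-01-30T08:11:02Z",
    "rootfs": {"type": "layers", "diff_ids": ["sha256:" + "a" * 64]},
    "history": [{"created": "2024-01-30T08:11:02Z", "created_by": "RUN pip install pdm"}],
}
BUILD_2 = json.loads(json.dumps(BUILD_1))  # deep copy, then simulate a second run
BUILD_2["created"] = BUILD_2["history"][0]["created"] = "2024-01-30T08:19:47Z"

def digest(doc):
    """sha256 of a canonical serialization (a registry hashes the stored bytes)."""
    blob = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(blob).hexdigest()

def is_timestamp(value):
    """True for RFC 3339 style strings such as 2024-01-30T08:11:02Z."""
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except (AttributeError, ValueError):
        return False

def diff_paths(a, b, path=""):
    """Return (json_path, a_value, b_value) for every leaf that differs."""
    if isinstance(a, dict) and isinstance(b, dict):
        out = []
        for k in sorted(set(a) | set(b)):
            out += diff_paths(a.get(k), b.get(k), f"{path}.{k}" if path else k)
        return out
    if isinstance(a, list) and isinstance(b, list) and len(a) == len(b):
        out = []
        for i, (x, y) in enumerate(zip(a, b)):
            out += diff_paths(x, y, f"{path}[{i}]")
        return out
    return [] if a == b else [(path, a, b)]

def explain(a, b):
    """Split differing paths into timestamp-only drift and everything else."""
    diffs = diff_paths(a, b)
    ts = [p for p, x, y in diffs if is_timestamp(x) and is_timestamp(y)]
    other = [p for p, x, y in diffs if not (is_timestamp(x) and is_timestamp(y))]
    return {"same_digest": digest(a) == digest(b), "timestamp_drift": ts, "other": other}

if __name__ == "__main__":
    print(json.dumps(explain(BUILD_1, BUILD_2), indent=2))
```

Paths listed under `timestamp_drift` are candidates for pinning with `SOURCE_DATE_EPOCH`; anything under `other` points to a different source of nondeterminism.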
Description
Right now, builds are not reproducible. An important step towards that goal would be supporting timestamps as per reproducible-builds.org and the Docker blog.

I propose a new field called `source-date-epoch` with the following behaviour:

- `SOURCE_DATE_EPOCH` is set to the specified value and is passed on to docker