reproducible build test

.cargo/config.toml

@@ -2,6 +2,7 @@
 [target.'cfg(all())']
 rustflags = [
     "--cfg", "tokio_unstable",
+    "-Zremap-cwd-prefix=/reproducible-cwd",
     "--remap-path-prefix=$HOME=/reproducible-home",
     "--remap-path-prefix=$PWD=/reproducible-pwd",
 ]

.github/workflows/build.yml

@@ -87,6 +87,7 @@ jobs:
           use-cross: ${{ matrix.cargo-cross }}
           args: --all-features --release --target ${{ matrix.target }}
         env:
+          ENV SOURCE_DATE_EPOCH: "0" # for rust-embed determinism
           CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUSTFLAGS: "--cfg tokio_unstable --remap-path-prefix=$HOME=/reproducible-home --remap-path-prefix=$PWD=/reproducible-pwd"
           CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_RUSTFLAGS: "--cfg tokio_unstable --remap-path-prefix=$HOME=/reproducible-home --remap-path-prefix=$PWD=/reproducible-pwd"
           CARGO_TARGET_X86_64_APPLE_DARWIN_RUSTFLAGS: "--cfg tokio_unstable --remap-path-prefix=$HOME=/reproducible-home --remap-path-prefix=$PWD=/reproducible-pwd"

.github/workflows/docker.yml

@@ -29,6 +29,8 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write
+      attestations: write
 
     steps:
       - name: Checkout repository
@@ -56,12 +58,24 @@ jobs:
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
+      - name: Build Docker image without pushing
+        if: github.event_name == 'pull_request'
+        id: build-no-push
+        uses: docker/build-push-action@v6.13.0
+        with:
+          file: docker/Dockerfile
+          push: false
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: ${{ matrix.docker-platform }}
+          cache-from: type=gha,scope=build-${{ matrix.docker-platform }}
+
       - name: Build and push Docker image
+        if: github.event_name != 'pull_request'
         id: build
         uses: docker/build-push-action@v6.13.0
         with:
           file: docker/Dockerfile
-          push: ${{ github.event_name != 'pull_request' }}
+          push: true
           labels: ${{ steps.meta.outputs.labels }}
           platforms: ${{ matrix.docker-platform }}
           cache-from: type=gha,scope=build-${{ matrix.docker-platform }}
@@ -73,12 +87,14 @@ jobs:
           provenance: false
 
       - name: Export digest
+        if: github.event_name != 'pull_request'
         run: |
           mkdir -p ${{ runner.temp }}/digests
           digest="${{ steps.build.outputs.digest }}"
           touch "${{ runner.temp }}/digests/${digest#sha256:}"
 
       - name: Upload digest
+        if: github.event_name != 'pull_request'
         uses: actions/upload-artifact@v4
         with:
           name: digests-${{ matrix.matrix-id }}
@@ -87,6 +103,7 @@ jobs:
           retention-days: 1
 
   merge:
+    if: github.event_name != 'pull_request'
     runs-on: ubuntu-latest
     needs:
       - build
@@ -102,7 +119,6 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: Log into registry ${{ env.REGISTRY }}
-        if: github.event_name != 'pull_request'
         uses: docker/login-action@v3.3.0
         with:
           registry: ${{ env.REGISTRY }}

.github/workflows/reprotest.yml

@@ -2,7 +2,7 @@ name: Reproducibility test
 permissions:
   contents: read
 
-on: [workflow_dispatch]
+on: workflow_dispatch
 
 jobs:
   reprotest:
@@ -29,4 +29,5 @@ jobs:
 
       - name: Reprotest
         run: |
-          sudo env "PATH=$PATH" reprotest -vv --vary=environment,build_path,kernel,aslr,num_cpus --build-command 'just npm ci; just npm run build; cargo build --all-features --release' . target/release/warpgate
+          sudo ulimit -n 999999
+          sudo env "PATH=$PATH" reprotest -vv --min-cpus=99999 --vary=environment,build_path,kernel,aslr,num_cpus,-time,-user_group,fileordering,domain_host,home,locales,exec_path,timezone,umask --build-command 'just npm ci; just npm run build; SOURCE_DATE_EPOCH=0 cargo build --all-features --release' . target/release/warpgate

docker/Dockerfile

@@ -11,6 +11,7 @@ RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
 
 COPY . /opt/warpgate
 
+ENV SOURCE_DATE_EPOCH 0 # for rust-embed determinism
 RUN cd /opt/warpgate \
     && just npm ci \
     && just openapi \

rust-toolchain

@@ -1 +1 @@
-1.84.0
+nightly-2025-01-01