From 64ec2a8b4b9fe3cd47400cf1232c8cdae04a9d90 Mon Sep 17 00:00:00 2001
From: Eugene
Date: Fri, 21 Mar 2025 23:46:54 +0100
Subject: [PATCH] reproducible build test
---
 .cargo/config.toml | 1 +
 .github/workflows/build.yml | 1 +
 .github/workflows/docker.yml | 20 ++++++++++++++++++--
 .github/workflows/reprotest.yml | 5 +++--
 docker/Dockerfile | 1 +
 rust-toolchain | 2 +-
 6 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/.cargo/config.toml b/.cargo/config.toml
index 9f6de608..8ab42254 100644
--- a/.cargo/config.toml
+++ b/.cargo/config.toml
@@ -2,6 +2,7 @@
 [target.'cfg(all())']
 rustflags = [
 "--cfg", "tokio_unstable",
+ "-Zremap-cwd-prefix=/reproducible-cwd",
 "--remap-path-prefix=$HOME=/reproducible-home",
 "--remap-path-prefix=$PWD=/reproducible-pwd",
 ]
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e6430848..97612998 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -87,6 +87,7 @@ jobs:
 use-cross: ${{ matrix.cargo-cross }}
 args: --all-features --release --target ${{ matrix.target }}
 env:
+ ENV SOURCE_DATE_EPOCH: "0" # for rust-embed determinism
 CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUSTFLAGS: "--cfg tokio_unstable --remap-path-prefix=$HOME=/reproducible-home --remap-path-prefix=$PWD=/reproducible-pwd"
 CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_RUSTFLAGS: "--cfg tokio_unstable --remap-path-prefix=$HOME=/reproducible-home --remap-path-prefix=$PWD=/reproducible-pwd"
 CARGO_TARGET_X86_64_APPLE_DARWIN_RUSTFLAGS: "--cfg tokio_unstable --remap-path-prefix=$HOME=/reproducible-home --remap-path-prefix=$PWD=/reproducible-pwd"
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 5ec4cfa8..7dde70d1 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -29,6 +29,8 @@ jobs:
 permissions:
 contents: read
 packages: write
+ id-token: write
+ attestations: write
 steps:
 - name: Checkout repository
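Review bot: The added `-Zremap-cwd-prefix` is an unstable `-Z` flag, so every `cargo build` that picks up this config now requires a nightly compiler, and nothing on this line says so; that is presumably why the same commit moves `rust-toolchain` from 1.84.0 to `nightly-2025-01-01`, but the coupling is invisible to anyone editing either file later. I would put a comment directly above the flag: `# unstable (-Z): requires the nightly toolchain pinned in rust-toolchain; stable rustc rejects it`. Shipping release binaries from a nightly for the sake of one remap flag is also a trade-off worth recording in that comment, since nightly carries no stability guarantee.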
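Review bot: The key added under `env:` is literally `ENV SOURCE_DATE_EPOCH` (Dockerfile syntax pasted into YAML), so the variable the comment promises, `SOURCE_DATE_EPOCH`, is never exported to the build step and the rust-embed determinism it is meant to provide does not happen in this workflow. Change the line to `SOURCE_DATE_EPOCH: "0"  # for rust-embed determinism`; keeping the value quoted is correct, since a bare `0` would otherwise be typed as an integer by YAML. The step and job this `env:` belongs to start outside the hunk.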
@@ -56,12 +58,24 @@ jobs:
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ - name: Build Docker image without pushing
+ if: github.event_name == 'pull_request'
+ id: build-no-push
+ uses: docker/build-push-action@v6.13.0
+ with:
+ file: docker/Dockerfile
+ push: false
+ labels: ${{ steps.meta.outputs.labels }}
+ platforms: ${{ matrix.docker-platform }}
+ cache-from: type=gha,scope=build-${{ matrix.docker-platform }}
+
 - name: Build and push Docker image
+ if: github.event_name != 'pull_request'
 id: build
 uses: docker/build-push-action@v6.13.0
 with:
 file: docker/Dockerfile
- push: ${{ github.event_name != 'pull_request' }}
+ push: true
 labels: ${{ steps.meta.outputs.labels }}
 platforms: ${{ matrix.docker-platform }}
 cache-from: type=gha,scope=build-${{ matrix.docker-platform }}
@@ -73,12 +87,14 @@ jobs:
 provenance: false
 - name: Export digest
+ if: github.event_name != 'pull_request'
 run: |
 mkdir -p ${{ runner.temp }}/digests
 digest="${{ steps.build.outputs.digest }}"
 touch "${{ runner.temp }}/digests/${digest#sha256:}"
 - name: Upload digest
+ if: github.event_name != 'pull_request'
 uses: actions/upload-artifact@v4
 with:
 name: digests-${{ matrix.matrix-id }}
@@ -87,6 +103,7 @@ jobs:
 retention-days: 1
 merge:
+ if: github.event_name != 'pull_request'
 runs-on: ubuntu-latest
 needs:
 - build
@@ -102,7 +119,6 @@ jobs:
 uses: docker/setup-buildx-action@v3
 - name: Log into registry ${{ env.REGISTRY }}
- if: github.event_name != 'pull_request'
 uses: docker/login-action@v3.3.0
 with:
 registry: ${{ env.REGISTRY }}
diff --git a/.github/workflows/reprotest.yml b/.github/workflows/reprotest.yml
index e56df212..194ad3ca 100644
--- a/.github/workflows/reprotest.yml
+++ b/.github/workflows/reprotest.yml
@@ -2,7 +2,7 @@ name: Reproducibility test
 permissions:
 contents: read
-on: [workflow_dispatch]
+on: workflow_dispatch
 jobs:
 reprotest:
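Review bot: The new `Build Docker image without pushing` step copies the push step's `with:` block only up to `cache-from`; the push step has further options below this hunk (at least `provenance: false`, visible as context in the next hunk), so pull-request builds no longer run with the same buildx configuration as release builds, and two hand-maintained copies will drift. Either go back to one step with `push: ${{ github.event_name != 'pull_request' }}` and gate only the digest steps, or carry over the full option set and mark the copy with `# keep in sync with "Build and push Docker image" below`. The lines between the two hunks are not visible here, so confirm which keys are actually missing.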
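Review bot: `id-token: write` and `attestations: write` are granted to this job earlier in the patch, but nothing in the diff consumes them: `provenance: false` stays on the push step and no attestation step (for example `actions/attest-build-provenance`) is added. Unused write scopes are a least-privilege regression, and `id-token: write` in particular lets any step in the job, including third-party actions, mint OIDC tokens on the repository's behalf. Either add the attestation step these permissions are for in the same change, with a comment such as `# id-token/attestations: required by attest-build-provenance below`, or drop the two permission lines until it exists. The `steps:` list of this job continues outside the hunk.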
@@ -29,4 +29,5 @@ jobs:
 - name: Reprotest
 run: |
- sudo env "PATH=$PATH" reprotest -vv --vary=environment,build_path,kernel,aslr,num_cpus --build-command 'just npm ci; just npm run build; cargo build --all-features --release' . target/release/warpgate
+ sudo ulimit -n 999999
+ sudo env "PATH=$PATH" reprotest -vv --min-cpus=99999 --vary=environment,build_path,kernel,aslr,num_cpus,-time,-user_group,fileordering,domain_host,home,locales,exec_path,timezone,umask --build-command 'just npm ci; just npm run build; SOURCE_DATE_EPOCH=0 cargo build --all-features --release' . target/release/warpgate
diff --git a/docker/Dockerfile b/docker/Dockerfile
index f8f6fdb4..757c9502 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -11,6 +11,7 @@ RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
 COPY . /opt/warpgate
+ENV SOURCE_DATE_EPOCH 0 # for rust-embed determinism
 RUN cd /opt/warpgate \
 && just npm ci \
 && just openapi \
diff --git a/rust-toolchain b/rust-toolchain
index bd0f9e6c..09a243d7 100644
--- a/rust-toolchain
+++ b/rust-toolchain
@@ -1 +1 @@
-1.84.0
+nightly-2025-01-01
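Review bot: `sudo ulimit -n 999999` cannot do what it intends: `ulimit` is a shell builtin, not an executable, so `sudo` reports command-not-found, and because GitHub runs `run:` blocks under `bash -e` the step aborts before `reprotest` ever starts; even if it succeeded, the limit would apply to that child process only, not to the shell that launches the next line. Raise the limit of the running shell instead, so the reprotest command inherits it: replace the first added line with `sudo prlimit --pid $$ --nofile=999999:999999` and leave the second line as is. The surrounding job definition is outside the hunk.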
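Review bot: In the legacy whitespace form `ENV key value`, Docker takes everything after the first space as the value and does not treat a mid-line `#` as a comment, so this line sets `SOURCE_DATE_EPOCH` to `0 # for rust-embed determinism` rather than `0`; a consumer that parses it as an integer will reject or silently ignore it, defeating the reproducibility goal. Put the comment on its own line and use the `key=value` form: `# for rust-embed determinism` followed by `ENV SOURCE_DATE_EPOCH=0`. The `RUN` that follows is a multi-line instruction continuing past the hunk.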