Make image builds reproducible

HadrienPatte · Aug 25, 2024 · a92dd78 · a92dd78
1 parent 9aada81
commit a92dd78
Show file tree

Hide file tree

Showing 9 changed files with 21 additions and 18 deletions.
diff --git a/.github/scripts/build-image.sh b/.github/scripts/build-image.sh
@@ -8,27 +8,34 @@ echo "Building $IMAGE"
 DEFAULT_GOLANG_VERSION="1.21"
 DEFAULT_CHISEL_VERSION="v0.10.0"
 
-RELEASE=$(./images/${IMAGE}/latest.sh)
+REPOSITORY=$(jq -r '.repository' ./images/${IMAGE}/metadata.json)
+RELEASE_METADATA=$(curl -s "https://api.github.com/repos/${REPOSITORY}/releases/latest")
+SOURCE_DATE_EPOCH=$(date +%s -d $(echo ${RELEASE_METADATA} | jq -r '.created_at'))
+RELEASE=$(echo ${RELEASE_METADATA} | jq -r '.tag_name')
 VERSION=${RELEASE%%_*}
 VERSION=${VERSION#release-}
 VERSION=${VERSION#v}
 
+echo "Version $VERSION"
 if [[ -z $VERSION ]]; then
     echo "Failed to retrieve latest version for $IMAGE"
 else
     docker buildx build \
-        --push \
         --platform linux/amd64,linux/arm64 \
+        --provenance=false \
         --tag ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/${IMAGE}:${VERSION} \
         --tag ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/${IMAGE}:latest \
         --build-arg RELEASE=${RELEASE} \
         --build-arg VERSION=${VERSION} \
         --build-arg GOLANG_VERSION=${DEFAULT_GOLANG_VERSION} \
         --build-arg CHISEL_VERSION=${DEFAULT_CHISEL_VERSION} \
+        --build-arg SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH} \
         --label "org.opencontainers.image.authors=${GITHUB_REPOSITORY_OWNER}" \
         --label "org.opencontainers.image.source=${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}" \
         --label "org.opencontainers.image.version=${VERSION}" \
         --label "org.opencontainers.image.vendor=${GITHUB_REPOSITORY_OWNER}" \
         --label "org.opencontainers.image.title=${IMAGE}" \
+        --output type=registry,name=ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/${IMAGE}:${VERSION},rewrite-timestamp=true \
+        --output type=registry,name=ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/${IMAGE}:latest,rewrite-timestamp=true \
         - < images/${IMAGE}/Dockerfile
 fi
diff --git a/images/prowlarr/latest.sh b/images/prowlarr/latest.sh
diff --git a/images/prowlarr/metadata.json b/images/prowlarr/metadata.json
@@ -0,0 +1,3 @@
+{
+  "repository": "Prowlarr/Prowlarr"
+}
diff --git a/images/qbittorrent/latest.sh b/images/qbittorrent/latest.sh
diff --git a/images/qbittorrent/metadata.json b/images/qbittorrent/metadata.json
@@ -0,0 +1,3 @@
+{
+  "repository": "userdocs/qbittorrent-nox-static"
+}
diff --git a/images/radarr/latest.sh b/images/radarr/latest.sh
diff --git a/images/radarr/metadata.json b/images/radarr/metadata.json
@@ -0,0 +1,3 @@
+{
+  "repository": "Radarr/Radarr"
+}
diff --git a/images/sonarr/latest.sh b/images/sonarr/latest.sh
diff --git a/images/sonarr/metadata.json b/images/sonarr/metadata.json
@@ -0,0 +1,3 @@
+{
+  "repository": "Sonarr/Sonarr"
+}