From a92dd784fe91e631d3d0a4da812daf84c18844f5 Mon Sep 17 00:00:00 2001
From: Hadrien Patte
Date: Sat, 24 Aug 2024 20:43:34 +0200
Subject: [PATCH] Make image builds reproducible
---
 .github/scripts/build-image.sh | 11 +++++++++--
 images/prowlarr/latest.sh | 4 ----
 images/prowlarr/metadata.json | 3 +++
 images/qbittorrent/latest.sh | 4 ----
 images/qbittorrent/metadata.json | 3 +++
 images/radarr/latest.sh | 4 ----
 images/radarr/metadata.json | 3 +++
 images/sonarr/latest.sh | 4 ----
 images/sonarr/metadata.json | 3 +++
 9 files changed, 21 insertions(+), 18 deletions(-)
 delete mode 100755 images/prowlarr/latest.sh
 create mode 100644 images/prowlarr/metadata.json
 delete mode 100755 images/qbittorrent/latest.sh
 create mode 100644 images/qbittorrent/metadata.json
 delete mode 100755 images/radarr/latest.sh
 create mode 100644 images/radarr/metadata.json
 delete mode 100755 images/sonarr/latest.sh
 create mode 100644 images/sonarr/metadata.json
diff --git a/.github/scripts/build-image.sh b/.github/scripts/build-image.sh
index 24521a1..3d97596 100755
--- a/.github/scripts/build-image.sh
+++ b/.github/scripts/build-image.sh
@@ -8,27 +8,34 @@ echo "Building $IMAGE"
 DEFAULT_GOLANG_VERSION="1.21"
 DEFAULT_CHISEL_VERSION="v0.10.0"
-RELEASE=$(./images/${IMAGE}/latest.sh)
+REPOSITORY=$(jq -r '.repository' ./images/${IMAGE}/metadata.json)
+RELEASE_METADATA=$(curl -s "https://api.github.com/repos/${REPOSITORY}/releases/latest")
+SOURCE_DATE_EPOCH=$(date +%s -d $(echo ${RELEASE_METADATA} | jq -r '.created_at'))
+RELEASE=$(echo ${RELEASE_METADATA} | jq -r '.tag_name')
 VERSION=${RELEASE%%_*}
 VERSION=${VERSION#release-}
 VERSION=${VERSION#v}
+echo "Version $VERSION"
 if [[ -z $VERSION ]]; then
 echo "Failed to retrieve latest version for $IMAGE"
 else
 docker buildx build \
- --push \
 --platform linux/amd64,linux/arm64 \
+ --provenance=false \
 --tag ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/${IMAGE}:${VERSION} \
 --tag ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/${IMAGE}:latest \
 --build-arg RELEASE=${RELEASE} \
 --build-arg VERSION=${VERSION} \
 --build-arg GOLANG_VERSION=${DEFAULT_GOLANG_VERSION} \
 --build-arg CHISEL_VERSION=${DEFAULT_CHISEL_VERSION} \
+ --build-arg SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH} \
 --label "org.opencontainers.image.authors=${GITHUB_REPOSITORY_OWNER}" \
 --label "org.opencontainers.image.source=${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}" \
 --label "org.opencontainers.image.version=${VERSION}" \
 --label "org.opencontainers.image.vendor=${GITHUB_REPOSITORY_OWNER}" \
 --label "org.opencontainers.image.title=${IMAGE}" \
+ --output type=registry,name=ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/${IMAGE}:${VERSION},rewrite-timestamp=true \
+ --output type=registry,name=ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/${IMAGE}:latest,rewrite-timestamp=true \
 - < images/${IMAGE}/Dockerfile
 fi
diff --git a/images/prowlarr/latest.sh b/images/prowlarr/latest.sh
deleted file mode 100755
index 68a502b..0000000
--- a/images/prowlarr/latest.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-curl -s "https://api.github.com/repos/Prowlarr/Prowlarr/releases/latest" | jq -r '.tag_name'
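Review bot: The release JSON fetched into `RELEASE_METADATA` is upstream-controlled, yet the `SOURCE_DATE_EPOCH=` and `RELEASE=` lines expand it unquoted via `echo ${RELEASE_METADATA} | jq ...`, so the shell word-splits and glob-expands the response (including any `*` in the release notes) before jq parses it. `curl -s` also does not fail on an HTTP error such as a rate-limit reply; `jq -r` then prints the string `null`, which passes the `[[ -z $VERSION ]]` guard. Unless the script aborts at the failing `date -d` first, this builds and pushes an image tagged `null`. I would fetch with `curl -fsS` and read the fields with `jq -er '.tag_name' <<<"${RELEASE_METADATA}"` (likewise `.created_at`, with the `date -d` argument quoted), so a missing field stops the build. Separately, `--provenance=false` removes the build attestation from the pushed image, so a comment such as `# provenance disabled so the image digest is stable across rebuilds` would record that this is a deliberate trade-off. The top of build-image.sh lies outside the hunk, so whether `set -e` is in effect is an assumption.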
diff --git a/images/prowlarr/metadata.json b/images/prowlarr/metadata.json
new file mode 100644
index 0000000..940ad8e
--- /dev/null
+++ b/images/prowlarr/metadata.json
@@ -0,0 +1,3 @@
+{
+ "repository": "Prowlarr/Prowlarr"
+}
diff --git a/images/qbittorrent/latest.sh b/images/qbittorrent/latest.sh
deleted file mode 100755
index acc907b..0000000
--- a/images/qbittorrent/latest.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-curl -s "https://api.github.com/repos/userdocs/qbittorrent-nox-static/releases/latest" | jq -r '.tag_name'
diff --git a/images/qbittorrent/metadata.json b/images/qbittorrent/metadata.json
new file mode 100644
index 0000000..cd983b9
--- /dev/null
+++ b/images/qbittorrent/metadata.json
@@ -0,0 +1,3 @@
+{
+ "repository": "userdocs/qbittorrent-nox-static"
+}
diff --git a/images/radarr/latest.sh b/images/radarr/latest.sh
deleted file mode 100755
index 879afe3..0000000
--- a/images/radarr/latest.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-curl -s "https://api.github.com/repos/Radarr/Radarr/releases/latest" | jq -r '.tag_name'
diff --git a/images/radarr/metadata.json b/images/radarr/metadata.json
new file mode 100644
index 0000000..0d5e8e1
--- /dev/null
+++ b/images/radarr/metadata.json
@@ -0,0 +1,3 @@
+{
+ "repository": "Radarr/Radarr"
+}
diff --git a/images/sonarr/latest.sh b/images/sonarr/latest.sh
deleted file mode 100755
index f719abd..0000000
--- a/images/sonarr/latest.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-curl -s "https://api.github.com/repos/Sonarr/Sonarr/releases/latest" | jq -r '.tag_name'
diff --git a/images/sonarr/metadata.json b/images/sonarr/metadata.json
new file mode 100644
index 0000000..bd64367
--- /dev/null
+++ b/images/sonarr/metadata.json
@@ -0,0 +1,3 @@
+{
+ "repository": "Sonarr/Sonarr"
+}