
chore(reproducibility): add buildid= and trimpath

Open developer-guy opened this issue 2 years ago • 14 comments

Signed-off-by: Batuhan Apaydın [email protected]

developer-guy avatar Feb 24 '22 07:02 developer-guy

For reference about what this is doing:

  • https://stackoverflow.com/questions/63831540/removing-module-path-in-trace-in-go
  • https://github.com/golang/go/issues/34186
  • https://github.com/golang/go/issues/33772#issuecomment-528176001

wagoodman avatar Feb 24 '22 14:02 wagoodman
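What the two flags in the PR title change, as an added example that is not part of the pull request or grype's build scripts: the program below builds one constructed module from two different temporary directories and compares the binaries' SHA-256 hashes, once as a plain build and once with `-trimpath` and `-ldflags=-buildid=`. It assumes a `go` toolchain on `PATH`; the module path `example.test/repro` and the helper names are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

var files = map[string]string{ // constructed sample module, hypothetical path
	"go.mod":  "module example.test/repro\n",
	"main.go": "package main\n\nfunc main() { println(\"hello\") }\n",
}

// buildHash builds the module in a fresh temp dir and returns the binary's SHA-256.
func buildHash(flags ...string) (string, error) {
	dir, err := os.MkdirTemp("", "repro-")
	if err != nil {
		return "", err
	}
	defer os.RemoveAll(dir)
	for name, body := range files {
		if err := os.WriteFile(filepath.Join(dir, name), []byte(body), 0o644); err != nil {
			return "", err
		}
	}
	cmd := exec.Command("go", append([]string{"build", "-o", "app"}, flags...)...)
	cmd.Dir = dir
	cmd.Env = append(os.Environ(), "CGO_ENABLED=0", "GOFLAGS=", "GOWORK=off") // pin env
	if out, err := cmd.CombinedOutput(); err != nil {
		return "", fmt.Errorf("go build: %v: %s", err, out)
	}
	bin, err := os.ReadFile(filepath.Join(dir, "app"))
	return fmt.Sprintf("%x", sha256.Sum256(bin)), err
}

func sameAcrossDirs(flags ...string) (bool, error) { // two temp dirs, same flags
	a, err := buildHash(flags...)
	if err != nil {
		return false, err
	}
	b, err := buildHash(flags...)
	return err == nil && a == b, err
}

func main() {
	fmt.Println(sameAcrossDirs())                                  // plain build
	fmt.Println(sameAcrossDirs("-trimpath", "-ldflags=-buildid=")) // flags from the PR title
}
```

The plain build embeds the absolute source directory in the binary, so the two hashes differ; with the flags the recorded path is the module path and the hashes match.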

@developer-guy out of curiosity, why the change to explicitly specify GOPATH in the workflow files?

wagoodman avatar Feb 24 '22 14:02 wagoodman

I saw it from the documentation: https://goreleaser.com/customization/build/

developer-guy avatar Feb 24 '22 14:02 developer-guy

I see the reason for trimpath, but what I'm referring to is:

  • https://github.com/anchore/grype/pull/642/files#diff-e426ed45842837026e10e66af23d9c7077e89eacbe6958ce7cb991130ad05adaR143
  • https://github.com/anchore/grype/pull/642/files#diff-f3c08cd4e56926b1732a8183a4eb36057b86d9503161db0021350279b18144a7R184

Where there was a change to explicitly set GOPATH: /home/runner/go. I'm confused as to why this is needed --can you elaborate?

wagoodman avatar Feb 24 '22 14:02 wagoodman

> I see the reason for trimpath, but what I'm referring to is:
>
> Where there was a change to explicitly set GOPATH: /home/runner/go. I'm confused as to why this is needed --can you elaborate?

to be able to use it in .goreleaser.yml via .Env, I think

developer-guy avatar Feb 24 '22 15:02 developer-guy

> I see the reason for trimpath, but what I'm referring to is:
>
> Where there was a change to explicitly set GOPATH: /home/runner/go. I'm confused as to why this is needed --can you elaborate?

I've replaced with ${{ env.GOPATH }} this one.

developer-guy avatar Feb 24 '22 15:02 developer-guy

https://github.com/hashicorp/vault-csi-provider/pull/143

developer-guy avatar Feb 24 '22 15:02 developer-guy

> I've replaced with ${{ env.GOPATH }} this one.

Right, but doesn't this do nothing?

        env:
           GOPATH: ${{ env.GOPATH }}

... since this is setting an environment variable based off of the current environment variable value of the same name? Are these 'GOPATH' changes necessary?

wagoodman avatar Feb 24 '22 16:02 wagoodman

I reverted GOPATH changes, let's see what will happen 😮

developer-guy avatar Feb 24 '22 16:02 developer-guy

   ⨯ release failed after 96.69s error=failed to build for linux_amd64: exit status 2: # github.com/anchore/grype
open main: no such file or directory

@wagoodman :(

developer-guy avatar Feb 24 '22 16:02 developer-guy

I think we should get build date via https://reproducible-builds.org/docs/source-date-epoch/

developer-guy avatar Feb 25 '22 05:02 developer-guy

seems everything is fine @wagoodman, thanks a ton 🙋🏻‍♂️

developer-guy avatar Feb 25 '22 08:02 developer-guy

Clarifying question: why not use the built in goreleaser {{.CommitDate}} variable? Is there a functional difference between that and the makefile updates you made?

I can't seem to parse the specific behavior of the set of date commands, and if the purpose of SOURCE_DATE_EPOCH is to provide a timestamp that is relative to the source change, then the goreleaser CommitDate seems like a much easier option.

wagoodman avatar Mar 07 '22 14:03 wagoodman

@developer-guy friendly nudge on https://github.com/anchore/grype/pull/642#issuecomment-1060717671 (also 1:1 with https://github.com/anchore/syft/pull/847)

wagoodman avatar Apr 01 '22 16:04 wagoodman

I'm going to close this as stale, but please reach out on a new issue if you wanted to chat further about this.

wagoodman avatar Jan 11 '23 19:01 wagoodman