deterministic SHA for releases

[macfarla]

As a release manager, I want the SHA for the release artifacts to be deterministic (based on github commit), so that if we have to re-run a workflow using the same commit as input, the artifacts that result are verifiably identical.

Current hypothesis is that timestamp is also baked in and that's why the sha produced is not deterministic

[shemnon]

You will want these two options set in lots of places

• preserveFileTimestamps = false
• reproducibleFileOrder = true

It appears Gradle took away dirMode and fileMode settings, hopefully it's because they made it consistent. This old and incompatible plugin may have other useful insights - https://github.com/Johni0702/gradle-reproducible-builds-plugin?tab=readme-ov-file

[macfarla]

also maybe some context in #5785