-
-
Notifications
You must be signed in to change notification settings - Fork 911
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add SOURCE_DATE_EPOCH support for templates #2510
Conversation
@shibumi is attempting to deploy a commit to the goreleaser Team on Vercel. A member of the Team first needs to authorize it. |
0a8275d
to
3bb2f87
Compare
hmm, that's not really needed I think... you can set for example, in this config I use the commit timestamp as date the date for everything: https://github.com/caarlos0/goreleaserfiles/blob/main/build.yml |
Right now I set the following in my goreleaser config: project_name: in-toto
builds:
- ldflags:
- "-s -w"
- "-extldflags=-zrelro"
- "-extldflags=-znow"
- "-X main.tag={{.Version}}"
- "-X main.commit={{.FullCommit}}"
- "-X main.date={{.Date}}"
env:
- "CGO_ENABLED=0"
- "GO111MODULE=on"
- "GOFLAGS=-mod=readonly -trimpath" Setting the commit date should work and it would still be reproducible, however what if someone wants to explicitly set Date? How does In my opinion it would be easier for downstream (Linux distributions packaging their packages) if goreleaser would respect SOURCE_DATE_EPOCH without any further goreleaser config patches, because otherwise downstream would be forced to patch every goreleaser config in the wild just for getting reliable reproducibility. I am not an expert in this area. @kpcyrd can you give us some hints? |
builds.mod_timestamp sets the modified timestamp on the output binary https://goreleaser.com/customization/build/ I'm not sure about adding this feature though... how deep do we need to integrate it? Is it only for binaries or also packages, checksums, etc etc etc? full disclosure: I didn't know https://reproducible-builds.org until now, please forgive me if its a dumb question hehe |
Using {{ .CommitDate }} should definitely work, but what about builds via tarballs? Will the CommitDate just be empty? If so, we can maybe close this PR and I will just use CommitDate for future builds. This should work. |
not sure I understand your question, but goreleaser only works against a git repository... so that seems not be an issue 🤔 |
We will just stick with .CommitDate. This is actually exactly what I am looking for. Closing this. |
neat, let me know if you need anything :) |
This commit is going to add support for the SOURCE_DATE_EPOCH variable. This is important for reproducible builds.
During reproducible builds the build environment has to respect the standardized SOURCE_DATE_EPOCH variable for injecting a fake date
This change is being made for allowing goreleaser to build artifacts reproducible.
Relevant resources for this can be found here: https://reproducible-builds.org/docs/source-date-epoch/
EDIT: I am very confident that this is the wrong position for the code right now. It might make more sense to check the env variable when wrapping the additional context, right?