Check build reproducibility across languages

[sophiewigmore]

Context

Recently, a user found that in some instances, multiple builds on the same source code produce images with different digests (see this thread). The user expected that the build would've produced the same image. This issue appears to have cropped up without our knowledge since we did not have language-family level tests for reproducibility. This latest occurrence may be related to the SBOM work we recently added.

Issue

We should perform an investigation across all of our language family buildpacks to determine the status of build reproducibility. For any buildpacks that do not produce reproducible images, we should file an issue to flag that and (hopefully) resolve it down the line. The issues file should include an outcome about adding a test at the language-test level.
Buildpacks to investigate:

• .NET Core Assert that builds are reproducible paketo-buildpacks/dotnet-core#756
• Go Assert that builds are reproducible paketo-buildpacks/go#645
• NodeJS Assert that builds are reproducible paketo-buildpacks/nodejs#631
• PHP Assert that builds are reproducible paketo-buildpacks/php#568
• Python Investigate that builds are reproducible paketo-buildpacks/python#507
• Ruby Assert that builds are reproducible paketo-buildpacks/ruby#811
• Web Servers
• Java Native Image (cc @dmikusa-pivotal)
• Java (cc @dmikusa-pivotal)

[c0d1ngm0nk3y]

We tried this with a simple NodeJS based application and were able to reproduce the IMAGE_ID two weeks later, with the following information:

• version of the application (package-lock.json used)
• pack version
• builder version
• run image version

[sophiewigmore]

cc @paketo-buildpacks/nodejs-maintainers