
Add reproducible build infrastructure #132

Merged
kwsantiago merged 2 commits into main from reproducible-build on Jan 16, 2026

Conversation

@wksantiago (Contributor) commented Jan 15, 2026

  • Add Dockerfile for deterministic builds with pinned Rust 1.85.0
  • Add CI job to verify reproducibility (build twice, compare hashes)
  • Add justfile with build and verification commands
  • Add rust-toolchain.toml for consistent local development

Summary by CodeRabbit

  • New Features

    • Reproducible build support with CI verification to ensure identical build outputs.
  • Documentation

    • Added a reproducibility guide detailing build and verification procedures.
  • Chores

    • Added tooling and local tasks for deterministic builds and verification.
    • Updated VCS ignore rules to exclude build output directories.
  • Bug Fixes

    • Minor fix to file-unlock behavior to improve reliability.


coderabbitai bot commented Jan 15, 2026

Walkthrough

Adds reproducible-build tooling: a multi-stage Dockerfile and Just tasks to produce deterministic artifacts, CI job that builds twice and compares artifact hashes, rust-toolchain pinning, .gitignore entries for outputs, docs for reproducibility, and a single minor FileExt API call change.

Changes

| Cohort / File(s) | Summary |
|---|---|
| CI workflow: .github/workflows/ci.yml | Adds a reproducible job that runs two Docker builds using Dockerfile.reproducible, computes sha256 of the produced keep artifacts, and fails if the hashes differ. |
| Reproducible build image: Dockerfile.reproducible | New multi-stage Dockerfile that builds the Rust workspace with a pinned toolchain, sets SOURCE_DATE_EPOCH and RUSTFLAGS, and outputs release artifacts to /out. |
| Local build tasks: justfile | New Just tasks: build-reproducible, build-reproducible-hash, verify-reproducible, verify-sha, plus clean, fmt, clippy, and test to support reproducible workflows and hash checks. |
| Toolchain config: rust-toolchain.toml | Pins the Rust toolchain to 1.85.0 and enables the rustfmt and clippy components. |
| Documentation: docs/REPRODUCIBILITY.md | New guide describing reproducible build requirements, Docker/Just commands, verification steps, and deterministic build settings. |
| Git ignore: .gitignore | Adds dist/ and dist-verify/ to the ignored paths. |
| Minor code change: keep-cli/src/signer/nonce_store.rs | Replaces file.unlock() with FileExt::unlock(&file), preserving error context; no behavior change. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
    actor Developer
    participant GHCI as GitHub CI
    participant Docker as Docker Builder
    participant Verifier as Hash Verifier
    participant Artifact as Build Artifacts

    Developer->>GHCI: Push PR / trigger workflow
    GHCI->>Docker: Run build `#1` using Dockerfile.reproducible
    activate Docker
    Docker->>Artifact: Produce dist1/keep
    Docker-->>GHCI: Store dist1
    deactivate Docker

    GHCI->>Docker: Run build `#2` using Dockerfile.reproducible
    activate Docker
    Docker->>Artifact: Produce dist2/keep
    Docker-->>GHCI: Store dist2
    deactivate Docker

    GHCI->>Verifier: Compute sha256(dist1/keep) and sha256(dist2/keep)
    Verifier-->>GHCI: Return hashes
    alt hashes equal
        GHCI->>Developer: Pass job (reproducible)
    else hashes differ
        GHCI->>Developer: Fail job (non-reproducible)
    end
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I built two piles with timestamps set,
I hashed them twice to be certain yet.
Docker hummed softly, the bytes did agree—
Two identical carrots for tech and me. 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00%, which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the primary purpose of the changeset—adding reproducible build infrastructure through multiple new files and configurations. |


@wksantiago wksantiago requested a review from kwsantiago January 15, 2026 20:46
@wksantiago wksantiago self-assigned this Jan 15, 2026
@wksantiago wksantiago linked an issue Jan 15, 2026 that may be closed by this pull request
@wksantiago (Contributor, Author) commented:

@coderabbitai review

coderabbitai bot commented Jan 15, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/ci.yml:
- Around line 56-67: The reproducibility step currently runs two Docker builds
that may both use the same layer cache; change the docker build invocation(s) so
at least one build is forced to rebuild without cache (for example add the
--no-cache flag to the second docker build that produces dist2) to ensure HASH1
and HASH2 reflect an actual fresh rebuild of Dockerfile.reproducible; keep the
existing SHA comparison logic using HASH1 and HASH2 unchanged.
🧹 Nitpick comments (1)
docs/REPRODUCIBILITY.md (1)

65-67: Minor: CI also runs on schedule.

The CI workflow includes a weekly schedule trigger (cron: "0 0 * * 0"), so reproducibility checks also run on scheduled builds, not just PRs and pushes.

Suggested wording
 ## CI Verification

-Every PR and push to main runs the reproducibility check, building twice and comparing hashes.
+Every PR, push to main, and weekly scheduled build runs the reproducibility check, building twice and comparing hashes.
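Review bot: the replacement sentence hard-codes the trigger list, which will silently drift if ci.yml's triggers change; since the only reason given for the edit is the weekly `cron: "0 0 * * 0"` schedule noted above, consider phrasing it as "Every CI run (PRs, pushes to main, and the weekly scheduled build) runs the reproducibility check" so the doc describes the job's membership in the workflow rather than enumerating triggers that live in ci.yml.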
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 875d0ae and 7de3bab.

📒 Files selected for processing (7)
  • .github/workflows/ci.yml
  • .gitignore
  • Dockerfile.reproducible
  • docs/REPRODUCIBILITY.md
  • justfile
  • keep-cli/src/signer/nonce_store.rs
  • rust-toolchain.toml
🚧 Files skipped from review as they are similar to previous changes (4)
  • keep-cli/src/signer/nonce_store.rs
  • Dockerfile.reproducible
  • justfile
  • rust-toolchain.toml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: build (windows-latest)
  • GitHub Check: reproducible
  • GitHub Check: build (macos-latest)
  • GitHub Check: build (ubuntu-latest)
🔇 Additional comments (3)
.gitignore (1)

23-24: LGTM!

The new ignore patterns correctly align with the build output directories used by the reproducible build infrastructure (dist/ from just build-reproducible and dist-verify/ from just verify-reproducible).

.github/workflows/ci.yml (1)

50-55: LGTM!

The job structure and conditions are consistent with the existing build job, and the checkout action is properly pinned.

docs/REPRODUCIBILITY.md (1)

1-67: Well-structured and accurate documentation for reproducible builds.

The documentation correctly reflects the actual build configuration. Verified that the documented Rust version (1.85.0), base image (rust:1.85.0-slim-bookworm), build flags (-C strip=symbols -C codegen-units=1), and SOURCE_DATE_EPOCH setup all match the Dockerfile.reproducible implementation. The --locked flag and Cargo.lock are properly configured. Technical details section accurately describes the reproducibility mechanisms.

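The verification the walkthrough describes (two builds of Dockerfile.reproducible, sha256 of dist1/keep against dist2/keep, fail on mismatch) combined with the reviewer's point that the second build must bypass the Docker layer cache, written out as an added example. This is not the project's ci.yml or justfile; it assumes only what the PR states, namely that the image places the release binary at /out/keep. The image tags (keep-repro:1, keep-repro:2), the output directories and the function names are the example's own, and the digest comparison is split into functions so it can be exercised without Docker.

```shell
#!/bin/sh
# Added example, not the project's ci.yml or justfile: build Dockerfile.reproducible
# twice (second time with --no-cache) and compare sha256 digests of the artifact.
# Assumption taken from the PR walkthrough: the image writes the binary to /out/keep.
set -eu

# Print only the hex digest of a file; falls back to shasum where sha256sum is absent.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Compare two artifacts. Exit status 0 when the digests match, 1 otherwise;
# both digests are printed so a CI log shows exactly what diverged.
compare_artifacts() {
  h1=$(sha256_of "$1")
  h2=$(sha256_of "$2")
  echo "build 1: $h1  ($1)"
  echo "build 2: $h2  ($2)"
  [ "$h1" = "$h2" ]
}

# Build the image (tag $1), then copy /out/keep out of a throwaway container into
# directory $2. Any extra docker build flag, e.g. --no-cache, is passed as $3.
build_once() {
  mkdir -p "$2"
  # $3 is intentionally unquoted so an empty value adds no argument.
  docker build ${3:-} -f Dockerfile.reproducible -t "$1" .
  cid=$(docker create "$1")
  docker cp "$cid:/out/keep" "$2/keep"
  docker rm "$cid" >/dev/null
}

# Full check: the second build bypasses the layer cache so a match proves the
# output is reproducible from source, not merely replayed from cached layers.
verify_reproducible() {
  build_once keep-repro:1 dist1
  build_once keep-repro:2 dist2 --no-cache
  if compare_artifacts dist1/keep dist2/keep; then
    echo "reproducible: digests match"
  else
    echo "NOT reproducible: digests differ" >&2
    return 1
  fi
}

# Run the full pipeline only when invoked as `sh verify.sh run`, so the functions
# above can also be sourced and exercised on their own.
case "${1:-}" in
  run) verify_reproducible ;;
esac
```

Running `sh verify.sh run` from the repository root performs both builds and exits non-zero on a digest mismatch, which is the condition a CI job should fail on; keeping `--no-cache` on the second build is what distinguishes a genuine rebuild from a cache replay that would match trivially.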

@kwsantiago kwsantiago merged commit 42a8db8 into main Jan 16, 2026
7 checks passed
@kwsantiago kwsantiago deleted the reproducible-build branch January 16, 2026 20:25


Development

Successfully merging this pull request may close these issues.

Add reproducible build infrastructure

2 participants