chore: reproducible builds

* use bldr with support for SOURCE_DATE_EPOCH * use latest tools v1.0.0 + golang 1.17.8 * publish `base` image to be re-used in extras and extensions Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
siderolabs · Mar 4, 2022 · 5f97726 · 5f97726
1 parent 325439e
commit 5f97726
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 7 deletions.
diff --git a/Makefile b/Makefile
@@ -4,6 +4,7 @@ SHA ?= $(shell git describe --match=none --always --abbrev=8 --dirty)
 TAG ?= $(shell git describe --tag --always --dirty)
 BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD)
 REGISTRY_AND_USERNAME := $(REGISTRY)/$(USERNAME)
+SOURCE_DATE_EPOCH ?= $(shell git log -1 --pretty=%ct)
 
 BUILD := docker buildx build
 PLATFORM ?= linux/amd64,linux/arm64
@@ -14,12 +15,14 @@ COMMON_ARGS += --progress=$(PROGRESS)
 COMMON_ARGS += --platform=$(PLATFORM)
 COMMON_ARGS += --build-arg=http_proxy=$(http_proxy)
 COMMON_ARGS += --build-arg=https_proxy=$(https_proxy)
+COMMON_ARGS += --build-arg=SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH)
 
 , := ,
 empty :=
 space = $(empty) $(empty)
 
 TARGETS = \
+	base \
 	ca-certificates \
 	cni \
 	containerd \

diff --git a/Pkgfile b/Pkgfile
@@ -1,9 +1,9 @@
-# syntax = ghcr.io/talos-systems/bldr:v0.2.0-alpha.6-frontend
+# syntax = ghcr.io/talos-systems/bldr:v0.2.0-alpha.7-frontend
 
 format: v1alpha2
 
 vars:
-  TOOLS_IMAGE: ghcr.io/talos-systems/tools:v0.10.0-alpha.0-5-g8197edb
+  TOOLS_IMAGE: ghcr.io/talos-systems/tools:v1.0.0-1-g4c77d96
 
 labels:
   org.opencontainers.image.source: https://github.com/talos-systems/pkgs
diff --git a/base/pkg.yaml b/base/pkg.yaml
@@ -4,7 +4,6 @@ shell: /toolchain/bin/bash
 dependencies:
   - image: "{{ .TOOLS_IMAGE }}"
   - stage: musl
-    runtime: yes
 steps:
   - prepare:
       - |

diff --git a/openssl/pkg.yaml b/openssl/pkg.yaml
@@ -9,6 +9,8 @@ steps:
         destination: openssl.tar.gz
         sha256: f89199be8b23ca45fc7cb9f1d8d3ee67312318286ad030f5316aca6462db6c96
         sha512: ba0ef99b321546c13385966e4a607734df38b96f6ed45c4c67063a5f8d1482986855279797a6920d9f86c2ec31ce3e104dcc62c37328caacdd78aec59aa66156
+    env:
+      SOURCE_DATE_EPOCH: "1"
     prepare:
       - |
         mkdir openssl
@@ -41,7 +43,7 @@ steps:
     install:
       - |
         cd openssl
-        make DESTDIR=/rootfs install 
+        make DESTDIR=/rootfs install
         rm -rf /rootfs/usr/share
 finalize:
   - from: /rootfs

diff --git a/u-boot/pkg.yaml b/u-boot/pkg.yaml
@@ -24,10 +24,10 @@ steps:
         destination: u-boot.tar.bz2
         sha256: 81b4543227db228c03f8a1bf5ddbc813b0bb8f6555ce46064ef721a6fc680413
         sha512: d83c62bd8f0f51664d2aca329a3ce1379cfd1dfff439dccd6cfc2cb33cfef89a2b01855c97716f591b5550bfdf99e2f3aef7efa33f2e7834c820648f9eef3825
-      - url: https://nv-tegra.nvidia.com/r/gitweb?p=3rdparty/u-boot.git;a=snapshot;h=refs/tags/tegra-l4t-r32.6.1;sf=tgz
+      - url: https://github.com/OE4T/u-boot-tegra/archive/refs/tags/tegra-l4t-r32.6.1.tar.gz
         destination: u-boot-tegra.tar.gz
-        sha256: 99d20c4e461f8c4f95ad9ac0e994d2fce073aadb1ba380b973cc33fe7e326059
-        sha512: 49c9e65d24afac705a69c8c792bfe39cf387c7a4e7ecbca20d90c1badad0544d4d95a220d566ed4255ae294119feea157c3809c28c1ca64c7a650b0a4f3b9fc8
+        sha256: c8737dc20d29586c2c3e6b0232d8c807b3220a22d3f63094c49691b1919636f7
+        sha512: 71e96bb84e8265355735d2e43296ba872de9d641dad92ea6e0a3ec4af2ba283243c3a9fa6bdbb9f028d57e5fb878b356b467ae1fd9a477062efecdb368d1d471
     env:
       SUN50I_A64_ARM_TRUSTED_FIRMWARE: sun50i_a64_arm-trusted-firmware
       RPI_4_A64_ARM_TRUSTED_FIRMWARE: rpi_4_a64_arm-trusted-firmware