Check container reproducibility with diffoci

ericcornelissen · ericcornelissen · commit 7fea392e237b · 2024-11-16T21:33:51.000+01:00
Create a Makefile target to test the reproducibility of the project container using diffoci[1]. This tool provides a way to test for reproducibility of OCI containers by virtue of being able to display the diff between two versions of a container. It also allows for omitting some uninteresting diffs such as timestamps (with the `--semantic` flag). This is an early prototype as the setup currently introduces the Go programming as a dependency and has non-optimal or missing version pinning. -- 1. https://github.com/reproducible-containers/diffoci
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -85,6 +85,20 @@ jobs:
       - name: Lint YAML
         if: ${{ failure() || success() }}
         run: make lint-yml
+  reproducible-container:
+    name: Reproducible container
+    runs-on: ubuntu-22.04
+    needs:
+      - build
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      - name: Install Go
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        with:
+          go-version: 1.23
+      - name: Check reproducibility
+        run: make reproducible-build
   test:
     name: Test with ${{ matrix.engine }}
     runs-on: ubuntu-24.04
diff --git a/Makefile b/Makefile
@@ -121,6 +121,18 @@ lint-yml: $(TOOLING) ## Lint .yml files
 		-c .yamllint.yml \
 		.
 
+.PHONY: reproducible-build
+reproducible-build: build ## Check if the container is reproducible
+	@TAG=a make build
+	@TAG=b make build
+	@go run github.com/reproducible-containers/diffoci/cmd/diffoci@v0.1.5 diff \
+		--semantic \
+		docker://$(IMAGE_NAME):a \
+		docker://$(IMAGE_NAME):b
+	@$(ENGINE) rmi --force \
+		$(IMAGE_NAME):a \
+		$(IMAGE_NAME):b
+
 .PHONY: sbom
 sbom: $(SBOM_SPDX_FILE) $(SBOM_SYFT_FILE) ## Generate a Software Bill Of Materials (SBOM)
 
@@ -132,7 +144,7 @@ test: build $(NODE_MODULES) ## Run the tests
 		--experimental-test-snapshots \
 		'tests/*.test.js'
 
-update-test-snapshots: build $(NODE_MODULES) ## Update the test snapsthos
+update-test-snapshots: build $(NODE_MODULES) ## Update the test snapshots
 	@CONTAINER_ENGINE=$(ENGINE) \
 		node --test \
 		--test-timeout=20000 \
