From 455ed380c085cd30e4e4f107e42d59d74f0e8da9 Mon Sep 17 00:00:00 2001
From: Jan Kiszka
Date: Mon, 26 Feb 2024 13:21:59 +0100
Subject: [PATCH] ci: Enable reproducible container builds

Requires to use the upcoming buildkit release 0.13.0 and a number of extra parameters to build-push-action.

Signed-off-by: Jan Kiszka
---
 .github/actions/docker-init/action.yml | 12 ++++++++++++
 .github/workflows/master.yml | 10 ++++++++--
 .github/workflows/next.yml | 20 ++++++++++++++++----
 .github/workflows/release.yml | 10 ++++++++--
 4 files changed, 44 insertions(+), 8 deletions(-)

diff --git a/.github/actions/docker-init/action.yml b/.github/actions/docker-init/action.yml
index ad0e4c41..85d1e08d 100644
--- a/.github/actions/docker-init/action.yml
+++ b/.github/actions/docker-init/action.yml
@@ -13,6 +13,8 @@ runs:
 uses: docker/setup-qemu-action@v3
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
+ with:
+ driver-opts: image=moby/buildkit:v0.13.0-rc2
 - name: Login to ghcr.io
 uses: docker/login-action@v3
 with:
@@ -43,3 +45,13 @@ runs:
 cache-source: var-lib-apt
 cache-target: /var/lib/apt
 skip-extraction: ${{ steps.cache-var-lib-apt.outputs.cache-hit }}
+ - name: Set SOURCE_DATE_EPOCH
+ run: |
+ echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
+ shell: bash
+ - name: Determine Debian tag
+ run: |
+ DEBIAN_RELEASE=$(grep -m 1 'ARG DEBIAN_TAG=' Dockerfile | sed 's/.*DEBIAN_TAG=\(.*\)-.*/\1/')
+ echo "DEBIAN_TAG=$(podman image search --list-tags debian --limit 1000000000 | \
+ grep "$DEBIAN_RELEASE-.*-slim" | sort -r | head -1 | sed 's/.*[ ]\+//')" >> $GITHUB_ENV
+ shell: bash
diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml
index 5ffc4cc5..c9d45522 100644
--- a/.github/workflows/master.yml
+++ b/.github/workflows/master.yml
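Review bot: The builder image on the added `driver-opts: image=moby/buildkit:v0.13.0-rc2` line is a mutable release-candidate tag that is pulled afresh on every CI run, so the tool producing the "reproducible" images can change underneath the claim without any diff in this repository. Pinning the reference by digest, e.g. `driver-opts: image=moby/buildkit:v0.13.0-rc2@sha256:<DIGEST-PLACEHOLDER>` with the digest taken from the registry at pin time, makes the builder part of the reviewed inputs and lets a dependency bot raise the bump. The commit message says the final 0.13.0 release is still upcoming, so a `# TODO: move to the released v0.13.0 tag once available` comment above the line would record why an rc is in use. The step list of the composite action continues on both sides of the hunk.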
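Review bot: A failed or empty lookup in the added `Determine Debian tag` step goes unnoticed, because the pipeline runs inside `$(...)` within an `echo` argument and its exit status is discarded even under the `-eo pipefail` the runner applies for an explicit `shell: bash`; a registry error from `podman image search` or a no-match from `grep` then writes `DEBIAN_TAG=` into `$GITHUB_ENV`. The workflows pass that empty value as a build-arg, and an explicitly empty build-arg overrides the Dockerfile's `ARG DEBIAN_TAG` default rather than falling back to it, so the base image would no longer be the one the repository declares (the Dockerfile is outside this diff; this is inferred from the `grep` on `ARG DEBIAN_TAG=`). Assigning the result to a variable, failing the step when it is empty and echoing the resolved tag makes the lookup auditable in the job log; the `>> $GITHUB_ENV` redirection in both added steps should also be quoted as `>> "$GITHUB_ENV"`.
```yaml
      - name: Determine Debian tag
        run: |
          DEBIAN_RELEASE=$(grep -m 1 'ARG DEBIAN_TAG=' Dockerfile | sed 's/.*DEBIAN_TAG=\(.*\)-.*/\1/')
          DEBIAN_TAG=$(podman image search --list-tags debian --limit 1000000000 | \
            grep "$DEBIAN_RELEASE-.*-slim" | sort -r | head -1 | sed 's/.*[ ]\+//')
          if [ -z "$DEBIAN_TAG" ]; then
            echo "Could not resolve a debian:${DEBIAN_RELEASE}-*-slim tag" >&2
            exit 1
          fi
          echo "Resolved DEBIAN_TAG=$DEBIAN_TAG"
          echo "DEBIAN_TAG=$DEBIAN_TAG" >> "$GITHUB_ENV"
        shell: bash
```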
@@ -34,7 +34,10 @@ jobs:
 cache-from: type=gha
 cache-to: type=gha,mode=max
 platforms: linux/amd64,linux/arm64
- push: true
+ build-args: |
+ SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
+ DEBIAN_TAG=${{ env.DEBIAN_TAG }}
+ outputs: type=registry,rewrite-timestamp=true
 tags: ghcr.io/siemens/kas/kas
 - name: Build kas-isar image
 uses: docker/build-push-action@v5
@@ -44,5 +47,8 @@ jobs:
 cache-to: type=gha,mode=max
 target: kas-isar
 platforms: linux/amd64,linux/arm64
- push: true
+ build-args: |
+ SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
+ DEBIAN_TAG=${{ env.DEBIAN_TAG }}
+ outputs: type=registry,rewrite-timestamp=true
 tags: ghcr.io/siemens/kas/kas-isar
diff --git a/.github/workflows/next.yml b/.github/workflows/next.yml
index ff5e3013..48cd2f02 100644
--- a/.github/workflows/next.yml
+++ b/.github/workflows/next.yml
@@ -78,7 +78,10 @@ jobs:
 with:
 cache-from: type=gha
 cache-to: type=gha,mode=max
- load: true
+ build-args: |
+ SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
+ DEBIAN_TAG=${{ env.DEBIAN_TAG }}
+ outputs: type=docker,rewrite-timestamp=true
 tags: ghcr.io/siemens/kas/kas:next
 - name: Test kas image
 run: |
@@ -90,15 +93,21 @@ jobs:
 cache-from: type=gha
 cache-to: type=gha,mode=max
 platforms: linux/amd64,linux/arm64
+ build-args: |
+ SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
+ DEBIAN_TAG=${{ env.DEBIAN_TAG }}
+ outputs: type=registry,rewrite-timestamp=true
 tags: ghcr.io/siemens/kas/kas:next
- push: true
 - name: Build kas-isar image
 uses: docker/build-push-action@v5
 with:
 cache-from: type=gha
 cache-to: type=gha,mode=max
 target: kas-isar
- load: true
+ build-args: |
+ SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
+ DEBIAN_TAG=${{ env.DEBIAN_TAG }}
+ outputs: type=docker,rewrite-timestamp=true
 tags: ghcr.io/siemens/kas/kas-isar:next
 - name: Test kas-isar image
 run: |
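Review bot: The `build-args` block added in the first hunk reads `env.SOURCE_DATE_EPOCH` and `env.DEBIAN_TAG`, which this workflow never sets; they are exported by the `docker-init` composite action changed in the same commit, and nothing in the hunk records that ordering dependency. If that action is not run first, or its lookup step yields an empty value, both expressions expand to empty strings and the build silently proceeds with `DEBIAN_TAG=` instead of the Dockerfile default, with nothing in the log pointing at the cause. A one-line comment above `build-args:` such as `# SOURCE_DATE_EPOCH and DEBIAN_TAG are exported by .github/actions/docker-init; keep that step first` would document it. The identical four-line block is repeated in the second hunk of this file and in every hunk of next.yml and release.yml, so moving it into the composite action or a reusable workflow would avoid keeping eight copies in sync. The `with:` block of the step begins before the hunk.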
@@ -111,5 +120,8 @@ jobs:
 cache-to: type=gha,mode=max
 target: kas-isar
 platforms: linux/amd64,linux/arm64
+ build-args: |
+ SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
+ DEBIAN_TAG=${{ env.DEBIAN_TAG }}
+ outputs: type=registry,rewrite-timestamp=true
 tags: ghcr.io/siemens/kas/kas-isar:next
- push: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 70b68b1c..1ee90019 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,7 +25,10 @@ jobs:
 cache-from: type=gha
 cache-to: type=gha,mode=max
 platforms: linux/amd64,linux/arm64
- push: true
+ build-args: |
+ SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
+ DEBIAN_TAG=${{ env.DEBIAN_TAG }}
+ outputs: type=registry,rewrite-timestamp=true
 tags: |
 ghcr.io/siemens/kas/kas
 ghcr.io/siemens/kas/kas:${{ env.RELEASE_VERSION }}
@@ -37,7 +40,10 @@ jobs:
 cache-to: type=gha,mode=max
 target: kas-isar
 platforms: linux/amd64,linux/arm64
- push: true
+ build-args: |
+ SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
+ DEBIAN_TAG=${{ env.DEBIAN_TAG }}
+ outputs: type=registry,rewrite-timestamp=true
 tags: |
 ghcr.io/siemens/kas/kas-isar
 ghcr.io/siemens/kas/kas-isar:${{ env.RELEASE_VERSION }}