fix: make build reproducible by using commit timestamp (#102)

Author: Djaytan

.github/workflows/ci.yml

@@ -12,10 +12,8 @@ on:
 permissions: {}
 
 # TODO: explore more options: https://docs.docker.com/build/ci/github-actions/
-# TODO: explore more options: https://github.com/docker/build-push-action
 # TODO: Experiment GitHub deployments
 # TODO: do we want to test multi-arch build?
-# TODO: reproductible builds? https://docs.docker.com/build/ci/github-actions/reproducible-builds/
 # TODO: SonarQube integration at both CI and Docker Scout levels?
 # TODO: Migrate from Trivy to Docker Scout
 jobs:

.github/workflows/release.yml

@@ -101,10 +101,14 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
 
+      - name: Retrieve Git commit timestamp
+        run: echo "GIT_COMMIT_TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
+
       - name: Release
         env:
           GITHUB_TOKEN: ${{ github.token }}
           ROOT_PROJECT_DIR: ${{ github.workspace }}
           REVISION: ${{ github.sha }}
+          SOURCE_DATE_EPOCH: ${{ env.GIT_COMMIT_TIMESTAMP }} # Reproducible build: https://reproducible-builds.org/docs/source-date-epoch/
         working-directory: .github/semantic-release/
         run: npx --no-install semantic-release