Skip to content

Reproducible artifact hashes for base builder images #766

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 18, 2025
Merged

Reproducible artifact hashes for base builder images #766

merged 1 commit into from
Aug 18, 2025

Conversation

@chowder
Copy link
Contributor

@chowder chowder commented Aug 16, 2025
edited
Loading

I was looking at the build pipeline for the distributions, and was surprised to find the builder image artifacts having different SHA256 hashes across runs.

e.g. compare the output of the "Upload Docker Image" step of two jobs:

https://github.com/chowder/python-build-standalone/actions/runs/17012490960/job/48230404008
https://github.com/chowder/python-build-standalone/actions/runs/17012490960/job/48230532790

For the same image:

SHA256 digest of uploaded artifact zip is d47e11cc1c0e648bed6ec64a3613fa166c317981d252085c241c05745604973b
Finalizing artifact upload
Artifact image-build-linux_x86_64.zip successfully finalized. Artifact ID 3780654566
Artifact image-build-linux_x86_64 has been successfully uploaded! Final size is 80890477 bytes. Artifact ID is 3780654566

SHA256 digest of uploaded artifact zip is 3341d64b1d7efb680db3e4d62ae3dab9bf24e22e384f585aaf3a5b551aee5e7b
Finalizing artifact upload
Artifact image-build-linux_x86_64.zip successfully finalized. Artifact ID 3780667100
Artifact image-build-linux_x86_64 has been successfully uploaded! Final size is 80890477 bytes. Artifact ID is 3780667100

Turns out this is because the upload-artifact step applies a layer of compression to the specified files, but doesn't reset/zero out the mtime, thus making these artifacts non-reproducible.

Given that the docker images are already compressed in a prior step:

      - name: Compress Image
        run: |
          echo ${STEPS_BUILD_IMAGE_OUTPUTS_IMAGEID} > build/image-${MATRIX_NAME}.linux_${MATRIX_ARCH}
          zstd -v -T0 -6 --rm build/image-*.tar

We can skip the compression in the upload-artifact step, and get reproducible artifacts each time.

Test Evidence

See these two runs that include the proposed changes:

https://github.com/chowder/python-build-standalone/actions/runs/17012517183/job/48230459046
https://github.com/chowder/python-build-standalone/actions/runs/17012517183/job/48230772691

Both generate the same digest:

Finished uploading artifact content to blob storage!
SHA256 digest of uploaded artifact zip is c73f01690d74c103f92bd8113ff158e8b8d2d4de19dca96d36b3d6fbc688fe16
Finalizing artifact upload
Artifact image-build-linux_x86_64.zip successfully finalized. Artifact ID 3780661038
Artifact image-build-linux_x86_64 has been successfully uploaded! Final size is 81208314 bytes. Artifact ID is 3780661038

SHA256 digest of uploaded artifact zip is c73f01690d74c103f92bd8113ff158e8b8d2d4de19dca96d36b3d6fbc688fe16
Finalizing artifact upload
Artifact image-build-linux_x86_64.zip successfully finalized. Artifact ID 3780693018
Artifact image-build-linux_x86_64 has been successfully uploaded! Final size is 81208314 bytes. Artifact ID is 3780693018

@chowder chowder closed this Aug 16, 2025
@chowder chowder reopened this Aug 16, 2025
@zanieb zanieb merged commit 947a810 into astral-sh:main Aug 18, 2025
432 of 439 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zanieb zanieb zanieb approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@chowder @zanieb