be46795975
This is a step towards making Forgejo's binaries (the one listed in the release tab) reproducible. In order to make the actual binary reproducible, we have to ensure that the release workflow has the correct configuration to produce such reproducible binaries. The release workflow currently uses the Dockerfile to produce binaries, as this is one of the easiest ways to do cross-compiling for Go binaries with CGO enabled (due to SQLite). In the Dockerfile, two new arguments are being given to the build command. `-trimpath` ensures that the workpath directory doesn't get included in the binary; this means that file names (such as for panics) are relative (to the workpath) and not absolute, which shouldn't impact debugging. `-buildid=` is added to the linker flag; it sets the BuildID of the Go linker to be empty; the `-buildid` hashes the input actions and output content; these vary from build to build for unknown reasons, but likely because of the involvement of temporary file names, this doesn't have any effect on the behavior of the resulting binary. The Makefile receives a new command, `reproduce-build#$VERSION` which can be used by people to produce a reproducible Forgejo binary of a particular release; it roughly does what the release workflow also does. Build the Dockerfile and extract the Forgejo binary from it. This doesn't allow to produce a reproducible version for every release, only for those that include this patch, as it needs to call the makefile of that version in order to make a reproducible binary. There's one thing left to do: the Dockerfile pins the Go version to a minor level and not to a patch level. This means that if a new Go patch version is released, that will be used instead and will result in a different binary that isn't bit to bit the same as the one that Forgejo has released.
108 lines
3.4 KiB
Docker
108 lines
3.4 KiB
Docker
FROM --platform=$BUILDPLATFORM docker.io/tonistiigi/xx AS xx
|
|
|
|
FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.22-alpine3.20 as build-env
|
|
|
|
ARG GOPROXY
|
|
ENV GOPROXY=${GOPROXY:-direct}
|
|
|
|
ARG RELEASE_VERSION
|
|
ARG TAGS="sqlite sqlite_unlock_notify"
|
|
ENV TAGS="bindata timetzdata $TAGS"
|
|
ARG CGO_EXTRA_CFLAGS
|
|
|
|
#
|
|
# Transparently cross compile for the target platform
|
|
#
|
|
COPY --from=xx / /
|
|
ARG TARGETPLATFORM
|
|
RUN apk --no-cache add clang lld
|
|
RUN xx-apk --no-cache add gcc musl-dev
|
|
ENV CGO_ENABLED=1
|
|
RUN xx-go --wrap
|
|
#
|
|
# for go generate and binfmt to find
|
|
# without it the generate phase will fail with
|
|
# #19 25.04 modules/public/public_bindata.go:8: running "go": exit status 1
|
|
# #19 25.39 aarch64-binfmt-P: Could not open '/lib/ld-musl-aarch64.so.1': No such file or directory
|
|
# why exactly is it needed? where is binfmt involved?
|
|
#
|
|
RUN cp /*-alpine-linux-musl*/lib/ld-musl-*.so.1 /lib || true
|
|
|
|
RUN apk --no-cache add build-base git nodejs npm
|
|
|
|
COPY . ${GOPATH}/src/code.gitea.io/gitea
|
|
WORKDIR ${GOPATH}/src/code.gitea.io/gitea
|
|
|
|
RUN make clean
|
|
RUN make frontend
|
|
RUN go build contrib/environment-to-ini/environment-to-ini.go && xx-verify environment-to-ini
|
|
RUN make RELEASE_VERSION=$RELEASE_VERSION GOFLAGS="-trimpath" LDFLAGS="-buildid=" go-check generate-backend static-executable && xx-verify gitea
|
|
|
|
# Copy local files
|
|
COPY docker/root /tmp/local
|
|
|
|
# Set permissions
|
|
RUN chmod 755 /tmp/local/usr/bin/entrypoint \
|
|
/tmp/local/usr/local/bin/gitea \
|
|
/tmp/local/etc/s6/gitea/* \
|
|
/tmp/local/etc/s6/openssh/* \
|
|
/tmp/local/etc/s6/.s6-svscan/* \
|
|
/go/src/code.gitea.io/gitea/gitea \
|
|
/go/src/code.gitea.io/gitea/environment-to-ini
|
|
RUN chmod 644 /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete
|
|
|
|
FROM code.forgejo.org/oci/golang:1.22-alpine3.20
|
|
ARG RELEASE_VERSION
|
|
LABEL maintainer="contact@forgejo.org" \
|
|
org.opencontainers.image.authors="Forgejo" \
|
|
org.opencontainers.image.url="https://forgejo.org" \
|
|
org.opencontainers.image.documentation="https://forgejo.org/download/#container-image" \
|
|
org.opencontainers.image.source="https://codeberg.org/forgejo/forgejo" \
|
|
org.opencontainers.image.version="${RELEASE_VERSION}" \
|
|
org.opencontainers.image.vendor="Forgejo" \
|
|
org.opencontainers.image.licenses="MIT" \
|
|
org.opencontainers.image.title="Forgejo. Beyond coding. We forge." \
|
|
org.opencontainers.image.description="Forgejo is a self-hosted lightweight software forge. Easy to install and low maintenance, it just does the job."
|
|
|
|
EXPOSE 22 3000
|
|
|
|
RUN apk --no-cache add \
|
|
bash \
|
|
ca-certificates \
|
|
curl \
|
|
gettext \
|
|
git \
|
|
linux-pam \
|
|
openssh \
|
|
s6 \
|
|
sqlite \
|
|
su-exec \
|
|
gnupg \
|
|
&& rm -rf /var/cache/apk/*
|
|
|
|
RUN addgroup \
|
|
-S -g 1000 \
|
|
git && \
|
|
adduser \
|
|
-S -H -D \
|
|
-h /data/git \
|
|
-s /bin/bash \
|
|
-u 1000 \
|
|
-G git \
|
|
git && \
|
|
echo "git:*" | chpasswd -e
|
|
|
|
ENV USER=git
|
|
ENV GITEA_CUSTOM=/data/gitea
|
|
|
|
VOLUME ["/data"]
|
|
|
|
ENTRYPOINT ["/usr/bin/entrypoint"]
|
|
CMD ["/bin/s6-svscan", "/etc/s6"]
|
|
|
|
COPY --from=build-env /tmp/local /
|
|
RUN cd /usr/local/bin ; ln -s gitea forgejo
|
|
COPY --from=build-env /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
|
|
COPY --from=build-env /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
|
|
COPY --from=build-env /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete /etc/profile.d/gitea_bash_autocomplete.sh
|