Prompt #190
Reproducible Build Setup
- Variables: project, build_tool
- Tags: open-source, reproducible-builds, slsa, supply-chain, docker
- Source: https://reproducible-builds.org/
- Use count: 0
- Created: 2026-05-01T18:34:49.745451+00:00
- Updated: 2026-05-01T18:34:49.745451+00:00
Content
You are a reproducible builds expert. Make the {{project}} build bit-for-bit reproducible.
Build tool: {{build_tool}} (Docker / setuptools / Make / Cargo / Go)
Apply:
1. Source date epoch: export SOURCE_DATE_EPOCH (typically the commit timestamp, e.g. git log -1 --pretty=%ct) and use it wherever a build date is embedded; never read the wall clock during the build
2. Deterministic file ordering: sort every glob, readdir or find result before use; never rely on directory (inode) traversal order, and set LC_ALL=C so sort order does not depend on the locale
3. Hermetic toolchain: pin exact compiler/interpreter versions; use Nix or a Docker multi-stage build so the host toolchain is never used
4. No network access at build time: vendor or pre-fetch all dependencies against checksum-verified lockfiles before the build
5. Lock all base images: use SHA256 digest pinning (FROM image@sha256:...), never a mutable tag alone
6. Strip debug symbols and embedded build paths/timestamps from binaries (e.g. -trimpath for Go, -ffile-prefix-map for GCC/Clang), and normalise archive metadata (owner, mode, mtime, gzip -n)
7. Build provenance: target SLSA Build Level 2 or higher; generate an SBOM (syft) and sign a provenance attestation (cosign)
Verification:
- Two independent builds (different machine, user, working directory and time) must produce bit-identical output; compare digests, and use diffoscope on any mismatch
- Diffoscope report interpretation: state which differences, if any, are acceptable and why (for a final artifact the answer should be none)
Output: Dockerfile + Makefile + GitHub Actions step for provenance attestation.
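As an added, runnable illustration of steps 1, 2, 5 and 6 and of the two-build verification (this is not part of the prompt, nor code from reproducible-builds.org), the script below builds a constructed project tree twice from checkouts laid out in different order, compares the artifact digests, and lints a Dockerfile for digest-pinned FROM lines. It assumes GNU tar, gzip, awk and sha256sum (or shasum); the project tree, the sample Dockerfiles and the all-zero digest are constructed placeholders.

```shell
#!/bin/sh
# Added example: a minimal reproducible "build" of a constructed project tree,
# plus a check that every FROM in a Dockerfile is digest-pinned. Not from the
# prompt or reproducible-builds.org; needs GNU tar, gzip, awk, sha256sum or shasum.
set -eu
export TZ=UTC LC_ALL=C   # locale and timezone leak into sort order and date strings

sha256() {  # print the hex digest of file $1, with a fallback for hosts without coreutils
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Step 1: derive SOURCE_DATE_EPOCH from the commit being built; a fixed constructed
# value is used when not run inside a git checkout.
source_date_epoch() {
  epoch=$(git log -1 --pretty=%ct 2>/dev/null) && [ -n "$epoch" ] && { echo "$epoch"; return; }
  echo 1700000000
}

# Constructed source tree; files are created in a different order per call so the
# two checkouts have different directory (inode) order, the trap step 2 warns about.
stage_tree() {  # $1 = dir, $2 = creation order: ab or ba
  mkdir -p "$1/pkg"
  if [ "$2" = ab ]; then
    printf 'alpha\n' >"$1/pkg/a.txt"; printf 'beta\n' >"$1/pkg/b.txt"
  else
    printf 'beta\n' >"$1/pkg/b.txt"; printf 'alpha\n' >"$1/pkg/a.txt"
  fi
}

# Steps 1, 2 and 6 applied to an archive: timestamps from SOURCE_DATE_EPOCH (never
# `date`), members in sorted order, owner/mode normalised (umask differs between CI
# runners), and gzip -n so the gzip header carries no file name or mtime.
reproducible_build() {  # $1 = source tree, $2 = output .tar.gz, $3 = epoch
  SOURCE_DATE_EPOCH=$3; export SOURCE_DATE_EPOCH
  printf 'built_at=%s\n' "$SOURCE_DATE_EPOCH" >"$1/pkg/BUILD_INFO"   # embedded build date
  chmod -R u+rw,go=rX "$1/pkg"
  ( cd "$1" && find pkg -print | sort |
      tar --no-recursion -T - --owner=0 --group=0 --numeric-owner \
          --mtime="@$SOURCE_DATE_EPOCH" -cf - ) | gzip -n -9 >"$2"
}

build_and_hash() {  # $1 = creation order, $2 = epoch; prints the artifact digest
  work=$(mktemp -d)
  stage_tree "$work/src" "$1"
  reproducible_build "$work/src" "$work/out.tar.gz" "$2"
  sha256 "$work/out.tar.gz"
  rm -rf "$work"
}

# Verification: two independent builds of differently laid-out checkouts must hash
# the same. On a mismatch, diffoscope out1.tar.gz out2.tar.gz shows which member differs.
check_reproducible() {  # $1 = epoch
  h1=$(build_and_hash ab "$1"); h2=$(build_and_hash ba "$1")
  [ "$h1" = "$h2" ]
}

# Step 5: every FROM must reference image@sha256:<64 hex>; `scratch` and earlier
# stage aliases (FROM ... AS name) are exempt, and --platform flags are skipped.
check_from_pinned() {  # $1 = Dockerfile; prints offending lines, exits 1 if any
  awk 'BEGIN { bad = 0 }
    toupper($1) == "FROM" {
      i = 2; while ($i ~ /^--/) i++; img = $i
      for (j = i + 1; j <= NF; j++) if (toupper($j) == "AS") stages[$(j+1)] = 1
      if (img == "scratch" || (img in stages)) next
      if (!(match(img, /@sha256:[0-9a-f]+$/) && RLENGTH == 72)) { print "unpinned: " $0; bad = 1 }
    }
    END { exit bad }' "$1"
}

write_sample_dockerfiles() {  # $1 = dir; constructed samples, the digest is a placeholder
  d=0000000000000000000000000000000000000000000000000000000000000000
  cat >"$1/pinned.Dockerfile" <<EOF
FROM --platform=linux/amd64 docker.io/library/golang@sha256:$d AS builder
FROM scratch
FROM builder
EOF
  cat >"$1/unpinned.Dockerfile" <<EOF
FROM golang@sha256:$d AS builder
FROM alpine:3.19
EOF
}

if check_reproducible "$(source_date_epoch)"; then echo "reproducible: identical digest from two builds"
else echo "NOT reproducible" >&2; exit 1; fi
```

The same chmod/sort/tar/gzip recipe is what a Makefile target for a source or wheel tarball should use; the digest comparison is the cheap check to run on every CI build before spending time on a diffoscope report, and the FROM linter can gate pull requests that touch a Dockerfile.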