How to Produce Reproducible Builds as Evidence
A build that yields the same digest twice is verifiable evidence that the shipped artifact matches the reviewed source.
Reproducibility lets anyone confirm an artifact came from the reviewed source. Pin the toolchain, set SOURCE_DATE_EPOCH to strip timestamps, and rebuild to compare digests. This page shows the pattern; it is educational supply-chain guidance.
Steps
- Pin the toolchain and base image by exact version or digest.
- Set SOURCE_DATE_EPOCH so timestamps are deterministic.
- Rebuild in a second job and assert the digest matches.
Deterministic build and verify
.github/workflows/ci.yml
jobs:
build:
runs-on: ubuntu-latest
env:
SOURCE_DATE_EPOCH: ${{ github.event.repository.pushed_at }}
steps:
- uses: actions/checkout@v4
- run: |
make build
sha256sum dist/app.tgz | tee digest-1.txt
- run: |
make clean && make build
sha256sum dist/app.tgz | tee digest-2.txt
- run: diff <(cut -d' ' -f1 digest-1.txt) <(cut -d' ' -f1 digest-2.txt) \
|| { echo "Build not reproducible"; exit 1; }Notes
- Unpinned dependencies and embedded timestamps are the usual causes of non-determinism.
- Publish the digest alongside provenance so third parties can reproduce and verify.
Related guides
How to Generate an SBOM and Build Provenance in CIProduce a CycloneDX SBOM and SLSA build provenance attestation in GitHub Actions for supply-chain compliance,…
How to Require Signed Commits in CIRequire signed commits with a GitHub ruleset and verify signatures in CI, so every change in the audit trail…
How to Run Automated Compliance Checks With tfsec and CISRun automated compliance checks in GitHub Actions with tfsec for Terraform and a CIS benchmark scan, failing…