ci: Enable reproducible container builds

Requires to use the upcoming buildkit release 0.13.0 and a number of
extra parameters to build-push-action. We also need to avoid layer
caches during the initial builds as those may contain wrong timestamps
(Buildkit issue).

With the debian base image now being selected via the DEBIAN_TAG
variable, we also base our cache key on this one to improve the hit
rate.

Signed-off-by: Jan Kiszka <[email protected]>

.github/actions/docker-init/action.yml

@@ -13,24 +13,36 @@ runs:
       uses: docker/setup-qemu-action@v3
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3
+      with:
+        driver-opts: image=moby/buildkit:v0.13.0-rc3
     - name: Login to ghcr.io
       uses: docker/login-action@v3
       with:
         registry: ghcr.io
         username: ${{ inputs.deploy-user }}
         password: ${{ inputs.deploy-token }}
+    - name: Set SOURCE_DATE_EPOCH
+      run: |
+        echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
+      shell: bash
+    - name: Determine Debian tag
+      run: |
+        DEBIAN_RELEASE=$(grep -m 1 'ARG DEBIAN_TAG=' Dockerfile | sed 's/.*DEBIAN_TAG=\(.*\)-.*/\1/')
+        echo "DEBIAN_TAG=$(podman image search --list-tags debian --limit 1000000000 | \
+                           grep "$DEBIAN_RELEASE-.*-slim" | sort -r | head -1 | sed 's/.*[ ]\+//')" >> $GITHUB_ENV
+      shell: bash
     - name: Cache var-cache-apt
       id: cache-var-cache-apt
       uses: actions/cache@v4
       with:
         path: var-cache-apt
-        key: var-cache-apt-${{ hashFiles('Dockerfile') }}
+        key: var-cache-apt-${{ env.DEBIAN_TAG }}
     - name: Cache var-lib-apt
       id: cache-var-lib-apt
       uses: actions/cache@v4
       with:
         path: var-lib-apt
-        key: var-lib-apt-${{ hashFiles('Dockerfile') }}
+        key: var-lib-apt-${{ env.DEBIAN_TAG }}
     - name: Inject var-cache-apt into docker
       uses: reproducible-containers/[email protected]
       with:

.github/workflows/master.yml

@@ -34,8 +34,12 @@ jobs:
           context: /home/runner/kas-clone
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          no-cache: true
           platforms: linux/amd64,linux/arm64
-          push: true
+          build-args: |
+            SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
+            DEBIAN_TAG=${{ env.DEBIAN_TAG }}
+          outputs: type=registry,rewrite-timestamp=true
           tags: ghcr.io/siemens/kas/kas
       - name: Build kas-isar image
         uses: docker/build-push-action@v5
@@ -44,7 +48,11 @@ jobs:
           context: /home/runner/kas-clone
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          no-cache: true
           target: kas-isar
           platforms: linux/amd64,linux/arm64
-          push: true
+          build-args: |
+            SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
+            DEBIAN_TAG=${{ env.DEBIAN_TAG }}
+          outputs: type=registry,rewrite-timestamp=true
           tags: ghcr.io/siemens/kas/kas-isar

.github/workflows/next.yml

@@ -73,47 +73,92 @@ jobs:
         with:
           deploy-user: ${{ secrets.PACKAGE_DEPLOY_USER }}
           deploy-token: ${{ secrets.PACKAGE_DEPLOY_TOKEN }}
-      - name: Build kas image
+
+      - name: Build amd64 kas image
         uses: docker/build-push-action@v5
         with:
           context: /home/runner/kas-clone
           cache-from: type=gha
           cache-to: type=gha,mode=max
-          load: true
+          no-cache: true
+          platforms: linux/amd64
+          build-args: |
+            SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
+            DEBIAN_TAG=${{ env.DEBIAN_TAG }}
+          outputs: type=docker,rewrite-timestamp=true
           tags: ghcr.io/siemens/kas/kas:next
       - name: Test kas image
         run: |
           cd image-tests/poky
           KAS_IMAGE_VERSION=next ../../kas-container build kas.yml
-      - name: Complete build and deploy kas image
+      - name: Deploy amd64 kas image
+        uses: docker/build-push-action@v5
+        with:
+          context: /home/runner/kas-clone
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          platforms: linux/amd64
+          build-args: |
+            SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
+            DEBIAN_TAG=${{ env.DEBIAN_TAG }}
+          outputs: type=registry,rewrite-timestamp=true
+          tags: ghcr.io/siemens/kas/kas:next
+      - name: Build and deploy arm64 kas image
         uses: docker/build-push-action@v5
         with:
           context: /home/runner/kas-clone
           cache-from: type=gha
           cache-to: type=gha,mode=max
-          platforms: linux/amd64,linux/arm64
+          no-cache: true
+          platforms: linux/arm64
+          build-args: |
+            SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
+            DEBIAN_TAG=${{ env.DEBIAN_TAG }}
+          outputs: type=registry,rewrite-timestamp=true
           tags: ghcr.io/siemens/kas/kas:next
-          push: true
-      - name: Build kas-isar image
+
+      - name: Build amd64 kas-isar image
         uses: docker/build-push-action@v5
         with:
           context: /home/runner/kas-clone
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          no-cache: true
           target: kas-isar
-          load: true
+          platforms: linux/amd64
+          build-args: |
+            SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
+            DEBIAN_TAG=${{ env.DEBIAN_TAG }}
+          outputs: type=docker,rewrite-timestamp=true
           tags: ghcr.io/siemens/kas/kas-isar:next
       - name: Test kas-isar image
         run: |
           cd image-tests/isar
           KAS_IMAGE_VERSION=next ../../kas-container build kas.yml
-      - name: Complete build and deploy kas-isar image
+      - name: Deploy amd64 kas-isar image
+        uses: docker/build-push-action@v5
+        with:
+          context: /home/runner/kas-clone
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          target: kas-isar
+          platforms: linux/amd64
+          build-args: |
+            SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
+            DEBIAN_TAG=${{ env.DEBIAN_TAG }}
+          outputs: type=registry,rewrite-timestamp=true
+          tags: ghcr.io/siemens/kas/kas-isar:next
+      - name: Build and deploy arm64 kas-isar image
         uses: docker/build-push-action@v5
         with:
           context: /home/runner/kas-clone
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          no-cache: true
           target: kas-isar
-          platforms: linux/amd64,linux/arm64
+          platforms: linux/arm64
+          build-args: |
+            SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
+            DEBIAN_TAG=${{ env.DEBIAN_TAG }}
+          outputs: type=registry,rewrite-timestamp=true
           tags: ghcr.io/siemens/kas/kas-isar:next
-          push: true

.github/workflows/release.yml

@@ -25,8 +25,12 @@ jobs:
           context: /home/runner/kas-clone
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          no-cache: true
           platforms: linux/amd64,linux/arm64
-          push: true
+          build-args: |
+            SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
+            DEBIAN_TAG=${{ env.DEBIAN_TAG }}
+          outputs: type=registry,rewrite-timestamp=true
           tags: |
             ghcr.io/siemens/kas/kas
             ghcr.io/siemens/kas/kas:${{ env.RELEASE_VERSION }}
@@ -37,9 +41,13 @@ jobs:
           context: /home/runner/kas-clone
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          no-cache: true
           target: kas-isar
           platforms: linux/amd64,linux/arm64
-          push: true
+          build-args: |
+            SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
+            DEBIAN_TAG=${{ env.DEBIAN_TAG }}
+          outputs: type=registry,rewrite-timestamp=true
           tags: |
             ghcr.io/siemens/kas/kas-isar
             ghcr.io/siemens/kas/kas-isar:${{ env.RELEASE_VERSION }}