mirror of
https://github.com/k3s-io/k3s.git
synced 2026-04-11 12:26:44 -04:00
500fd9cfd1
The tar command in package-cli produces a non-reproducible archive because file ordering and timestamps vary between builds. This causes bit-for-bit differences when rebuilding k3s from the same source, which breaks reproducible build systems such as Nix. Sort the archive entries by name and clamp modification times to the Unix epoch so the tarball content is deterministic regardless of filesystem ordering or build time. Ref: NixOS/nixpkgs#430225 Ref: NixOS/nixpkgs#502374 Signed-off-by: Jon Hermansen <jon@jh86.org>
87 lines
2.1 KiB
Bash
Executable file
87 lines
2.1 KiB
Bash
Executable file
#!/bin/bash
|
|
set -e -x
|
|
|
|
cd $(dirname $0)/..
|
|
|
|
. ./scripts/version.sh
|
|
|
|
GO=${GO-go}
|
|
|
|
for i in containerd crictl kubectl k3s-agent k3s-server k3s-token k3s-etcd-snapshot k3s-secrets-encrypt k3s-certificate k3s-completion; do
|
|
rm -f bin/$i${BINARY_POSTFIX}
|
|
ln -s k3s${BINARY_POSTFIX} bin/$i${BINARY_POSTFIX}
|
|
done
|
|
|
|
cni_binaries=(
|
|
"bandwidth"
|
|
"bridge"
|
|
"firewall"
|
|
"flannel"
|
|
"host-local"
|
|
"loopback"
|
|
"portmap"
|
|
)
|
|
|
|
if [ ${OS} = windows ]; then
|
|
cni_binaries=(
|
|
"win-overlay"
|
|
"flannel"
|
|
"host-local"
|
|
)
|
|
fi
|
|
|
|
for i in "${cni_binaries[@]}"; do
|
|
rm -f bin/$i${BINARY_POSTFIX}
|
|
ln -s cni${BINARY_POSTFIX} bin/$i${BINARY_POSTFIX}
|
|
done
|
|
|
|
cp contrib/util/check-config.sh bin/check-config
|
|
|
|
rm -rf build/data
|
|
mkdir -p build/data build/out
|
|
mkdir -p dist/artifacts
|
|
mkdir -p ./etc
|
|
|
|
(
|
|
set +x
|
|
cd bin
|
|
find . -not -path '*/\.*' -type f -exec sha256sum {} \; | sed -e 's| \./| |' | sort -k2 >.sha256sums
|
|
(
|
|
for f in $(find . -type l); do
|
|
echo $f $(readlink $f)
|
|
done
|
|
) | sed -e 's|^\./||' | sort >.links
|
|
set -x
|
|
)
|
|
|
|
# Ensure the embedded tarball is reproducible: sort file order and clamp timestamps
|
|
tar --sort=name --mtime=@0 -cvf ./build/out/data-${OS}.tar ./bin ./etc
|
|
zstd --no-progress -T0 -16 -f --long=25 --rm ./build/out/data-${OS}.tar -o ./build/out/data-${OS}.tar.zst
|
|
HASH=$(sha256sum ./build/out/data-${OS}.tar.zst | awk '{print $1}')
|
|
|
|
cp ./build/out/data-${OS}.tar.zst ./build/data/${HASH}.tar.zst
|
|
|
|
BIN_SUFFIX="-${ARCH}"
|
|
if [ ${ARCH} = amd64 ]; then
|
|
BIN_SUFFIX=""
|
|
elif [ ${ARCH} = arm ]; then
|
|
BIN_SUFFIX="-armhf"
|
|
elif [ ${ARCH} = s390x ]; then
|
|
BIN_SUFFIX="-s390x"
|
|
fi
|
|
|
|
CMD_NAME=dist/artifacts/k3s${BIN_SUFFIX}${BINARY_POSTFIX}
|
|
|
|
LDFLAGS="
|
|
-X github.com/k3s-io/k3s/pkg/version.Version=$VERSION
|
|
-X github.com/k3s-io/k3s/pkg/version.GitCommit=${COMMIT:0:8}
|
|
-w -s
|
|
"
|
|
TAGS="urfave_cli_no_docs"
|
|
STATIC="-extldflags '-static'"
|
|
cp -av build/data/* pkg/data/embed/
|
|
CGO_ENABLED=0 "${GO}" build -tags "$TAGS" -buildvcs=false -ldflags "$LDFLAGS $STATIC" -o ${CMD_NAME} ./cmd/k3s
|
|
|
|
stat ${CMD_NAME}
|
|
|
|
./scripts/build-upload ${CMD_NAME} ${COMMIT}
|