
Dev/reproducible container

histalek requested to merge dev/reproducible-container into main

This change allows the container built by apko to be fully reproducible (and only pushes a new tag if the newly built image differs from :latest).

The reasoning behind this is that I want to have an automated schedule running to rebuild the image once a day or so, but without pushing a new tag each day even if nothing changed.

The container wasn't reproducible before because I've used a temporary signing key for every apk build, which in turn led to a different public key being added to the keyring inside the container each time the package/container was built, changing the image digest.
While having the key material stored in GitLab CI variables isn't the nicest thing, it will need to suffice until I get some keyless signing going or I can at least get the secret from an external vault.

Edited by histalek
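The mechanism the MR describes, as an added example that is not part of the merge request or of apko/melange: a simplified stand-in for the builder packs a rootfs containing an apk keyring into a deterministic tar layer, so you can see that a per-build public key flips the layer digest while a fixed key keeps it stable, and a small `should_push` decision only tags when the rebuilt digest differs from :latest. The paths `etc/apk/keys/build.rsa.pub` and `usr/bin/hello`, the package payload, the random bytes standing in for a public key, and all function names are assumptions made for the example.

```python
"""Added example (not apko/melange code): ephemeral signing keys break image
reproducibility; push a new tag only when the rebuilt digest differs."""
import hashlib
import io
import secrets
import tarfile
from typing import Dict, Optional

# Hypothetical paths chosen for the example; apk keyrings normally live under /etc/apk/keys/.
KEYRING_PATH = "etc/apk/keys/build.rsa.pub"
PKG_PATH = "usr/bin/hello"
PKG_CONTENT = b"#!/bin/sh\necho hello\n"  # constructed package payload


def deterministic_layer(files: Dict[str, bytes]) -> bytes:
    """Pack files into a tar whose bytes depend only on (path, content):
    sorted entry order, fixed mtime/uid/gid/mode, plain ustar format.
    Any wall-clock time or build-host uid leaking in here would also
    change the digest from build to build."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for path in sorted(files):
            data = files[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = 0
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def layer_digest(files: Dict[str, bytes]) -> str:
    """Content-addressed digest of the layer, in the sha256:<hex> form registries use."""
    return "sha256:" + hashlib.sha256(deterministic_layer(files)).hexdigest()


def build_rootfs(pubkey: bytes) -> Dict[str, bytes]:
    """Stand-in for 'install the signed apk and add its public key to the keyring'."""
    return {PKG_PATH: PKG_CONTENT, KEYRING_PATH: pubkey}


def build_with_ephemeral_key() -> str:
    # Old behaviour: a fresh key for every build (random bytes stand in for the .rsa.pub).
    return layer_digest(build_rootfs(secrets.token_bytes(32)))


def build_with_fixed_key(pubkey: bytes) -> str:
    # MR behaviour: the same key every build (supplied from a CI variable).
    return layer_digest(build_rootfs(pubkey))


def should_push(new_digest: str, latest_digest: Optional[str]) -> bool:
    """Tag and push only when the rebuilt image differs from :latest.
    A missing :latest (first run) always pushes."""
    return latest_digest is None or new_digest != latest_digest


if __name__ == "__main__":
    a, b = build_with_ephemeral_key(), build_with_ephemeral_key()
    print("ephemeral key, two builds identical:", a == b)
    key = b"constructed-fixed-public-key"
    c, d = build_with_fixed_key(key), build_with_fixed_key(key)
    print("fixed key, two builds identical:", c == d)
    print("push after scheduled rebuild?", should_push(d, c))
```

In the real pipeline the two digests fed to `should_push` come from the registry's current :latest and the freshly built image rather than from a hand-built tar, but the decision is the same: no difference, no new tag.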
