GitHub Actions container not reproducible

[ericcornelissen]

Hey, I'm running a project that attempts to reproduce the builds of GitHub Actions. I'm trying to reproduce the container for this action and am not succeeding. The (semantic) diff I get when comparing my rebuild against mikefarah/yq:4-githubaction (from Docker hub) is as follows:

TYPE     NAME                  INPUT-0                                                             INPUT-1
Cfg      ctx:/config/config    ?                                                                   ?
Layer    ctx:/layer            length mismatch (531 vs 530)                                        
File     etc/shadow            b3dbe351b08638697f2c47f36f572013efcf957361001e634285109f39f6d8dc    51b998b0d307127dcccaa22700b9a9e546b48d0cad93703109767af9f48d1f41
Layer    ctx:/layer            name "entrypoint.sh" only appears in input 0                        

I'm (re)building the image using the command (have tried buildx build --load as well):

docker build --no-cache --file Dockerfile --tag rebuild .

When I try to rebuild locally I get the same result.

I'm not to well-versed in container reproducibility (or interpreting the diffoci output shown above) but would like to ask if I'm building the container correctly or am perhaps missing something obvious.

If I'm not, would you be interested in working on making the container reproducible.

For completeness, I have only tested the GitHub Actions container, not any other containers related to this project. Those might have similar issues.

[ericcornelissen]

A likely culprit (assuming I'm building from the correct Dockerfile) is the use of a float tag as a base image:

yq/Dockerfile

Line 13 in 17f66dc

FROM alpine:3 AS production