WIP: [feat] reproducible build (with source_date_epoch) for source distribution #6773
base: main
Signed-off-by: Andreas Fehlner <fehlner@arcor.de>
Codecov Report
All modified and coverable lines are covered by tests ✅
✅ All tests successful. No failed tests found.
@@ Coverage Diff @@
## main #6773 +/- ##
=======================================
Coverage 56.49% 56.49%
=======================================
Files 509 509
Lines 32724 32724
Branches 3097 3097
=======================================
Hits 18487 18487
Misses 13379 13379
Partials 858 858
Signed-off-by: Andreas Fehlner <fehlner@arcor.de>
You can commit the suggested changes from lintrunner.
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: Andreas Fehlner <fehlner@arcor.de>
…inux) (#6947)

### Description

This pull request introduces the use of the SOURCE_DATE_EPOCH environment variable to achieve reproducible builds on Linux systems. The pull request modifies four files to introduce the SOURCE_DATE_EPOCH environment variable for achieving reproducible builds on Linux. Key changes include:

- Utilizing SOURCE_DATE_EPOCH in the workflow configuration files (main.yml, release_linux.yml) to ensure consistent timestamps.
- Adding logic in the manylinux/entrypoint.sh script to handle the new variable and print its value for transparency.
- Updating CMakeLists.txt to generate a reproducible build date based on the environment variable.

These changes improve build determinism and align with reproducible build standards, enhancing security and auditability.

### Motivation and Context

Reproducible builds are a critical aspect of supply chain security as they:

- Detect tampering or unauthorized modifications during the build process.
- Enhance transparency and trust by allowing verification that the distributed binaries match the original source code.
- Mitigate risks of supply chain attacks by ensuring deterministic builds.
- Simplify auditing and compliance processes for secure software development practices.

This aligns with the ONNX project's commitment to improving build integrity and overall security. More information could be found at: https://reproducible-builds.org/

### Not part of the PR:

- Windows and Mac (planned for a later date)
- source distribution (WIP: #6773)
- sboms to store the exact configuration of the pipeline, software, etc.

### Results:

https://github.com/onnx/onnx/actions/runs/14808925839 and https://github.com/onnx/onnx/actions/runs/14808354973 are based on the same commits. The artifacts could be downloaded with:

`gh run download 14808354973 --repo onnx/onnx -D sc_14808354973`

#### Windows:

#### Linux

`diffoscope --html 20250503_linux-310_x64.html sc_v0_14808354973/wheels-linux-x64-3.10/onnx_weekly-1.19.0.dev20250503-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl sc_v1_14808925839/wheels-linux-x64-3.10/onnx_weekly-1.19.0.dev20250503-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl`

---------

Signed-off-by: Andreas Fehlner <fehlner@arcor.de>
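The procedure the commit message above describes (pick SOURCE_DATE_EPOCH in CI, derive the build date from it the way entrypoint.sh and CMakeLists.txt would, then check that two artifacts from the same commit are byte-identical), as an added shell example that is not part of the PR or of the ONNX project's code; the function names and the fallback epoch are assumptions made here.

```shell
#!/bin/sh
# Added example (not ONNX project code). Assumed function names.

# Resolve SOURCE_DATE_EPOCH: keep a value CI already exported, else use the
# commit time of HEAD (the usual reproducible-builds.org choice), else fall
# back to a constructed fixed value so this runs outside a git checkout.
resolve_source_date_epoch() {
    if [ -n "${SOURCE_DATE_EPOCH:-}" ]; then
        printf '%s\n' "$SOURCE_DATE_EPOCH"
    elif git rev-parse --git-dir >/dev/null 2>&1; then
        git log -1 --pretty=%ct
    else
        printf '%s\n' 1746230400   # constructed: 2025-05-03T00:00:00Z
    fi
}

# Render the epoch as a UTC build date string. Rejects anything that is not
# a plain integer so a malformed variable cannot silently fall back to "now"
# (which would break reproducibility). GNU date: -d @N; BSD date: -r N.
build_date_from_epoch() {
    epoch="$1"
    case "$epoch" in
        ''|*[!0-9]*) echo "invalid SOURCE_DATE_EPOCH: '$epoch'" >&2; return 1 ;;
    esac
    date -u -d "@$epoch" '+%Y-%m-%d %H:%M:%S UTC' 2>/dev/null \
        || date -u -r "$epoch" '+%Y-%m-%d %H:%M:%S UTC'
}

# SHA-256 of a file, with a fallback for systems lacking sha256sum.
digest() {
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# True only when two build outputs (e.g. wheels from two CI runs of the same
# commit) are byte-identical; a mismatch is what diffoscope then explains.
artifacts_identical() {
    [ "$(digest "$1")" = "$(digest "$2")" ]
}
```

Run `build_date_from_epoch "$(resolve_source_date_epoch)"` at build time and `artifacts_identical a.whl b.whl` after two independent builds of the same commit.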