ldd on the built binary shows only libz.so.1 is missing from distroless/cc-debian11;
libssl/libcrypto are statically linked by this build and do not need to be copied.
libstdc++.so.6 and libgcc_s.so.1 are already present in the distroless/cc variant.
Also consolidates the mv + mkdir into a single RUN layer.
Co-Authored-By: Claude Sonnet 4 <noreply@anthropic.com>
The previous final stage used distroless/cc-debian12 (Bookworm) which carries
no libssl and uses OpenSSL 3, making the Bullseye-built binary non-functional.
- Switch to distroless/cc-debian11:nonroot (pinned by index digest) — same
Bullseye ABI as the builder, already includes libc and libgcc
- Copy libssl.so.1.1 and libcrypto.so.1.1 from the builder stage into /usr/lib/
so no package manager is invoked in the final image (stays fully pinned)
- Normalise the arch-specific triplet lib path via a `find` into /libs/ so the
COPY instructions work identically for both amd64 and arm64 builds
Co-Authored-By: Claude Sonnet 4 <noreply@anthropic.com>
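The ldd check in the first commit and the "copy only what distroless lacks" rule in the second both reduce to one question: which NEEDED sonames of the built binary are absent from the target image's root filesystem? The script below is an added example, not tooling from the Lighthouse repository. The `readelf -d` excerpt and the stand-in rootfs layout are constructed for the demo, and the function names (`needed_from_readelf`, `missing_in_rootfs`, `demo`) are my own. Note the caveat it encodes: `ldd` run inside the builder resolves every soname against the builder's own libraries, so it cannot tell you what distroless is missing, and it executes the dynamic loader, so `readelf` (which only parses the ELF file) is the safer way to read the dependency list.

```bash
#!/bin/sh
# Added example (not Lighthouse's own tooling): report which shared libraries a
# binary needs that are absent from a target root filesystem, e.g. an exported
# distroless/cc-debian11 image.

# Extract NEEDED sonames from `readelf -d` output on stdin, one per line.
# readelf only parses the ELF headers; ldd runs the binary's loader and should
# not be pointed at files you do not trust.
needed_from_readelf() {
    sed -n 's/.*(NEEDED)[^[]*\[\([^]]*\)].*/\1/p'
}

# Print each soname in NEEDED_LIST (a file, one soname per line) that is not
# present under ROOTFS in the usual library directories, including the Debian
# multiarch triplet paths (x86_64-linux-gnu, aarch64-linux-gnu, ...), so the
# same check works for amd64 and arm64 exports.
missing_in_rootfs() {
    rootfs=$1
    needed_list=$2
    while IFS= read -r soname; do
        [ -n "$soname" ] || continue
        found=0
        for dir in "$rootfs"/lib "$rootfs"/lib64 "$rootfs"/usr/lib "$rootfs"/usr/lib64 \
                   "$rootfs"/lib/*-linux-gnu "$rootfs"/usr/lib/*-linux-gnu; do
            if [ -e "$dir/$soname" ]; then
                found=1
                break
            fi
        done
        [ "$found" -eq 1 ] || printf '%s\n' "$soname"
    done < "$needed_list"
}

# Self-contained demo on constructed data: a stand-in for an exported
# distroless/cc-debian11 rootfs (amd64) that ships libc, libgcc_s and
# libstdc++ but no zlib or OpenSSL, checked against a constructed readelf
# listing for a binary that links zlib dynamically and OpenSSL statically.
demo() {
    tmp=$(mktemp -d)
    rootfs=$tmp/rootfs
    mkdir -p "$rootfs/lib/x86_64-linux-gnu" "$rootfs/usr/lib/x86_64-linux-gnu"
    : > "$rootfs/lib/x86_64-linux-gnu/libc.so.6"
    : > "$rootfs/lib/x86_64-linux-gnu/libgcc_s.so.1"
    : > "$rootfs/usr/lib/x86_64-linux-gnu/libstdc++.so.6"
    cat <<'EOF' | needed_from_readelf > "$tmp/needed"
Dynamic section at offset 0x1d8 contains 30 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libz.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libstdc++.so.6]
 0x0000000000000001 (NEEDED)             Shared library: [libgcc_s.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [/usr/lib]
EOF
    missing_in_rootfs "$rootfs" "$tmp/needed"
    rm -rf "$tmp"
}

demo
```

Against a real image the rootfs comes from `id=$(docker create gcr.io/distroless/cc-debian11:nonroot)` followed by `docker export "$id" | tar -x -C rootfs`, and the dependency list from `readelf -d target/release/lighthouse | needed_from_readelf > needed`; `missing_in_rootfs rootfs needed` then prints exactly the sonames the final stage has to COPY from the builder. If libssl/libcrypto show up in that list, the build linked OpenSSL dynamically after all.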
- Replace docker-reproducible.yml with reproducible.yml which produces
three artifacts per arch: Docker image, binary tarball, and AppImage
- Use a single multi-arch index digest in Dockerfile.reproducible as the
sole version tag to maintain; Makefile and CI no longer carry their own
per-arch image references
- Add packaging/appimage/ template (AppRun, .desktop, lighthouse.svg)
Co-Authored-By: Claude Sonnet 4 <noreply@anthropic.com>
This pull request introduces workflows and updates to ensure reproducible builds for the Lighthouse project. It adds two GitHub Actions workflows for building and testing reproducible Docker images and binaries, updates the `Makefile` to streamline reproducible build configurations, and modifies the `Dockerfile.reproducible` to align with the new build process. Additionally, it removes the `reproducible` profile from `Cargo.toml`.
### New GitHub Actions Workflows:
* [`.github/workflows/docker-reproducible.yml`](diffhunk://#diff-222af23bee616920b04f5b92a83eb5106fce08abd885cd3a3b15b8beb5e789c3R1-R145): Adds a workflow to build and push reproducible multi-architecture Docker images for releases, including support for dry runs without pushing an image.
### Build Configuration Updates:
* [`Makefile`](diffhunk://#diff-76ed074a9305c04054cdebb9e9aad2d818052b07091de1f20cad0bbac34ffb52L85-R143): Refactors reproducible build targets, centralizes environment variables for reproducibility, and updates Docker build arguments for `x86_64` and `aarch64` architectures.
* [`Dockerfile.reproducible`](diffhunk://#diff-587298ff141278ce3be7c54a559f9f31472cc5b384e285e2105b3dee319ba31dL1-R24): Updates the base Rust image to version 1.86, removes hardcoded reproducibility settings, and delegates build logic to the `Makefile`.
* Switch to using jemalloc-sys from Debian repos instead of building it from source. A Debian version is [reproducible](https://tests.reproducible-builds.org/debian/rb-pkg/trixie/amd64/jemalloc.html) which is [hard to achieve](https://github.com/NixOS/nixpkgs/issues/380852) if you build it from source.
### Profile Removal:
* [`Cargo.toml`](diffhunk://#diff-2e9d962a08321605940b5a657135052fbcef87b5e360662bb527c96d9a615542L289-L295): Removes the `reproducible` profile, simplifying build configurations and relying on external tooling for reproducibility.
Co-Authored-By: Moe Mahhouk <mohammed-mahhouk@hotmail.com>
Co-Authored-By: chonghe <44791194+chong-he@users.noreply.github.com>
Co-Authored-By: Michael Sproul <michaelsproul@users.noreply.github.com>
In #7743, rust version was bumped:
- msrv to 1.87
- `Dockerfile` to 1.88
We also need to bump the other docker images as well, and might as well keep them all consistent at 1.88.
Which issue # does this PR address?
This PR addresses reproducible builds. The current dockerfile builds the lighthouse binary but not reproducibly.
You can verify that by following these steps:
```bash
docker build --no-cache --output=. .
mv usr/local/bin/lighthouse lighthouse1
# the mv already removed the exported copy, so nothing is left to rm before the second build
docker build --no-cache --output=. .
mv usr/local/bin/lighthouse lighthouse2
sha256sum lighthouse1 lighthouse2
```
You will notice that each one of the binaries has a different checksum upon each build. This is critical for systems that depend on reproducible builds, such as running lighthouse in confidential computing, like Intel TDX.
This PR adds a new build profile as well as a Dockerfile.reproducible that enables building the lighthouse binary reproducibly.
By following the steps I listed above, you will be able to verify that the resulting binary has the same hash upon several subsequent builds for the same version.
How to test it:
```bash
mkdir output1 output2
docker build --no-cache -f Dockerfile.reproducible --output=output1 .
docker build --no-cache -f Dockerfile.reproducible --output=output2 .
sha256sum output1/lighthouse output2/lighthouse
# hashes should be identical
rm -rf output1 output2
```