Github Actions Go lambda project different sha256sums

WBOY
2024-02-06 11:30:03

Question content

I have a Golang AWS Lambda project. I deployed it on GitHub Actions using a Terraform script. I have a situation like this: Build #1

-rwxr-xr-x  1 runner docker 14717304 jan  1  2022 atest
-rw-r--r--  1 runner docker  7776780 jan  1  2022 atest.zip

I made 1 change in a file that wasn't even imported in any other file, and Build #2

-rwxr-xr-x  1 runner docker 14717304 jan  1  2022 atest
-rw-r--r--  1 runner docker  7776755 jan  1  2022 atest.zip

The zip size changed, but the binary did not.

This is an important part of my makefile

build: ## Build Linux binary with path consistent with passed function layer (layer) and function name (function)
build: resolve-env
    @$(BUILD_FLAGS) ${GOCMD} build ${LDFLAGS} -o ${BINARY_PATH} ${GO_PKG}
    @touch -t 202201010000.00 ${BINARY_PATH}

.PHONY: package
package: build
    @cd ${DST} && ${ZIPCMD} -X -q --latest-time ${ABS_ZIP_PATH} ${function}
    @touch -t 202201010000.00 ${ABS_ZIP_PATH}

When I make the same changes locally and run the build using Terraform or a tool called "act", there are no such changes, only on GitHub Actions. I need to keep the same size, which affects the sha256sum (to avoid deploying every Lambda). What could be the reason?


Correct Answer


This answer focuses on repeatable builds of Go binaries.

Although it shows that the Go binaries have the same size, I doubt the contents are different. Please check the hash of the binary first to confirm this.

To get a reproducible build, in addition to the other obvious requirements, you need:

  1. Make sure the cgo build is reproducible (toolchain, dependencies, etc.), or disable cgo. You have set CGO_ENABLED=0 (this information was provided by another deleted question).
  2. Use the -trimpath flag. Maybe the GitHub action always puts the source code in the same directory. For security reasons, we specify this option.
  3. Set -buildvcs=false. By default ("auto") version control information will be tagged into the binary if available. This explains why two commits that differ only in the README produce different binaries.
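
One way to confirm which embedded setting differs between the binaries of two CI builds, as an added example that is not part of the original answer: it reads the build settings Go records in each binary (the data `go version -m` prints) and reports the keys whose values differ. The sample maps and the names `settingsOf` and `diffSettings` are constructed for illustration.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"log"
	"os"
)

// Constructed sample: settings of two CI builds made without -buildvcs=false.
var sampleBuild1 = map[string]string{"CGO_ENABLED": "0", "vcs.revision": "1111111", "vcs.time": "2024-01-01T10:00:00Z"}
var sampleBuild2 = map[string]string{"CGO_ENABLED": "0", "vcs.revision": "2222222", "vcs.time": "2024-01-02T10:00:00Z"}

// settingsOf reads the build settings embedded in a Go binary (as `go version -m` prints).
func settingsOf(path string) map[string]string {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		log.Fatal(err)
	}
	m := map[string]string{}
	for _, s := range info.Settings {
		m[s.Key] = s.Value
	}
	return m
}

// diffSettings maps each setting that differs to its {first, second} values;
// a setting absent from one build appears as "".
func diffSettings(a, b map[string]string) map[string][2]string {
	out := map[string][2]string{}
	for _, m := range []map[string]string{a, b} {
		for k := range m {
			if a[k] != b[k] {
				out[k] = [2]string{a[k], b[k]}
			}
		}
	}
	return out
}

func main() {
	a, b := sampleBuild1, sampleBuild2 // no arguments: use the constructed sample
	if len(os.Args) == 3 {             // otherwise: <binary from build 1> <binary from build 2>
		a, b = settingsOf(os.Args[1]), settingsOf(os.Args[2])
	}
	for k, v := range diffSettings(a, b) {
		fmt.Printf("%s: %q -> %q\n", k, v[0], v[1])
	}
}
```

When both binaries are built with -buildvcs=false, no vcs.* keys are embedded, so they no longer show up in this comparison.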


Statement:
This article is reproduced from stackoverflow.com. If there is any infringement, please contact admin@php.cn to have it deleted.