karapace/.cargo/config.toml

# Supply-chain hardening: deterministic builds
#
# Path remapping eliminates local filesystem paths from binaries.
# CI sets RUSTFLAGS env var which OVERRIDES build.rustflags below.
# SOURCE_DATE_EPOCH=0 ensures no build timestamps leak.
#
# NOTE: Local dev builds use build.rustflags for path remapping.
# CI builds use the RUSTFLAGS env var instead (takes precedence).
# This means local builds get local remapping, CI gets CI remapping.

[env]
SOURCE_DATE_EPOCH = "0"

# [build]
# Path remapping for local dev builds is optional.
# CI RUSTFLAGS override build.rustflags entirely.
# strip = true in profile.release removes debug paths from binaries.
# Uncomment and adjust for your system if you want local path remapping:
# rustflags = [
#   "--remap-path-prefix", "/home/YOU/.cargo/registry/src=crate",
#   "--remap-path-prefix", "/home/YOU/Projects/Karapace=src",
# ]
ci: GitHub Actions CI/CD, supply chain hardening, reproducible builds - .github/workflows/ci.yml — 17 jobs: fmt, clippy, test, e2e, enospc, e2e-resolve, build-release (gnu+musl), smoke-test, reproducibility-check (gnu+musl), cross-run-reproducibility (gnu+musl), lockfile-check, cargo-deny, ci-contract - .github/workflows/release.yml — 4 jobs: build, sign (cosign OIDC), verify, publish - .github/workflows/supply-chain-test.yml — 11 adversarial jobs: build-and-sign, verify-signatures, tamper-binary, tamper-sbom, tamper-signature-removal, adversarial-env-injection, adversarial-artifact-tampering, adversarial-build-script, adversarial-credential-injection, adversarial-rustflags-bypass, verify-docs-executable - .github/actions/karapace-build/action.yml — reusable build action - .cargo/config.toml — SOURCE_DATE_EPOCH=0, local path remapping for reproducibility - CI_CONTRACT.md — required jobs list enforced by ci-contract gate job - scripts/generate-sbom.sh — CycloneDX SBOM generation - CARGO_INCREMENTAL=0 globally, cargo clean before all release builds - Cosign keyless signing with GitHub Actions OIDC - 32 total CI jobs across 3 workflows 2026-02-22 17:39:00 +00:00			`# Supply-chain hardening: deterministic builds`
			`#`
			`# Path remapping eliminates local filesystem paths from binaries.`
			`# CI sets RUSTFLAGS env var which OVERRIDES build.rustflags below.`
			`# SOURCE_DATE_EPOCH=0 ensures no build timestamps leak.`
			`#`
			`# NOTE: Local dev builds use build.rustflags for path remapping.`
			`# CI builds use the RUSTFLAGS env var instead (takes precedence).`
			`# This means local builds get local remapping, CI gets CI remapping.`

			`[env]`
			`SOURCE_DATE_EPOCH = "0"`

pre-publish fixes: pin SBOM tool version, remove hardcoded paths, fix changelog - Pin cargo-cyclonedx@0.5.5 in scripts/generate-sbom.sh (matches CI) - Remove hardcoded /home/lateuf paths from .cargo/config.toml - Remove stale 'quick' command reference from CHANGELOG 0.1.0 2026-02-22 18:36:26 +00:00			`# [build]`
			`# Path remapping for local dev builds is optional.`
			`# CI RUSTFLAGS override build.rustflags entirely.`
			`# strip = true in profile.release removes debug paths from binaries.`
			`# Uncomment and adjust for your system if you want local path remapping:`
			`# rustflags = [`
			`# "--remap-path-prefix", "/home/YOU/.cargo/registry/src=crate",`
			`# "--remap-path-prefix", "/home/YOU/Projects/Karapace=src",`
			`# ]`