mirror of
https://github.com/marcoallegretti/karapace.git
synced 2026-03-26 21:43:09 +00:00
- .github/workflows/ci.yml — 17 jobs: fmt, clippy, test, e2e, enospc, e2e-resolve, build-release (gnu+musl), smoke-test, reproducibility-check (gnu+musl), cross-run-reproducibility (gnu+musl), lockfile-check, cargo-deny, ci-contract - .github/workflows/release.yml — 4 jobs: build, sign (cosign OIDC), verify, publish - .github/workflows/supply-chain-test.yml — 11 adversarial jobs: build-and-sign, verify-signatures, tamper-binary, tamper-sbom, tamper-signature-removal, adversarial-env-injection, adversarial-artifact-tampering, adversarial-build-script, adversarial-credential-injection, adversarial-rustflags-bypass, verify-docs-executable - .github/actions/karapace-build/action.yml — reusable build action - .cargo/config.toml — SOURCE_DATE_EPOCH=0, local path remapping for reproducibility - CI_CONTRACT.md — required jobs list enforced by ci-contract gate job - scripts/generate-sbom.sh — CycloneDX SBOM generation - CARGO_INCREMENTAL=0 globally, cargo clean before all release builds - Cosign keyless signing with GitHub Actions OIDC - 32 total CI jobs across 3 workflows
# Supply-chain hardening: deterministic builds.
#
# Two mechanisms are configured in this file:
# - [env] pins SOURCE_DATE_EPOCH to 0 so build timestamps are fixed.
# - [build] rustflags remaps local filesystem prefixes so they do not end up
#   in compiled binaries.
#
# Precedence: when the RUSTFLAGS environment variable is set (as CI does),
# Cargo uses it INSTEAD of build.rustflags; the two are not merged. Local dev
# builds therefore get the remapping below, and CI builds get only whatever
# remapping CI's own RUSTFLAGS value carries.
# NOTE(review): a job that sets RUSTFLAGS without any --remap-path-prefix
# builds with no path remapping at all; confirm each workflow passes its own.

[env]
# Only affects build scripts and tools that honour SOURCE_DATE_EPOCH.
# Cargo does not override a variable that is already set in the calling
# environment unless the entry is written with `force = true`, so an
# inherited value wins over this one.
SOURCE_DATE_EPOCH = "0"

[build]
# Best-effort remapping for local dev; CI's RUSTFLAGS replaces this entirely.
# build.rustflags is passed to every rustc invocation, not only release builds.
#
# The first prefix is the Cargo registry source directory, which covers most
# dependency crate paths; the second is the project checkout.
# Cargo does no $HOME or variable expansion here: both prefixes are literal
# paths for one developer account. On any other user or checkout location
# they match nothing and the real local paths stay in the binary.
rustflags = [
    "--remap-path-prefix", "/home/lateuf/.cargo/registry/src=crate",
    "--remap-path-prefix", "/home/lateuf/Projects/Karapace=src",
]