
Lab 11: reproducible quicknotes builds with a nix flake#1329

Open
Dekart-hub wants to merge 13 commits into
inno-devops-labs:mainfrom
Dekart-hub:feature/lab11

Conversation

@Dekart-hub


Goal

Build QuickNotes reproducibly with a Nix flake, extend it to a deterministic OCI image, prove both with identical hashes from two independent environments, and (bonus) turn the proof into a CI gate that fails when two parallel runners disagree.

Changes

  • flake.nix + flake.lock at the repo root
    • packages.quicknotes (and default): buildGoModule from app/, nixpkgs pinned to nixos-25.11 (locked to b6018f87), toolchain overridden to go_1_26 = 1.26.4 (the same version the Lab 6 Dockerfile builder uses), CGO_ENABLED=0, ldflags -s -w
    • vendorHash = null, a documented deviation: QuickNotes has zero dependencies and the first failed build refused to emit a hash, demanding null for the empty vendor tree
    • packages.docker: dockerTools.buildImage tarball with exec-form entrypoint, 8080/tcp exposed, nonroot uid 65532, built without Docker
    • devShells.default: go, gopls, golangci-lint
  • .github/workflows/nix-repro.yml (bonus): two parallel build jobs publish sha256sum result as outputs, a third job fails on mismatch; actions pinned by 40-char SHA; two named jobs instead of a matrix because matrix cells share one outputs namespace and would compare a digest with itself
  • submissions/lab11.md: flake, all proofs, size and determinism comparison with the Lab 6 Docker build, design questions a-j
  • The branch carries the Lab 9 hardened app/ and compose.yaml, the "Lab 6 image works" starting point this lab builds on

Testing

  • Task 1: identical store hash sha256:0n7wlzxw...vsinx from environment A (bind-mounted worktree, its own store) and environment B (pristine store, fresh clone); the binary serves /health and the unit tests run inside the sandboxed checkPhase
  • Task 2: identical image tarball digest 093f2295...cb8ab from both environments; the loaded image runs as uid 65532 and serves the seeded notes; two --no-cache builds of the Lab 6 Dockerfile produced two different image IDs on the same machine minutes apart
  • A rebuild with SOURCE_DATE_EPOCH set in the caller environment does not move the digest (the sandbox scrubs the env), which is why the red demo drifts the source instead
  • Bonus green run (two runners agree): https://github.com/Dekart-hub/DevOps-Intro/actions/runs/28701333164
  • Bonus red run (one runner's source deliberately drifted, compare job fails): https://github.com/Dekart-hub/DevOps-Intro/actions/runs/28701345152

Checklist

  • Title is a clear sentence (<= 70 chars)
  • Commits are signed (git log --show-signature)
  • submissions/lab11.md updated
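The compare job described in the bonus workflow above (two runners publish a digest, a third job fails on mismatch) is the part of the design that carries the most weight as a gate, so here is its logic written out as an added example. This is not code from the PR or the repository; the function names `digest_of_tree` and `compare_digests` are assumptions, and the tree-hashing function is one way to derive a stable digest from a `nix build` output directory (the PR itself hashes the `result` with `sha256sum`). The gate fails closed on an empty or malformed digest, so two jobs that both produced no output cannot "agree".

```shell
#!/usr/bin/env sh
# Added example (not from the PR): the two-runner reproducibility gate as
# POSIX sh functions so it can be exercised outside GitHub Actions.

# Digest of a build output tree. Files are listed in a fixed (C-locale) order
# and each file's content hash is folded into one sha256, so the result does
# not depend on filesystem enumeration order. Argument: any directory, e.g.
# the `result` symlink left by `nix build` (assumption: GNU sha256sum exists).
digest_of_tree() {
  dir="$1"
  [ -d "$dir" ] || { echo "digest_of_tree: '$dir' is not a directory" >&2; return 2; }
  (
    cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      sha256sum "$f"
    done
  ) | sha256sum | cut -d' ' -f1
}

# Gate: succeed only when both values are well-formed sha256 hex strings and
# equal. Return 2 for a malformed digest (a job that published nothing),
# 1 for a genuine mismatch, 0 when the runners agree.
compare_digests() {
  a="$1"; b="$2"
  for d in "$a" "$b"; do
    case "$d" in
      ""|*[!0-9a-f]*) echo "gate: malformed digest '$d'" >&2; return 2 ;;
    esac
    [ "${#d}" -eq 64 ] || { echo "gate: digest has length ${#d}, want 64" >&2; return 2; }
  done
  if [ "$a" = "$b" ]; then
    echo "gate: runners agree ($a)"
    return 0
  fi
  echo "gate: MISMATCH" >&2
  echo "  runner A: $a" >&2
  echo "  runner B: $b" >&2
  return 1
}
```

In a workflow the third job would call `compare_digests "$DIGEST_A" "$DIGEST_B"` with the two job outputs; the distinct exit codes let a run that lost a digest be told apart from a run where the builds actually diverged.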

Dekart-hub added 13 commits July 4, 2026 12:09
Signed-off-by: Aleksandr <55945487+Dekart-hub@users.noreply.github.com>
…orkflow

Signed-off-by: Aleksandr <55945487+Dekart-hub@users.noreply.github.com>