\u0625\u0630\u0627 \u0644\u0645 \u062a\u062a\u0645\u0643\u0646 \u0645\u0646 \u0625\u0639\u0627\u062f\u0629 \u0625\u0646\u062a\u0627\u062c \u0639\u0645\u0644\u064a\u0629 \u0628\u0646\u0627\u0621\u060c \u0641\u0644\u0646 \u062a\u062a\u0645\u0643\u0646 \u0645\u0646 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646\u0647\u0627. \u0647\u0630\u0647 \u0627\u0644\u062d\u0642\u064a\u0642\u0629 \u0627\u0644\u0628\u0633\u064a\u0637\u0629 \u062a\u0642\u0639 \u0641\u064a \u0635\u0645\u064a\u0645 \u0623\u0645\u0627\u0646 \u0633\u0644\u0633\u0644\u0629 \u062a\u0648\u0631\u064a\u062f \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a. \u062a\u0636\u0645\u0646 \u0633\u0644\u0627\u0645\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 (build integrity) \u0623\u0646 \u0645\u0627 \u062a\u0646\u0634\u0631\u0647 \u0647\u0648 \u0628\u0627\u0644\u0636\u0628\u0637 \u0645\u0627 \u0643\u0646\u062a \u062a\u0646\u0648\u064a \u0628\u0646\u0627\u0621\u0647 \u2014 \u0644\u0627 \u0634\u064a\u0621 \u0645\u0636\u0627\u0641\u060c \u0644\u0627 \u0634\u064a\u0621 \u0645\u0639\u062f\u0651\u0644\u060c \u0644\u0627 \u0634\u064a\u0621 \u062a\u0645 \u0627\u0644\u062a\u0644\u0627\u0639\u0628 \u0628\u0647 \u0628\u064a\u0646 \u0627\u0644\u0643\u0648\u062f \u0627\u0644\u0645\u0635\u062f\u0631\u064a \u0648\u0627\u0644\u0645\u0646\u062a\u062c \u0627\u0644\u0646\u0647\u0627\u0626\u064a \u0641\u064a \u0628\u064a\u0626\u0629 \u0627\u0644\u0625\u0646\u062a\u0627\u062c.<\/p>\n
\u0641\u064a \u0627\u0644\u0633\u0646\u0648\u0627\u062a \u0627\u0644\u0623\u062e\u064a\u0631\u0629\u060c \u0623\u062b\u0628\u062a\u062a \u0647\u062c\u0645\u0627\u062a \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f \u0623\u0646 \u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0646\u0641\u0633\u0647\u0627 \u0647\u064a \u0647\u062f\u0641 \u0639\u0627\u0644\u064a \u0627\u0644\u0642\u064a\u0645\u0629. \u064a\u0645\u0643\u0646 \u0644\u0644\u0645\u0647\u0627\u062c\u0645\u064a\u0646 \u0627\u0644\u0630\u064a\u0646 \u064a\u062e\u062a\u0631\u0642\u0648\u0646 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 \u0627\u0644\u0628\u0646\u0627\u0621 (build pipeline) \u062d\u0642\u0646 \u0643\u0648\u062f \u062e\u0628\u064a\u062b \u0641\u064a \u0628\u0631\u0645\u062c\u064a\u0627\u062a \u0645\u0648\u062b\u0648\u0642\u0629\u060c \u0645\u0645\u0627 \u064a\u0624\u062b\u0631 \u0639\u0644\u0649 \u0645\u0644\u0627\u064a\u064a\u0646 \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645\u064a\u0646 \u0627\u0644\u0646\u0647\u0627\u0626\u064a\u064a\u0646. \u0627\u0644\u062f\u0641\u0627\u0639 \u0627\u0644\u0648\u062d\u064a\u062f \u0627\u0644\u0645\u0648\u062b\u0648\u0642 \u0647\u0648 \u062c\u0639\u0644 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 (reproducible builds): \u0628\u0627\u0644\u0646\u0638\u0631 \u0625\u0644\u0649 \u0646\u0641\u0633 \u0627\u0644\u0645\u062f\u062e\u0644\u0627\u062a\u060c \u064a\u062c\u0628 \u0623\u0646 \u062a\u062d\u0635\u0644 \u062f\u0627\u0626\u0645\u064b\u0627 \u0639\u0644\u0649 \u0646\u0641\u0633 \u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a. \u0639\u0646\u062f\u0645\u0627 \u064a\u062a\u062d\u0642\u0642 \u0647\u0630\u0627 \u0627\u0644\u0636\u0645\u0627\u0646\u060c \u064a\u0635\u0628\u062d \u0623\u064a \u0627\u0646\u062d\u0631\u0627\u0641 \u0642\u0627\u0628\u0644\u0627\u064b \u0644\u0644\u0627\u0643\u062a\u0634\u0627\u0641.<\/p>\n
\u064a\u0633\u062a\u0639\u0631\u0636 \u0647\u0630\u0627 \u0627\u0644\u062f\u0644\u064a\u0644 \u0645\u0628\u0627\u062f\u0626 \u0633\u0644\u0627\u0645\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0648\u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u0643\u0631\u0627\u0631\u060c \u0648\u064a\u0634\u0631\u062d \u0623\u0647\u0645\u064a\u062a\u0647\u0627 \u0644\u0623\u0645\u0627\u0646 CI\/CD\u060c \u0648\u064a\u0642\u062f\u0645 \u062a\u0642\u0646\u064a\u0627\u062a \u0639\u0645\u0644\u064a\u0629 \u2014 \u0645\u0646 \u062a\u062b\u0628\u064a\u062a \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0625\u0644\u0649 \u0623\u0646\u0638\u0645\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0645\u062d\u0643\u0645\u0629 (hermetic build systems) \u2014 \u064a\u0645\u0643\u0646\u0643 \u062a\u0628\u0646\u064a\u0647\u0627 \u062a\u062f\u0631\u064a\u062c\u064a\u064b\u0627 \u0641\u064a \u062e\u0637\u0648\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643.<\/p>\n
\u0633\u0644\u0627\u0645\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0647\u064a \u0627\u0644\u0636\u0645\u0627\u0646 \u0628\u0623\u0646 \u0645\u062f\u062e\u0644\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u062a\u0646\u062a\u062c \u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0628\u0634\u0643\u0644 \u062d\u062a\u0645\u064a. \u0628\u0645\u0639\u0646\u0649 \u0622\u062e\u0631\u060c \u0625\u0630\u0627 \u0623\u062e\u0630\u062a \u0646\u0641\u0633 \u0627\u0644\u0643\u0648\u062f \u0627\u0644\u0645\u0635\u062f\u0631\u064a\u060c \u0648\u0646\u0641\u0633 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a\u060c \u0648\u0646\u0641\u0633 \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u0623\u062f\u0648\u0627\u062a\u060c \u0648\u0646\u0641\u0633 \u062a\u0639\u0644\u064a\u0645\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621\u060c \u064a\u062c\u0628 \u0623\u0646 \u062a\u062d\u0635\u0644 \u0639\u0644\u0649 \u0645\u0646\u062a\u062c \u0645\u0637\u0627\u0628\u0642 \u0628\u062a-\u0644\u0643\u0644-\u0628\u062a \u0641\u064a \u0643\u0644 \u0645\u0631\u0629\u060c \u0628\u063a\u0636 \u0627\u0644\u0646\u0638\u0631 \u0639\u0646 \u0645\u062a\u0649 \u0623\u0648 \u0623\u064a\u0646 \u062a\u0642\u0648\u0645 \u0628\u062a\u0634\u063a\u064a\u0644 \u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u0628\u0646\u0627\u0621.<\/p>\n
\u0639\u0646\u062f\u0645\u0627 \u0644\u0627 \u062a\u0643\u0648\u0646 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631\u060c \u062a\u0641\u0642\u062f \u0627\u0644\u0642\u062f\u0631\u0629 \u0639\u0644\u0649 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646\u0647\u0627. \u0625\u0630\u0627 \u0623\u0646\u062a\u062c\u062a \u0639\u0645\u0644\u064a\u062a\u0627 \u0628\u0646\u0627\u0621 \u0645\u0646 \u0646\u0641\u0633 \u0627\u0644\u0645\u0635\u062f\u0631 \u0645\u0644\u0641\u0627\u062a \u062b\u0646\u0627\u0626\u064a\u0629 \u0645\u062e\u062a\u0644\u0641\u0629\u060c \u0643\u064a\u0641 \u062a\u0639\u0631\u0641 \u0623\u064a\u0647\u0645\u0627 \u0635\u062d\u064a\u062d\u061f \u0643\u064a\u0641 \u062a\u0643\u062a\u0634\u0641 \u0645\u0627 \u0625\u0630\u0627 \u0643\u0627\u0646 \u0645\u0647\u0627\u062c\u0645 \u0642\u062f \u062d\u0642\u0646 \u0643\u0648\u062f\u064b\u0627 \u0623\u062b\u0646\u0627\u0621 \u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u0628\u0646\u0627\u0621\u061f \u0628\u0628\u0633\u0627\u0637\u0629\u060c \u0644\u0627 \u062a\u0633\u062a\u0637\u064a\u0639. \u0639\u062f\u0645 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u064a\u062e\u0644\u0642 \u0636\u0628\u0627\u0628\u064a\u0629 \u064a\u0633\u062a\u063a\u0644\u0647\u0627 \u0627\u0644\u0645\u0647\u0627\u062c\u0645\u0648\u0646.<\/p>\n
\u062e\u0630 \u0628\u0639\u064a\u0646 \u0627\u0644\u0627\u0639\u062a\u0628\u0627\u0631 \u0645\u0634\u0643\u0644\u0629 \u0627\u0644\u062a\u062d\u0642\u0642: \u064a\u0631\u064a\u062f \u0645\u062f\u0642\u0642 \u062a\u0623\u0643\u064a\u062f \u0623\u0646 \u0645\u0644\u0641\u064b\u0627 \u062b\u0646\u0627\u0626\u064a\u064b\u0627 \u0645\u064f\u0635\u062f\u0631\u064b\u0627 \u064a\u062a\u0648\u0627\u0641\u0642 \u0645\u0639 \u0643\u0648\u062f\u0647 \u0627\u0644\u0645\u0635\u062f\u0631\u064a \u0627\u0644\u0645\u0646\u0634\u0648\u0631. \u064a\u0642\u0648\u0645 \u0628\u0633\u062d\u0628 \u0627\u0644\u0625\u064a\u062f\u0627\u0639 (commit) \u0627\u0644\u0645\u0648\u0633\u0648\u0645\u060c \u0648\u064a\u0634\u063a\u0644 \u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u0628\u0646\u0627\u0621\u060c \u0648\u064a\u0642\u0627\u0631\u0646. \u0625\u0630\u0627 \u0644\u0645 \u064a\u0643\u0646 \u0627\u0644\u0628\u0646\u0627\u0621 \u0642\u0627\u0628\u0644\u0627\u064b \u0644\u0644\u062a\u0643\u0631\u0627\u0631\u060c \u0633\u062a\u062e\u062a\u0644\u0641 \u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u2014 \u0648\u0644\u0646 \u064a\u0643\u0648\u0646 \u0644\u062f\u0649 \u0627\u0644\u0645\u062f\u0642\u0642 \u0637\u0631\u064a\u0642\u0629 \u0644\u0644\u062a\u0645\u064a\u064a\u0632 \u0628\u064a\u0646 \u0627\u062e\u062a\u0644\u0627\u0641 \u0645\u0634\u0631\u0648\u0639 (\u0646\u0627\u062a\u062c \u0639\u0646 \u0637\u0627\u0628\u0639 \u0632\u0645\u0646\u064a \u0623\u0648 \u062a\u0631\u062a\u064a\u0628 \u0639\u0634\u0648\u0627\u0626\u064a) \u0648\u0628\u064a\u0646 \u062a\u0639\u062f\u064a\u0644 \u062e\u0628\u064a\u062b.<\/p>\n
\u064a\u0639\u0627\u0644\u062c \u0625\u0637\u0627\u0631 \u0639\u0645\u0644 SLSA<\/a> (Supply-chain Levels for Software Artifacts) \u0633\u0644\u0627\u0645\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0645\u0628\u0627\u0634\u0631\u0629 \u0645\u0646 \u062e\u0644\u0627\u0644 \u0645\u0633\u062a\u0648\u064a\u0627\u062a \u0645\u0633\u0627\u0631 \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0647:<\/p>\n \u062a\u0643\u0645\u0644 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0625\u0637\u0627\u0631 SLSA \u0645\u0646 \u062e\u0644\u0627\u0644 \u062a\u0648\u0641\u064a\u0631 \u0622\u0644\u064a\u0629 \u062a\u062d\u0642\u0642 \u0645\u0633\u062a\u0642\u0644\u0629. \u062d\u062a\u0649 \u0644\u0648 \u0643\u0646\u062a \u062a\u062b\u0642 \u0628\u062e\u062f\u0645\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 (L2\/L3)\u060c \u0641\u0625\u0646 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u062a\u062a\u064a\u062d \u0644\u0623\u064a \u0634\u062e\u0635 \u0625\u0639\u0627\u062f\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0645\u0646 \u0627\u0644\u0645\u0635\u062f\u0631 \u0648\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u062a\u0637\u0627\u0628\u0642 \u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a.<\/p>\n SolarWinds (2020):<\/strong> \u0627\u062e\u062a\u0631\u0642 \u0627\u0644\u0645\u0647\u0627\u062c\u0645\u0648\u0646 \u0646\u0638\u0627\u0645 \u0628\u0646\u0627\u0621 SolarWinds \u0648\u062d\u0642\u0646\u0648\u0627 \u0628\u0627\u0628\u064b\u0627 \u062e\u0644\u0641\u064a\u064b\u0627 (backdoor) \u0641\u064a \u062a\u062d\u062f\u064a\u062b \u0645\u0646\u0635\u0629 Orion. \u062a\u0645\u062a \u0625\u0636\u0627\u0641\u0629 \u0627\u0644\u0643\u0648\u062f \u0627\u0644\u062e\u0628\u064a\u062b \u0623\u062b\u0646\u0627\u0621 \u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u0628\u0646\u0627\u0621\u060c \u0644\u0630\u0627 \u0628\u062f\u0627 \u0645\u0633\u062a\u0648\u062f\u0639 \u0627\u0644\u0643\u0648\u062f \u0627\u0644\u0645\u0635\u062f\u0631\u064a \u0646\u0638\u064a\u0641\u064b\u0627. \u0643\u0627\u0646 \u0646\u0638\u0627\u0645 \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0633\u064a\u062c\u0639\u0644 \u0647\u0630\u0627 \u0642\u0627\u0628\u0644\u0627\u064b \u0644\u0644\u0627\u0643\u062a\u0634\u0627\u0641 \u2014 \u0625\u0639\u0627\u062f\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0645\u0646 \u0627\u0644\u0645\u0635\u062f\u0631 \u0627\u0644\u0645\u0646\u0634\u0648\u0631 \u0643\u0627\u0646\u062a \u0633\u062a\u0646\u062a\u062c \u0645\u0646\u062a\u062c\u064b\u0627 \u0645\u062e\u062a\u0644\u0641\u064b\u0627 \u0639\u0646 \u0627\u0644\u0630\u064a \u0648\u064f\u0632\u0639 \u0639\u0644\u0649 \u0627\u0644\u0639\u0645\u0644\u0627\u0621.<\/p>\n XZ Utils (2024):<\/strong> \u0627\u0633\u062a\u0647\u062f\u0641 \u0647\u062c\u0648\u0645 \u0645\u062a\u0637\u0648\u0631 \u0639\u0644\u0649 \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f \u0645\u0643\u062a\u0628\u0629 \u0627\u0644\u0636\u063a\u0637 xz. \u0642\u0627\u0645 \u0645\u0634\u0631\u0641 \u062e\u0628\u064a\u062b \u0628\u0625\u062f\u062e\u0627\u0644 \u0643\u0648\u062f \u0628\u0627\u0628 \u062e\u0644\u0641\u064a \u0645\u064f\u0639\u062a\u064e\u0651\u0645 \u0645\u0646 \u062e\u0644\u0627\u0644 \u0627\u0644\u0628\u0646\u064a\u0629 \u0627\u0644\u062a\u062d\u062a\u064a\u0629 \u0644\u0644\u0627\u062e\u062a\u0628\u0627\u0631 \u0641\u064a \u0646\u0638\u0627\u0645 \u0627\u0644\u0628\u0646\u0627\u0621. \u0635\u064f\u0645\u0645 \u0627\u0644\u0643\u0648\u062f \u0627\u0644\u0645\u062d\u0642\u0648\u0646 \u0644\u0627\u062e\u062a\u0631\u0627\u0642 \u0645\u0635\u0627\u062f\u0642\u0629 SSH \u0639\u0644\u0649 \u0623\u0646\u0638\u0645\u0629 Linux \u0627\u0644\u0645\u062a\u0623\u062b\u0631\u0629. \u0627\u0633\u062a\u063a\u0644 \u0627\u0644\u0647\u062c\u0648\u0645 \u062a\u0639\u0642\u064a\u062f \u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u0628\u0646\u0627\u0621\u060c \u062d\u064a\u062b \u062d\u0642\u0646 \u062d\u0645\u0648\u0644\u0629 \u062e\u0628\u064a\u062b\u0629 \u0645\u0646 \u062e\u0644\u0627\u0644 \u0645\u0644\u0641\u0627\u062a \u0627\u062e\u062a\u0628\u0627\u0631 \u062b\u0646\u0627\u0626\u064a\u0629 \u062a\u062a\u0645 \u0645\u0639\u0627\u0644\u062c\u062a\u0647\u0627 \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u0628\u0646\u0627\u0621. \u0643\u0627\u0646\u062a \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0648\u0627\u0644\u0645\u0631\u0627\u062c\u0639\u0629 \u0627\u0644\u062f\u0642\u064a\u0642\u0629 \u0644\u0633\u0644\u0648\u0643 \u0648\u0642\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0633\u062a\u062b\u064a\u0631 \u0625\u0634\u0627\u0631\u0627\u062a \u062a\u062d\u0630\u064a\u0631\u064a\u0629 \u0641\u064a \u0648\u0642\u062a \u0623\u0628\u0643\u0631 \u0628\u0643\u062b\u064a\u0631.<\/p>\n \u0641\u0647\u0645 \u0633\u0628\u0628 \u0627\u062e\u062a\u0644\u0627\u0641 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0628\u064a\u0646 \u0627\u0644\u062a\u0634\u063a\u064a\u0644\u0627\u062a \u0647\u0648 \u0627\u0644\u062e\u0637\u0648\u0629 \u0627\u0644\u0623\u0648\u0644\u0649 \u0646\u062d\u0648 \u0625\u0635\u0644\u0627\u062d\u0647\u0627. \u0641\u064a\u0645\u0627 \u064a\u0644\u064a \u0623\u0643\u062b\u0631 \u0645\u0635\u0627\u062f\u0631 \u0639\u062f\u0645 \u0627\u0644\u062d\u062a\u0645\u064a\u0629 \u0634\u064a\u0648\u0639\u064b\u0627 \u0641\u064a \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621:<\/p>\n \u062a\u0642\u0648\u0645 \u0627\u0644\u0639\u062f\u064a\u062f \u0645\u0646 \u0623\u062f\u0648\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0628\u062a\u0636\u0645\u064a\u0646 \u0627\u0644\u062a\u0627\u0631\u064a\u062e \u0648\u0627\u0644\u0648\u0642\u062a \u0627\u0644\u062d\u0627\u0644\u064a \u0641\u064a \u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0625\u062e\u0631\u0627\u062c. \u062a\u062d\u062a\u0648\u064a \u0645\u0644\u0641\u0627\u062a Java JAR \u0639\u0644\u0649 \u0637\u0648\u0627\u0628\u0639 \u0632\u0645\u0646\u064a\u0629 \u0641\u064a \u0625\u062f\u062e\u0627\u0644\u0627\u062a ZIP \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0647\u0627. \u0642\u062f \u064a\u0633\u062c\u0644 \u0645\u062a\u0631\u062c\u0645\u0648 C\/C++ \u0648\u062d\u062f\u0627\u062a \u0627\u0644\u0645\u0627\u0643\u0631\u0648 \u0644\u0627 \u062a\u0636\u0645\u0646 \u062a\u0646\u0633\u064a\u0642\u0627\u062a \u0627\u0644\u0623\u0631\u0634\u064a\u0641 \u0645\u062b\u0644 tar \u0648 zip \u062a\u0631\u062a\u064a\u0628\u064b\u0627 \u062b\u0627\u0628\u062a\u064b\u0627 \u0644\u0644\u0645\u0644\u0641\u0627\u062a. \u0642\u062f \u064a\u0639\u062a\u0645\u062f \u0627\u0644\u062a\u0631\u062a\u064a\u0628 \u0627\u0644\u0630\u064a \u062a\u064f\u0636\u0627\u0641 \u0628\u0647 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0625\u0644\u0649 \u0627\u0644\u0623\u0631\u0634\u064a\u0641 \u0639\u0644\u0649 \u062a\u0631\u062a\u064a\u0628 \u0642\u0627\u0626\u0645\u0629 \u0627\u0644\u062f\u0644\u064a\u0644 \u0641\u064a \u0646\u0638\u0627\u0645 \u0627\u0644\u0645\u0644\u0641\u0627\u062a\u060c \u0648\u0627\u0644\u0630\u064a \u064a\u0645\u0643\u0646 \u0623\u0646 \u064a\u062e\u062a\u0644\u0641 \u0628\u064a\u0646 \u0627\u0644\u0623\u062c\u0647\u0632\u0629 \u0623\u0648 \u062d\u062a\u0649 \u0628\u064a\u0646 \u0627\u0644\u062a\u0634\u063a\u064a\u0644\u0627\u062a \u0639\u0644\u0649 \u0646\u0641\u0633 \u0627\u0644\u062c\u0647\u0627\u0632. \u064a\u0646\u062a\u062c \u0639\u0646 \u0647\u0630\u0627 \u0623\u0631\u0634\u064a\u0641\u0627\u062a \u0645\u062e\u062a\u0644\u0641\u0629 \u0628\u0645\u062d\u062a\u0648\u064a\u0627\u062a \u0645\u062a\u0637\u0627\u0628\u0642\u0629.<\/p>\n \u0625\u0630\u0627 \u062d\u062f\u062f \u062a\u0643\u0648\u064a\u0646 \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u062e\u0627\u0635 \u0628\u0643 \u064a\u0645\u0643\u0646 \u0623\u0646 \u062a\u0624\u062b\u0631 \u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0646\u0638\u0627\u0645 \u0627\u0644\u062a\u0634\u063a\u064a\u0644 \u0627\u0644\u0645\u062e\u062a\u0644\u0641\u0629\u060c \u0648\u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0627\u0644\u0645\u062a\u0631\u062c\u0645\u060c \u0648\u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0645\u0643\u062a\u0628\u0627\u062a \u0627\u0644\u0646\u0638\u0627\u0645\u060c \u0648\u0625\u0639\u062f\u0627\u062f\u0627\u062a \u0627\u0644\u0644\u063a\u0629 \u0627\u0644\u0645\u062d\u0644\u064a\u0629\u060c \u0648\u062a\u0643\u0648\u064a\u0646\u0627\u062a \u0627\u0644\u0645\u0646\u0637\u0642\u0629 \u0627\u0644\u0632\u0645\u0646\u064a\u0629\u060c \u0648\u062d\u062a\u0649 \u0639\u062f\u062f \u0623\u0646\u0648\u064a\u0629 \u0627\u0644\u0645\u0639\u0627\u0644\u062c \u0639\u0644\u0649 \u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621. \u0642\u062f \u064a\u062e\u062a\u0644\u0641 \u0627\u0644\u0628\u0646\u0627\u0621 \u0639\u0644\u0649 Ubuntu 22.04 \u0639\u0646\u0647 \u0639\u0644\u0649 Ubuntu 24.04\u060c \u062d\u062a\u0649 \u0645\u0639 \u0646\u0641\u0633 \u0627\u0644\u0645\u0635\u062f\u0631 \u0648\u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a.<\/p>\n \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u062a\u064a \u062a\u0642\u0648\u0645 \u0628\u062a\u0646\u0632\u064a\u0644 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0641\u064a \u0648\u0642\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0647\u064a \u0628\u0637\u0628\u064a\u0639\u062a\u0647\u0627 \u063a\u064a\u0631 \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631. \u0642\u062f \u064a\u0642\u062f\u0645 \u0633\u062c\u0644 \u0627\u0644\u062d\u0632\u0645 \u0625\u0635\u062f\u0627\u0631\u064b\u0627 \u0645\u062e\u062a\u0644\u0641\u064b\u0627\u060c \u0648\u0642\u062f \u062a\u0639\u064a\u062f \u0634\u0628\u0643\u0629 \u062a\u0648\u0635\u064a\u0644 \u0627\u0644\u0645\u062d\u062a\u0648\u0649 (CDN) \u0645\u062d\u062a\u0648\u0649 \u0645\u062e\u0632\u0646\u064b\u0627 \u0645\u0624\u0642\u062a\u064b\u0627 \u0623\u0648 \u0645\u062d\u062f\u062b\u064b\u0627\u060c \u0623\u0648 \u0642\u062f \u062a\u0643\u0648\u0646 \u0627\u0644\u0634\u0628\u0643\u0629 \u063a\u064a\u0631 \u0645\u062a\u0648\u0641\u0631\u0629 \u062a\u0645\u0627\u0645\u064b\u0627. \u0623\u064a \u0628\u0646\u0627\u0621 \u064a\u062a\u0637\u0644\u0628 \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0627\u0644\u0634\u0628\u0643\u0629 \u064a\u0643\u0648\u0646 \u062a\u062d\u062a \u0631\u062d\u0645\u0629 \u0627\u0644\u0623\u0646\u0638\u0645\u0629 \u0627\u0644\u062e\u0627\u0631\u062c\u064a\u0629.<\/p>\n \u062a\u0642\u0648\u0645 \u0628\u0639\u0636 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0628\u062a\u0636\u0645\u064a\u0646 \u0645\u0639\u0631\u0641\u0627\u062a UUID \u0639\u0634\u0648\u0627\u0626\u064a\u0629\u060c \u0623\u0648 \u062a\u0633\u062a\u062e\u062f\u0645 \u062a\u0631\u062a\u064a\u0628 \u062a\u0643\u0631\u0627\u0631 \u063a\u064a\u0631 \u062d\u062a\u0645\u064a \u0644\u062c\u062f\u0627\u0648\u0644 \u0627\u0644\u062a\u062c\u0632\u0626\u0629 (hash maps)\u060c \u0623\u0648 \u062a\u062a\u0636\u0645\u0646 \u0639\u0646\u0627\u0648\u064a\u0646 \u0630\u0627\u0643\u0631\u0629 \u0641\u064a \u0645\u062e\u0631\u062c\u0627\u062a\u0647\u0627. \u064a\u0645\u0643\u0646 \u0623\u0646 \u062a\u064f\u062f\u062e\u0644 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u062a\u0646\u0645\u064a\u0637 \u0648\u062a\u063a\u0637\u064a\u0629 \u0627\u0644\u0643\u0648\u062f \u0648\u0631\u0645\u0648\u0632 \u0627\u0644\u062a\u0635\u062d\u064a\u062d \u062c\u0645\u064a\u0639\u0647\u0627 \u0639\u0634\u0648\u0627\u0626\u064a\u0629 \u0641\u064a \u0645\u0646\u062a\u062c\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621.<\/p>\n \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0645\u062d\u0643\u0645 (hermetic build) \u0647\u0648 \u0628\u0646\u0627\u0621 \u0645\u0643\u062a\u0641\u064d \u0630\u0627\u062a\u064a\u064b\u0627 \u0628\u0627\u0644\u0643\u0627\u0645\u0644: \u0644\u0627 \u064a\u0648\u062c\u062f \u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0627\u0644\u0634\u0628\u0643\u0629\u060c \u0648\u062c\u0645\u064a\u0639 \u0627\u0644\u0645\u062f\u062e\u0644\u0627\u062a \u0645\u0639\u0644\u0646\u0629 \u0635\u0631\u0627\u062d\u0629\u060c \u0648\u0628\u064a\u0626\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0645\u062d\u062f\u062f\u0629 \u0628\u0627\u0644\u0643\u0627\u0645\u0644. \u062a\u0639\u062a\u0628\u0631 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0645\u062d\u0643\u0645\u0629 \u0627\u0644\u0645\u0639\u064a\u0627\u0631 \u0627\u0644\u0630\u0647\u0628\u064a \u0644\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0644\u0623\u0646\u0647\u0627 \u062a\u0642\u0636\u064a \u0639\u0644\u0649 \u0641\u0626\u0627\u062a \u0643\u0627\u0645\u0644\u0629 \u0645\u0646 \u0639\u062f\u0645 \u0627\u0644\u062d\u062a\u0645\u064a\u0629 \u0628\u0627\u0644\u062a\u0635\u0645\u064a\u0645.<\/p>\n \u0641\u064a \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0645\u062d\u0643\u0645:<\/p>\n \u0635\u064f\u0645\u0645 Bazel \u0645\u0646 \u0627\u0644\u0623\u0644\u0641 \u0625\u0644\u0649 \u0627\u0644\u064a\u0627\u0621 \u0644\u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0645\u062d\u0643\u0645\u0629 \u0648\u0627\u0644\u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631. \u064a\u0639\u0632\u0644 \u0643\u0644 \u0625\u062c\u0631\u0627\u0621 \u0628\u0646\u0627\u0621 \u0641\u064a \u0635\u0646\u062f\u0648\u0642 \u0631\u0645\u0644\u060c \u0648\u064a\u0639\u0644\u0646 \u062c\u0645\u064a\u0639 \u0627\u0644\u0645\u062f\u062e\u0644\u0627\u062a \u0648\u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u0635\u0631\u0627\u062d\u0629\u060c \u0648\u064a\u062e\u0632\u0646 \u0627\u0644\u0646\u062a\u0627\u0626\u062c \u0645\u0624\u0642\u062a\u064b\u0627 \u0628\u0646\u0627\u0621\u064b \u0639\u0644\u0649 \u062a\u062c\u0632\u0626\u0629 \u0627\u0644\u0645\u062f\u062e\u0644\u0627\u062a (input hashes) \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0627\u0644\u0637\u0648\u0627\u0628\u0639 \u0627\u0644\u0632\u0645\u0646\u064a\u0629. \u062a\u062d\u0627\u0641\u0638 \u0645\u064a\u0632\u0627\u062a \u0627\u0644\u062a\u062e\u0632\u064a\u0646 \u0627\u0644\u0645\u0624\u0642\u062a \u0639\u0646 \u0628\u064f\u0639\u062f \u0648\u0627\u0644\u062a\u0646\u0641\u064a\u0630 \u0639\u0646 \u0628\u064f\u0639\u062f \u0641\u064a Bazel \u0639\u0644\u0649 \u0627\u0644\u0625\u062d\u0643\u0627\u0645 \u062d\u062a\u0649 \u0641\u064a \u0628\u064a\u0626\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0645\u0648\u0632\u0639\u0629.<\/p>\n \u064a\u0645\u0643\u0646 \u0623\u0646 \u062a\u0642\u062a\u0631\u0628 Docker multi-stage builds \u0645\u0646 \u0627\u0644\u0625\u062d\u0643\u0627\u0645 \u0639\u0646\u062f \u062f\u0645\u062c\u0647\u0627 \u0645\u0639 \u0635\u0648\u0631 \u0623\u0633\u0627\u0633\u064a\u0629 \u0645\u062b\u0628\u062a\u0629 \u0648\u062a\u0628\u0639\u064a\u0627\u062a \u0645\u064f\u062c\u0644\u0628\u0629 \u0645\u0633\u0628\u0642\u064b\u0627:<\/p>\n \u0644\u0627\u062d\u0638 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0642\u0641\u0644 \u0647\u064a \u0627\u0644\u0623\u062f\u0627\u0629 \u0627\u0644\u0623\u0643\u062b\u0631 \u0633\u0647\u0648\u0644\u0629 \u0644\u062a\u062d\u0633\u064a\u0646 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631. \u062a\u0633\u062c\u0644 \u0627\u0644\u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0627\u0644\u062f\u0642\u064a\u0642\u0629 \u0627\u0644\u0645\u062d\u0644\u0648\u0644\u0629 \u0644\u062c\u0645\u064a\u0639 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a\u060c \u0628\u0645\u0627 \u0641\u064a \u0630\u0644\u0643 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0627\u0644\u0645\u062a\u0639\u062f\u064a\u0629:<\/p>\n \u064a\u062c\u0628 \u062f\u0627\u0626\u0645\u064b\u0627 \u0625\u064a\u062f\u0627\u0639 \u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0642\u0641\u0644 \u0641\u064a \u0646\u0638\u0627\u0645 \u0627\u0644\u062a\u062d\u0643\u0645 \u0628\u0627\u0644\u0625\u0635\u062f\u0627\u0631\u0627\u062a. \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0630\u064a \u064a\u062a\u062c\u0627\u0647\u0644 \u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0642\u0641\u0644 \u0647\u0648 \u0628\u0646\u0627\u0621 \u0644\u0627 \u064a\u0645\u0643\u0646\u0643 \u062a\u0643\u0631\u0627\u0631\u0647.<\/p>\n \u064a\u0630\u0647\u0628 \u062a\u0636\u0645\u064a\u0646 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0623\u0628\u0639\u062f \u0645\u0646 \u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0642\u0641\u0644 \u0639\u0646 \u0637\u0631\u064a\u0642 \u062a\u062e\u0632\u064a\u0646 \u0627\u0644\u0643\u0648\u062f \u0627\u0644\u0645\u0635\u062f\u0631\u064a \u0627\u0644\u0641\u0639\u0644\u064a \u0644\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0641\u064a \u0645\u0633\u062a\u0648\u062f\u0639\u0643. \u0647\u0630\u0627 \u064a\u0632\u064a\u0644 \u0623\u064a \u0627\u0639\u062a\u0645\u0627\u062f \u0639\u0644\u0649 \u0627\u0644\u0633\u062c\u0644\u0627\u062a \u0627\u0644\u062e\u0627\u0631\u062c\u064a\u0629 \u0641\u064a \u0648\u0642\u062a \u0627\u0644\u0628\u0646\u0627\u0621:<\/p>\n \u064a\u0642\u0627\u064a\u0636 \u0627\u0644\u062a\u0636\u0645\u064a\u0646 \u062d\u062c\u0645 \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639 \u0645\u0642\u0627\u0628\u0644 \u0627\u0644\u0645\u0648\u062b\u0648\u0642\u064a\u0629 \u0648\u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631. \u0648\u0647\u0648 \u0630\u0648 \u0642\u064a\u0645\u0629 \u062e\u0627\u0635\u0629 \u0644\u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u062a\u064a \u064a\u062c\u0628 \u0623\u0646 \u062a\u0639\u0645\u0644 \u0641\u064a \u0628\u064a\u0626\u0627\u062a \u0645\u0639\u0632\u0648\u0644\u0629 \u0639\u0646 \u0627\u0644\u0634\u0628\u0643\u0629 (air-gapped) \u0623\u0648 \u0644\u0644\u0645\u0634\u0627\u0631\u064a\u0639 \u0627\u0644\u062a\u064a \u062a\u0647\u0645 \u0641\u064a\u0647\u0627 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0637\u0648\u064a\u0644\u0629 \u0627\u0644\u0645\u062f\u0649.<\/p>\n \u0627\u0644\u0625\u062d\u0643\u0627\u0645 \u0627\u0644\u0643\u0627\u0645\u0644 \u064a\u0623\u062a\u064a \u0628\u062a\u0643\u0644\u0641\u0629. Bazel \u0644\u062f\u064a\u0647 \u0645\u0646\u062d\u0646\u0649 \u062a\u0639\u0644\u0645 \u062d\u0627\u062f. \u0627\u0644\u062a\u0636\u0645\u064a\u0646 \u064a\u0632\u064a\u062f \u0645\u0646 \u062d\u062c\u0645 \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639. \u0627\u0644\u062c\u0644\u0628 \u0627\u0644\u0645\u0633\u0628\u0642 \u0644\u0643\u0644 \u062a\u0628\u0639\u064a\u0629 \u064a\u062a\u0637\u0644\u0628 \u0628\u0646\u064a\u0629 \u062a\u062d\u062a\u064a\u0629. \u0627\u0644\u0645\u0641\u062a\u0627\u062d \u0647\u0648 \u062a\u0628\u0646\u064a \u0627\u0644\u0625\u062d\u0643\u0627\u0645 \u062a\u062f\u0631\u064a\u062c\u064a\u064b\u0627: \u0627\u0628\u062f\u0623 \u0628\u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0642\u0641\u0644 \u0648\u0627\u0644\u0635\u0648\u0631 \u0627\u0644\u0645\u062b\u0628\u062a\u0629\u060c \u062b\u0645 \u0623\u0636\u0641 \u0627\u0644\u062a\u0636\u0645\u064a\u0646 \u0648\u0627\u0644\u0639\u0632\u0644 \u062d\u0633\u0628 \u0645\u0627 \u062a\u062a\u0637\u0644\u0628\u0647 \u0627\u062d\u062a\u064a\u0627\u062c\u0627\u062a\u0643 \u0627\u0644\u0623\u0645\u0646\u064a\u0629.<\/p>\n \u0627\u0644\u062a\u062b\u0628\u064a\u062a (pinning) \u0647\u0648 \u0645\u0645\u0627\u0631\u0633\u0629 \u062a\u062d\u062f\u064a\u062f \u0625\u0635\u062f\u0627\u0631\u0627\u062a \u062f\u0642\u064a\u0642\u0629 \u0648\u063a\u064a\u0631 \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u063a\u064a\u064a\u0631 \u0644\u0643\u0644 \u0645\u0643\u0648\u0646 \u0641\u064a \u0628\u0646\u0627\u0626\u0643. \u0627\u0644\u0648\u0633\u0648\u0645 (tags) \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u063a\u064a\u064a\u0631 \u2014 \u064a\u0645\u0643\u0646 \u0646\u0642\u0644\u0647\u0627 \u0644\u0644\u0625\u0634\u0627\u0631\u0629 \u0625\u0644\u0649 \u0645\u062d\u062a\u0648\u0649 \u0645\u062e\u062a\u0644\u0641. \u0627\u0644\u0628\u0635\u0645\u0627\u062a (digests) \u0648\u0645\u0639\u0631\u0641\u0627\u062a SHA \u0644\u0644\u0625\u064a\u062f\u0627\u0639\u0627\u062a \u063a\u064a\u0631 \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u063a\u064a\u064a\u0631. \u062b\u0628\u0651\u062a \u062f\u0627\u0626\u0645\u064b\u0627 \u0639\u0644\u0649 \u0645\u0631\u0627\u062c\u0639 \u063a\u064a\u0631 \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u063a\u064a\u064a\u0631.<\/p>\n \u0648\u0633\u0648\u0645 \u0635\u0648\u0631 Docker \u0645\u062b\u0644 \u064a\u0645\u0643\u0646\u0643 \u0625\u064a\u062c\u0627\u062f \u0627\u0644\u0628\u0635\u0645\u0629 \u0627\u0644\u062d\u0627\u0644\u064a\u0629 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645:<\/p>\n \u0648\u0633\u0648\u0645 GitHub Actions \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u063a\u064a\u064a\u0631. \u064a\u0645\u0643\u0646 \u0644\u0625\u062c\u0631\u0627\u0621 \u0645\u062e\u062a\u0631\u0642 \u062f\u0641\u0639 \u0643\u0648\u062f \u062e\u0628\u064a\u062b \u0625\u0644\u0649 \u0648\u0633\u0645 \u0645\u0648\u062c\u0648\u062f. \u062b\u0628\u0651\u062a \u062f\u0627\u0626\u0645\u064b\u0627 \u0639\u0644\u0649 \u0645\u0639\u0631\u0641 SHA \u0627\u0644\u0643\u0627\u0645\u0644 \u0644\u0644\u0625\u064a\u062f\u0627\u0639:<\/p>\n \u0627\u0633\u062a\u062e\u062f\u0645 \u0623\u062f\u0648\u0627\u062a \u0645\u062b\u0644 ratchet<\/a> \u0623\u0648 pinact<\/a> \u0644\u0623\u062a\u0645\u062a\u0629 \u062a\u062b\u0628\u064a\u062a SHA \u0639\u0628\u0631 \u0645\u0644\u0641\u0627\u062a \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643 \u0648\u0627\u0644\u0627\u062d\u062a\u0641\u0627\u0638 \u0628\u062a\u0639\u0644\u064a\u0642\u0627\u062a \u0645\u0639 \u0648\u0633\u0645 \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0644\u0633\u0647\u0648\u0644\u0629 \u0627\u0644\u0642\u0631\u0627\u0621\u0629.<\/p>\n \u0633\u0644\u0633\u0644\u0629 \u0623\u062f\u0648\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u2014 \u0627\u0644\u0645\u062a\u0631\u062c\u0645\u060c \u0628\u064a\u0626\u0629 \u0627\u0644\u062a\u0634\u063a\u064a\u0644\u060c \u0645\u062f\u064a\u0631 \u0627\u0644\u062d\u0632\u0645 \u2014 \u064a\u062c\u0628 \u0623\u0646 \u062a\u0643\u0648\u0646 \u0645\u062b\u0628\u062a\u0629 \u0627\u0644\u0625\u0635\u062f\u0627\u0631. \u0627\u0633\u062a\u062e\u062f\u0645 \u0645\u0644\u0641\u0627\u062a \u062a\u0643\u0648\u064a\u0646 \u0645\u062f\u064a\u0631 \u0627\u0644\u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0644\u0625\u0639\u0644\u0627\u0646 \u0627\u0644\u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0627\u0644\u062f\u0642\u064a\u0642\u0629:<\/p>\n \u064a\u0648\u0641\u0631 Nix \u0627\u0644\u0646\u0647\u062c \u0627\u0644\u0623\u0643\u062b\u0631 \u0635\u0631\u0627\u0645\u0629 \u0644\u062a\u0643\u0631\u0627\u0631 \u0627\u0644\u0628\u064a\u0626\u0629. \u064a\u0639\u0644\u0646 Nix flake \u0639\u0646 \u0628\u064a\u0626\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0643\u0627\u0645\u0644\u0629 \u0643\u062f\u0627\u0644\u0629 \u0644\u0645\u062f\u062e\u0644\u0627\u062a\u0647\u0627:<\/p>\n \u0645\u0639 Nix\u060c \u064a\u062d\u0635\u0644 \u0643\u0644 \u0645\u0637\u0648\u0631 \u0648\u0643\u0644 \u0645\u0634\u063a\u0644 CI \u0639\u0644\u0649 \u0646\u0641\u0633 \u0627\u0644\u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0627\u0644\u062f\u0642\u064a\u0642\u0629 \u0644\u0643\u0644 \u0623\u062f\u0627\u0629\u060c \u062d\u062a\u0649 \u0645\u0643\u062a\u0628\u0627\u062a \u0627\u0644\u0646\u0638\u0627\u0645. \u064a\u062b\u0628\u062a \u0645\u0644\u0641 \u062a\u062d\u0642\u064a\u0642 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0644\u064a\u0633 \u0633\u0648\u0649 \u0646\u0635\u0641 \u0627\u0644\u0645\u0639\u0631\u0643\u0629. \u062a\u062d\u062a\u0627\u062c \u0623\u064a\u0636\u064b\u0627 \u0625\u0644\u0649 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646\u0647\u0627 \u2014 \u0644\u062a\u0623\u0643\u064a\u062f \u0623\u0646 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0645\u0633\u062a\u0642\u0644\u0629 \u0645\u0646 \u0646\u0641\u0633 \u0627\u0644\u0645\u0635\u062f\u0631 \u062a\u0646\u062a\u062c \u0628\u0627\u0644\u0641\u0639\u0644 \u0645\u0646\u062a\u062c\u0627\u062a \u0645\u062a\u0637\u0627\u0628\u0642\u0629.<\/p>\n \u0623\u0628\u0633\u0637 \u0639\u0645\u0644\u064a\u0629 \u062a\u062d\u0642\u0642 \u0647\u064a \u0628\u0646\u0627\u0621 \u0646\u0641\u0633 \u0627\u0644\u0645\u0646\u062a\u062c \u0641\u064a \u0628\u064a\u0626\u062a\u064a\u0646 \u0645\u062e\u062a\u0644\u0641\u062a\u064a\u0646 \u0648\u0645\u0642\u0627\u0631\u0646\u0629 \u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a:<\/p>\n \u0625\u0630\u0627 \u062a\u0637\u0627\u0628\u0642\u062a \u0627\u0644\u062a\u062c\u0632\u0626\u0627\u062a\u060c \u0641\u0625\u0646 \u0627\u0644\u0628\u0646\u0627\u0621 \u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u0643\u0631\u0627\u0631. \u0625\u0630\u0627 \u0644\u0645 \u062a\u062a\u0637\u0627\u0628\u0642\u060c \u0641\u0623\u0646\u062a \u0628\u062d\u0627\u062c\u0629 \u0625\u0644\u0649 \u0627\u0644\u062a\u062d\u0642\u064a\u0642 \u0641\u064a \u0645\u0627 \u064a\u062e\u062a\u0644\u0641.<\/p>\n \u064a\u064f\u0638\u0647\u0631 \u062a\u0642\u0631\u064a\u0631 HTML \u0627\u0644\u0627\u062e\u062a\u0644\u0627\u0641\u0627\u062a \u0639\u0644\u0649 \u0643\u0644 \u0645\u0633\u062a\u0648\u0649: \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0623\u0631\u0634\u064a\u0641 \u0627\u0644\u0648\u0635\u0641\u064a\u0629\u060c \u0645\u062d\u062a\u0648\u064a\u0627\u062a \u0627\u0644\u0645\u0644\u0641\u0627\u062a\u060c \u0623\u0642\u0633\u0627\u0645 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0627\u0644\u062b\u0646\u0627\u0626\u064a\u0629\u060c \u0648\u0627\u0644\u0645\u0648\u0627\u0631\u062f \u0627\u0644\u0645\u0636\u0645\u0646\u0629. \u0647\u0630\u0627 \u0644\u0627 \u064a\u0642\u062f\u0631 \u0628\u062b\u0645\u0646 \u0644\u062a\u062d\u062f\u064a\u062f \u0645\u0635\u0627\u062f\u0631 \u0639\u062f\u0645 \u0627\u0644\u062d\u062a\u0645\u064a\u0629 \u0648\u0627\u0644\u0642\u0636\u0627\u0621 \u0639\u0644\u064a\u0647\u0627 \u0648\u0627\u062d\u062f\u0629 \u062a\u0644\u0648 \u0627\u0644\u0623\u062e\u0631\u0649.<\/p>\n \u062d\u062a\u0649 \u0642\u0628\u0644 \u062a\u062d\u0642\u064a\u0642 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0627\u0644\u0643\u0627\u0645\u0644\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631\u060c \u064a\u0648\u0641\u0631 \u062a\u0633\u062c\u064a\u0644 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0648\u0635\u0641\u064a\u0629 \u0625\u0645\u0643\u0627\u0646\u064a\u0629 \u0627\u0644\u062a\u062a\u0628\u0639. \u0627\u0644\u062a\u0642\u0637 \u0648\u062e\u0632\u0646:<\/p>\n SLSA provenance \u0647\u0648 \u062a\u0646\u0633\u064a\u0642 \u0645\u0648\u062d\u062f \u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0648\u0635\u0641\u064a\u0629. \u064a\u0633\u062c\u0644 \u0645\u0627 \u062a\u0645 \u0628\u0646\u0627\u0624\u0647\u060c \u0648\u0645\u0646 \u0623\u064a \u0645\u0635\u062f\u0631\u060c \u0648\u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0623\u064a \u0639\u0645\u0644\u064a\u0629 \u0628\u0646\u0627\u0621\u060c \u0648\u0641\u064a \u0623\u064a \u0628\u064a\u0626\u0629. \u064a\u0645\u0643\u0646 \u0644\u0623\u062f\u0648\u0627\u062a \u0645\u062b\u0644 slsa-github-generator<\/a> \u062a\u0648\u0644\u064a\u062f provenance \u0645\u0648\u0642\u0639\u0629 \u062a\u0644\u0642\u0627\u0626\u064a\u064b\u0627 \u0644\u0628\u0646\u064a\u0627\u062a GitHub Actions \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643:<\/p>\n \u0628\u0627\u0644\u0646\u0633\u0628\u0629 \u0644\u0635\u0648\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a\u060c \u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0633\u0644\u0627\u0645\u0629 \u0639\u0646 \u0637\u0631\u064a\u0642 \u0641\u062d\u0635 \u0637\u0628\u0642\u0627\u062a \u0627\u0644\u0635\u0648\u0631\u0629 \u0628\u062d\u062b\u064b\u0627 \u0639\u0646 \u0645\u062d\u062a\u0648\u0649 \u063a\u064a\u0631 \u0645\u062a\u0648\u0642\u0639:<\/p>\n \u062a\u064f\u062f\u062e\u0644 \u0645\u0646\u0635\u0627\u062a CI\/CD \u062a\u062d\u062f\u064a\u0627\u062a \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0647\u0627. \u062a\u062a\u063a\u064a\u0631 \u0635\u0648\u0631 \u0627\u0644\u0645\u0634\u063a\u0644\u0627\u062a\u060c \u0648\u062a\u0646\u062a\u0647\u064a \u0635\u0644\u0627\u062d\u064a\u0629 \u0630\u0627\u0643\u0631\u0629 \u0627\u0644\u062a\u062e\u0632\u064a\u0646 \u0627\u0644\u0645\u0624\u0642\u062a\u060c \u0648\u0628\u064a\u0626\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0632\u0627\u0626\u0644\u0629. \u0625\u0644\u064a\u0643 \u0643\u064a\u0641\u064a\u0629 \u062a\u062d\u0642\u064a\u0642 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0639\u0644\u0649 \u0627\u0644\u0645\u0646\u0635\u0627\u062a \u0627\u0644\u0631\u0626\u064a\u0633\u064a\u0629.<\/p>\n \u064a\u062b\u0628\u062a \u0633\u064a\u0631 \u0639\u0645\u0644 GitHub Actions \u0627\u0644\u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0643\u0644 \u0645\u0643\u0648\u0646 \u062e\u0627\u0631\u062c\u064a:<\/p>\n \u0641\u064a GitLab CI\u060c \u0627\u0633\u062a\u062e\u062f\u0645 \u0635\u0648\u0631 Docker \u062b\u0627\u0628\u062a\u0629 \u0644\u0644\u0645\u0634\u063a\u0644\u0627\u062a \u0648\u062b\u0628\u0651\u062a \u062c\u0645\u064a\u0639 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a:<\/p>\n \u064a\u0648\u0641\u0631 Nix \u0623\u0642\u0648\u0649 \u0636\u0645\u0627\u0646\u0627\u062a \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0641\u064a CI \u0645\u0646 \u062e\u0644\u0627\u0644 \u062a\u062d\u062f\u064a\u062f \u0625\u063a\u0644\u0627\u0642 \u0627\u0644\u0628\u0646\u0627\u0621 \u0628\u0627\u0644\u0643\u0627\u0645\u0644 (build closure):<\/p>\n \u0645\u0639 Nix\u060c \u064a\u062b\u0628\u062a \u0645\u0644\u0641 \u064a\u062a\u0637\u0644\u0628 \u0628\u0646\u0627\u0621 \u0635\u0648\u0631 \u062d\u0627\u0648\u064a\u0627\u062a \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0639\u0646\u0627\u064a\u0629 \u062e\u0627\u0635\u0629. \u064a\u0636\u0645\u0646 \u0645\u062a\u063a\u064a\u0631 \u0627\u0644\u0628\u064a\u0626\u0629 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0628\u062a-\u0644\u0643\u0644-\u0628\u062a \u0647\u064a \u0627\u0644\u0645\u062b\u0627\u0644 \u0627\u0644\u0623\u0639\u0644\u0649\u060c \u0644\u0643\u0646\u0647\u0627 \u0644\u064a\u0633\u062a \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u062d\u0642\u064a\u0642 \u062f\u0627\u0626\u0645\u064b\u0627 \u2014 \u0648\u0647\u0630\u0627 \u0645\u0642\u0628\u0648\u0644. \u0627\u0644\u0645\u0647\u0645 \u0647\u0648 \u0641\u0647\u0645 \u0645\u0648\u0642\u0639\u0643 \u0639\u0644\u0649 \u0637\u064a\u0641 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0648\u062a\u0637\u0628\u064a\u0642 \u0636\u0648\u0627\u0628\u0637 \u062a\u0639\u0648\u064a\u0636\u064a\u0629 \u062d\u064a\u062b \u0644\u0632\u0645 \u0627\u0644\u0623\u0645\u0631.<\/p>\n \u0628\u0639\u0636 \u0639\u062f\u0645 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u063a\u064a\u0631 \u0636\u0627\u0631. \u0637\u0627\u0628\u0639 \u0632\u0645\u0646\u064a \u0644\u0644\u0628\u0646\u0627\u0621 \u0641\u064a \u0645\u0644\u0641 \u0628\u064a\u0627\u0646\u0627\u062a \u0648\u0635\u0641\u064a\u0629 \u0644\u0627 \u064a\u064f\u0646\u0641\u064e\u0651\u0630 \u0623\u0628\u062f\u064b\u0627 \u0644\u0627 \u064a\u0624\u062b\u0631 \u0639\u0644\u0649 \u0623\u0645\u0627\u0646 \u0627\u0644\u0645\u0646\u062a\u062c. \u0625\u062f\u062e\u0627\u0644 \u0633\u062c\u0644 \u064a\u0633\u062c\u0644 \u0645\u062a\u0649 \u062a\u0645 \u062a\u0634\u063a\u064a\u0644 \u0627\u0644\u0628\u0646\u0627\u0621 \u0644\u064a\u0633 \u062e\u0637\u0631\u064b\u0627 \u0623\u0645\u0646\u064a\u064b\u0627. \u0627\u0644\u062a\u0645\u064a\u064a\u0632 \u0627\u0644\u0631\u0626\u064a\u0633\u064a \u0647\u0648 \u0645\u0627 \u0625\u0630\u0627 \u0643\u0627\u0646 \u0627\u0644\u0639\u0646\u0635\u0631 \u063a\u064a\u0631 \u0627\u0644\u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0641\u064a \u0627\u0644\u0645\u0646\u062a\u062c \u0646\u0641\u0633\u0647 (\u062e\u0637\u0631) \u0623\u0648 \u0641\u0642\u0637 \u0641\u064a \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0648\u0635\u0641\u064a\u0629 \u0627\u0644\u0645\u0631\u0627\u0641\u0642\u0629 \u0644\u0647 (\u0645\u0642\u0628\u0648\u0644).<\/p>\n \u0628\u0627\u0644\u0646\u0633\u0628\u0629 \u0644\u0644\u0639\u062f\u064a\u062f \u0645\u0646 \u0627\u0644\u0641\u0631\u0642\u060c \u0627\u0644\u0647\u062f\u0641 \u0627\u0644\u0639\u0645\u0644\u064a \u0647\u0648 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0627\u0644\u0648\u0638\u064a\u0641\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631: \u0646\u0641\u0633 \u0627\u0644\u0645\u062f\u062e\u0644\u0627\u062a \u062a\u0646\u062a\u062c \u0646\u0641\u0633 \u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0648\u0638\u064a\u0641\u064a\u0629. \u0642\u062f \u062a\u062e\u062a\u0644\u0641 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0627\u0644\u062b\u0646\u0627\u0626\u064a\u0629 \u0641\u064a \u0627\u0644\u0637\u0648\u0627\u0628\u0639 \u0627\u0644\u0632\u0645\u0646\u064a\u0629 \u0627\u0644\u0645\u0636\u0645\u0646\u0629 \u0623\u0648 \u0631\u0645\u0648\u0632 \u0627\u0644\u062a\u0635\u062d\u064a\u062d\u060c \u0644\u0643\u0646\u0647\u0627 \u062a\u062a\u0635\u0631\u0641 \u0628\u0634\u0643\u0644 \u0645\u062a\u0637\u0627\u0628\u0642. \u0647\u0630\u0627 \u0627\u0644\u0645\u0633\u062a\u0648\u0649 \u0645\u0646 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u062d\u0642\u064a\u0642 \u0628\u0627\u0644\u0623\u062f\u0648\u0627\u062a \u0648\u0627\u0644\u0645\u0645\u0627\u0631\u0633\u0627\u062a \u0627\u0644\u0642\u064a\u0627\u0633\u064a\u0629:<\/p>\n \u0639\u0646\u062f\u0645\u0627 \u0644\u0627 \u062a\u0643\u0648\u0646 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0627\u0644\u0643\u0627\u0645\u0644\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0645\u0645\u0643\u0646\u0629\u060c \u062a\u0648\u0641\u0631 \u0627\u0644\u0636\u0648\u0627\u0628\u0637 \u0627\u0644\u062a\u0639\u0648\u064a\u0636\u064a\u0629 \u0636\u0645\u0627\u0646\u0627\u062a \u0628\u062f\u064a\u0644\u0629:<\/p>\n \u0641\u0643\u0631 \u0641\u064a \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0643\u0637\u064a\u0641\u060c \u0648\u0644\u064a\u0633 \u062d\u0627\u0644\u0629 \u062b\u0646\u0627\u0626\u064a\u0629:<\/p>\n \u0643\u0644 \u0645\u0633\u062a\u0648\u0649 \u064a\u0628\u0646\u064a \u0639\u0644\u0649 \u0633\u0627\u0628\u0642\u0647. \u0627\u0644\u0627\u0646\u062a\u0642\u0627\u0644 \u0645\u0646 \u0627\u0644\u0645\u0633\u062a\u0648\u0649 0 \u0625\u0644\u0649 \u0627\u0644\u0645\u0633\u062a\u0648\u0649 1 \u063a\u0627\u0644\u0628\u064b\u0627 \u0645\u0627 \u064a\u0643\u0648\u0646 \u0627\u0644\u062a\u062d\u0633\u064a\u0646 \u0627\u0644\u0623\u0639\u0644\u0649 \u062a\u0623\u062b\u064a\u0631\u064b\u0627 \u0627\u0644\u0630\u064a \u064a\u0645\u0643\u0646\u0643 \u0625\u062c\u0631\u0627\u0624\u0647\u060c \u0648\u064a\u062a\u0637\u0644\u0628 \u062c\u0647\u062f\u064b\u0627 \u0636\u0626\u064a\u0644\u0627\u064b.<\/p>\n \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0647\u064a \u0623\u0633\u0627\u0633 \u0627\u0644\u062b\u0642\u0629 \u0641\u064a \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f. \u0628\u062f\u0648\u0646\u0647\u0627\u060c \u0623\u0646\u062a \u062a\u0639\u062a\u0645\u062f \u0639\u0644\u0649 \u0625\u064a\u0645\u0627\u0646 \u0623\u0639\u0645\u0649 \u0628\u0623\u0646 \u0646\u0638\u0627\u0645 \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u062e\u0627\u0635 \u0628\u0643 \u0644\u0645 \u064a\u062a\u0639\u0631\u0636 \u0644\u0644\u0627\u062e\u062a\u0631\u0627\u0642 \u2014 \u0648\u0647\u0648 \u0625\u064a\u0645\u0627\u0646 \u062a\u0639\u0644\u0645 \u0639\u0645\u0644\u0627\u0621 SolarWinds \u0648\u0645\u0633\u062a\u062e\u062f\u0645\u0648 XZ Utils \u0648\u0639\u062f\u062f \u0644\u0627 \u064a\u062d\u0635\u0649 \u0645\u0646 \u0627\u0644\u0622\u062e\u0631\u064a\u0646 \u0623\u0646\u0647 \u0641\u064a \u063a\u064a\u0631 \u0645\u062d\u0644\u0647.<\/p>\n \u0627\u0644\u062e\u0628\u0631 \u0627\u0644\u062c\u064a\u062f \u0647\u0648 \u0623\u0646\u0643 \u0644\u0633\u062a \u0628\u062d\u0627\u062c\u0629 \u0625\u0644\u0649 \u062a\u062d\u0642\u064a\u0642 \u0627\u0644\u0643\u0645\u0627\u0644 \u0645\u0646 \u0627\u0644\u064a\u0648\u0645 \u0627\u0644\u0623\u0648\u0644. \u0627\u0628\u062f\u0623 \u0628\u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0627\u062a:<\/p>\n \u062b\u0645 \u0623\u0636\u0641 \u0627\u0644\u0625\u062d\u0643\u0627\u0645 \u062a\u062f\u0631\u064a\u062c\u064a\u064b\u0627: \u0636\u0645\u0651\u0646 \u062a\u0628\u0639\u064a\u0627\u062a\u0643\u060c \u0648\u0627\u0633\u062a\u062e\u062f\u0645 Nix \u0623\u0648 Bazel \u0644\u0639\u0632\u0644 \u0627\u0644\u0628\u0646\u0627\u0621\u060c \u0648\u0623\u0632\u0644 \u0627\u0644\u0637\u0648\u0627\u0628\u0639 \u0627\u0644\u0632\u0645\u0646\u064a\u0629 \u0645\u0646 \u0645\u0646\u062a\u062c\u0627\u062a\u0643\u060c \u0648\u0623\u0639\u062f \u0648\u0638\u0627\u0626\u0641 \u062a\u062d\u0642\u0642 \u062a\u0639\u064a\u062f \u0627\u0644\u0628\u0646\u0627\u0621 \u0648\u062a\u0642\u0627\u0631\u0646.<\/p>\n \u0643\u0644 \u062e\u0637\u0648\u0629 \u0639\u0644\u0649 \u0637\u064a\u0641 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u062a\u062c\u0639\u0644 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0623\u0643\u062b\u0631 \u062c\u062f\u0627\u0631\u0629 \u0628\u0627\u0644\u062b\u0642\u0629\u060c \u0648\u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f \u0623\u0643\u062b\u0631 \u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u062f\u0642\u064a\u0642\u060c \u0648\u0628\u0631\u0645\u062c\u064a\u0627\u062a\u0643 \u0623\u0643\u062b\u0631 \u0623\u0645\u0627\u0646\u064b\u0627. \u0641\u064a \u0639\u0627\u0644\u0645 \u062a\u064f\u0639\u062f \u0641\u064a\u0647 \u0623\u0646\u0638\u0645\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0646\u0627\u0642\u0644 \u0647\u062c\u0648\u0645 \u0623\u0633\u0627\u0633\u064a\u060c \u0641\u0625\u0646 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0644\u064a\u0633\u062a \u0627\u062e\u062a\u064a\u0627\u0631\u064a\u0629 \u2014 \u0625\u0646\u0647\u0627 \u0636\u0631\u0648\u0631\u064a\u0629.<\/p>\n","protected":false},"excerpt":{"rendered":" \u0645\u0642\u062f\u0645\u0629 \u0625\u0630\u0627 \u0644\u0645 \u062a\u062a\u0645\u0643\u0646 \u0645\u0646 \u0625\u0639\u0627\u062f\u0629 \u0625\u0646\u062a\u0627\u062c \u0639\u0645\u0644\u064a\u0629 \u0628\u0646\u0627\u0621\u060c \u0641\u0644\u0646 \u062a\u062a\u0645\u0643\u0646 \u0645\u0646 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646\u0647\u0627. \u0647\u0630\u0647 \u0627\u0644\u062d\u0642\u064a\u0642\u0629 \u0627\u0644\u0628\u0633\u064a\u0637\u0629 \u062a\u0642\u0639 \u0641\u064a \u0635\u0645\u064a\u0645 \u0623\u0645\u0627\u0646 \u0633\u0644\u0633\u0644\u0629 \u062a\u0648\u0631\u064a\u062f \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a. \u062a\u0636\u0645\u0646 \u0633\u0644\u0627\u0645\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 (build integrity) \u0623\u0646 \u0645\u0627 \u062a\u0646\u0634\u0631\u0647 \u0647\u0648 \u0628\u0627\u0644\u0636\u0628\u0637 \u0645\u0627 \u0643\u0646\u062a \u062a\u0646\u0648\u064a \u0628\u0646\u0627\u0621\u0647 \u2014 \u0644\u0627 \u0634\u064a\u0621 \u0645\u0636\u0627\u0641\u060c \u0644\u0627 \u0634\u064a\u0621 \u0645\u0639\u062f\u0651\u0644\u060c \u0644\u0627 \u0634\u064a\u0621 \u062a\u0645 \u0627\u0644\u062a\u0644\u0627\u0639\u0628 \u0628\u0647 \u0628\u064a\u0646 \u0627\u0644\u0643\u0648\u062f \u0627\u0644\u0645\u0635\u062f\u0631\u064a \u0648\u0627\u0644\u0645\u0646\u062a\u062c \u0627\u0644\u0646\u0647\u0627\u0626\u064a … \u0627\u0642\u0631\u0623 \u0627\u0644\u0645\u0632\u064a\u062f<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,27],"tags":[],"post_folder":[],"class_list":["post-791","post","type-post","status-publish","format-standard","hentry","category-ci-cd-security","category-software-supply-chain"],"_links":{"self":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/791","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/comments?post=791"}],"version-history":[{"count":1,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/791\/revisions"}],"predecessor-version":[{"id":793,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/791\/revisions\/793"}],"wp:attachment":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/media?parent=791"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/categories?post=791"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/tags?post=791"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/post_folder?post=791"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
\u0623\u0645\u062b\u0644\u0629 \u0645\u0646 \u0627\u0644\u0648\u0627\u0642\u0639<\/h3>\n
\u0645\u0635\u0627\u062f\u0631 \u0639\u062f\u0645 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631<\/h2>\n
\u0627\u0644\u0637\u0648\u0627\u0628\u0639 \u0627\u0644\u0632\u0645\u0646\u064a\u0629 \u0627\u0644\u0645\u0636\u0645\u0646\u0629 \u0641\u064a \u0627\u0644\u0645\u0646\u062a\u062c\u0627\u062a<\/h3>\n
__DATE__<\/code> \u0648 __TIME__<\/code>. \u062a\u062a\u0636\u0645\u0646 \u0645\u0644\u0641\u0627\u062a PE \u0627\u0644\u062a\u0646\u0641\u064a\u0630\u064a\u0629 \u0639\u0644\u0649 Windows \u0637\u0627\u0628\u0639\u064b\u0627 \u0632\u0645\u0646\u064a\u064b\u0627 \u0641\u064a \u062a\u0631\u0648\u064a\u0633\u0627\u062a\u0647\u0627. \u0641\u064a \u0643\u0644 \u0645\u0631\u0629 \u062a\u0628\u0646\u064a \u0641\u064a\u0647\u0627\u060c \u064a\u062a\u063a\u064a\u0631 \u0627\u0644\u0637\u0627\u0628\u0639 \u0627\u0644\u0632\u0645\u0646\u064a\u060c \u0645\u0645\u0627 \u064a\u0646\u062a\u062c \u0645\u062e\u0631\u062c\u0627\u062a \u0645\u062e\u062a\u0644\u0641\u0629.<\/p>\n\u062a\u0631\u062a\u064a\u0628 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u063a\u064a\u0631 \u0627\u0644\u062d\u062a\u0645\u064a<\/h3>\n
\u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0627\u0644\u0639\u0627\u0626\u0645\u0629<\/h3>\n
express: ^4.18.0<\/code> \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0625\u0635\u062f\u0627\u0631 \u0645\u062d\u062f\u062f\u060c \u0641\u0642\u062f \u062a\u062d\u0635\u0644 \u0639\u0644\u0649 4.18.1 \u0627\u0644\u064a\u0648\u0645 \u0648 4.18.2 \u063a\u062f\u064b\u0627. \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u063a\u064a\u0631 \u0627\u0644\u0645\u062b\u0628\u062a\u0629 \u0647\u064a \u0623\u062d\u062f \u0623\u0643\u062b\u0631 \u0645\u0635\u0627\u062f\u0631 \u0639\u062f\u0645 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0634\u064a\u0648\u0639\u064b\u0627 \u0648\u062a\u0623\u062b\u064a\u0631\u064b\u0627.<\/p>\n\u0627\u062e\u062a\u0644\u0627\u0641\u0627\u062a \u0628\u064a\u0626\u0629 \u0627\u0644\u0628\u0646\u0627\u0621<\/h3>\n
\u0627\u0644\u062a\u0646\u0632\u064a\u0644\u0627\u062a \u0645\u0646 \u0627\u0644\u0634\u0628\u0643\u0629 \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u0628\u0646\u0627\u0621<\/h3>\n
\u0627\u0644\u0642\u064a\u0645 \u0627\u0644\u0639\u0634\u0648\u0627\u0626\u064a\u0629 \u0648\u0639\u0646\u0627\u0648\u064a\u0646 \u0627\u0644\u0630\u0627\u0643\u0631\u0629<\/h3>\n
\u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0645\u062d\u0643\u0645: \u0627\u0644\u0645\u0639\u064a\u0627\u0631 \u0627\u0644\u0630\u0647\u0628\u064a<\/h2>\n
\u0645\u0627\u0630\u0627 \u064a\u0639\u0646\u064a \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0645\u062d\u0643\u0645<\/h3>\n
\n
Bazel \u0643\u0646\u0638\u0627\u0645 \u0628\u0646\u0627\u0621 \u0645\u062d\u0643\u0645<\/h3>\n
# Bazel WORKSPACE file: all external dependencies declared\nload(\"@bazel_tools\/\/tools\/build_defs\/repo:http.bzl\", \"http_archive\")\n\nhttp_archive(\n name = \"com_google_protobuf\",\n sha256 = \"a79d19dcdf9139fa4b81206e318e33d245c4c9da1ffed21c87288f9142c5f4ef\",\n strip_prefix = \"protobuf-23.2\",\n urls = [\"https:\/\/github.com\/protocolbuffers\/protobuf\/archive\/v23.2.tar.gz\"],\n)<\/code><\/pre>\nDocker Multi-Stage Builds \u0645\u0639 \u0635\u0648\u0631 \u0623\u0633\u0627\u0633\u064a\u0629 \u0645\u062b\u0628\u062a\u0629<\/h3>\n
# Stage 1: Build with all dependencies pre-installed\nFROM golang@sha256:2c3f3c4a1f8e4c2b7d5e1a9f8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b AS builder\n\nWORKDIR \/app\nCOPY go.mod go.sum .\/\nRUN go mod download\n\nCOPY . .\nRUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \\\n go build -trimpath -ldflags='-s -w -buildid=' \\\n -o \/app\/server .\/cmd\/server\n\n# Stage 2: Minimal runtime image\nFROM gcr.io\/distroless\/static@sha256:1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b AS runtime\nCOPY --from=builder \/app\/server \/server\nENTRYPOINT [\"\/server\"]<\/code><\/pre>\n-trimpath<\/code> \u0644\u0625\u0632\u0627\u0644\u0629 \u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0645\u062d\u0644\u064a\u0629 \u0645\u0646 \u0627\u0644\u0645\u0644\u0641 \u0627\u0644\u062b\u0646\u0627\u0626\u064a\u060c \u0648 -buildid=<\/code> \u0644\u0645\u0633\u062d \u0645\u0639\u0631\u0641 \u0627\u0644\u0628\u0646\u0627\u0621\u060c \u0648 -s -w<\/code> \u0644\u062a\u062c\u0631\u064a\u062f \u0645\u0639\u0644\u0648\u0645\u0627\u062a \u0627\u0644\u062a\u0635\u062d\u064a\u062d. \u0647\u0630\u0647 \u0627\u0644\u0623\u0639\u0644\u0627\u0645 \u0636\u0631\u0648\u0631\u064a\u0629 \u0644\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0641\u064a \u0628\u0646\u064a\u0627\u062a Go.<\/p>\n\u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0642\u0641\u0644 (Lock Files)<\/h3>\n
\n
package-lock.json<\/code> \u0623\u0648 yarn.lock<\/code> \u2014 \u0627\u0633\u062a\u062e\u062f\u0645 \u062f\u0627\u0626\u0645\u064b\u0627 npm ci<\/code> \u0628\u062f\u0644\u0627\u064b \u0645\u0646 npm install<\/code><\/li>\ngo.sum<\/code> \u2014 \u064a\u0633\u062c\u0644 \u062a\u062c\u0632\u0626\u0627\u062a \u062a\u0634\u0641\u064a\u0631\u064a\u0629 \u0644\u062c\u0645\u064a\u0639 \u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0627\u0644\u0648\u062d\u062f\u0627\u062a<\/li>\npoetry.lock<\/code> \u0623\u0648 \u0645\u062e\u0631\u062c\u0627\u062a pip-compile<\/code> \u2014 \u064a\u062b\u0628\u062a \u0643\u0644 \u062a\u0628\u0639\u064a\u0629 \u0645\u062a\u0639\u062f\u064a\u0629<\/li>\nCargo.lock<\/code> \u2014 \u064a\u064f\u0644\u062a\u0632\u0645 \u0628\u0647 \u062f\u0627\u0626\u0645\u064b\u0627 \u0644\u0644\u0645\u0634\u0627\u0631\u064a\u0639 \u0627\u0644\u062b\u0646\u0627\u0626\u064a\u0629<\/li>\n<\/ul>\n\u062a\u0636\u0645\u064a\u0646 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a (Vendoring)<\/h3>\n
# Go: vendor all dependencies\ngo mod vendor\n\n# Build using vendored dependencies\ngo build -mod=vendor .\/cmd\/server<\/code><\/pre>\n\u0645\u0642\u0627\u064a\u0636\u0627\u062a \u0639\u0645\u0644\u064a\u0629: \u0627\u0644\u0625\u062d\u0643\u0627\u0645 \u0645\u0642\u0627\u0628\u0644 \u062a\u062c\u0631\u0628\u0629 \u0627\u0644\u0645\u0637\u0648\u0631<\/h3>\n
\u062a\u062b\u0628\u064a\u062a \u0643\u0644 \u0634\u064a\u0621<\/h2>\n
\u062a\u062b\u0628\u064a\u062a \u0627\u0644\u0635\u0648\u0631 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629 \u0628\u0627\u0644\u0628\u0635\u0645\u0629<\/h3>\n
node:20<\/code> \u0623\u0648 python:3.12-slim<\/code> \u064a\u0645\u0643\u0646 \u0623\u0646 \u062a\u062a\u063a\u064a\u0631 \u0641\u064a \u0623\u064a \u0648\u0642\u062a. \u064a\u0645\u0643\u0646 \u0644\u0644\u0633\u062c\u0644 \u062f\u0641\u0639 \u0635\u0648\u0631\u0629 \u062c\u062f\u064a\u062f\u0629 \u0628\u0646\u0641\u0633 \u0627\u0644\u0648\u0633\u0645. \u062b\u0628\u0651\u062a \u0628\u0627\u0644\u0628\u0635\u0645\u0629 (digest) \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0630\u0644\u0643:<\/p>\n# BAD: tag can change at any time\nFROM node:20-alpine\n\n# GOOD: pinned to an immutable digest\nFROM node@sha256:a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2\n\n# BETTER: tag for readability, digest for immutability\nFROM node:20-alpine@sha256:a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2<\/code><\/pre>\ndocker inspect --format='{{index .RepoDigests 0}}' node:20-alpine<\/code><\/pre>\n\u062a\u062b\u0628\u064a\u062a GitHub Actions \u0628\u0645\u0639\u0631\u0641 SHA<\/h3>\n
# BAD: tag can be moved to malicious commit\n- uses: actions\/checkout@v4\n\n# GOOD: pinned to immutable commit SHA\n- uses: actions\/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1<\/code><\/pre>\n\u062a\u062b\u0628\u064a\u062a \u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u0623\u062f\u0648\u0627\u062a<\/h3>\n
# .tool-versions (used by asdf version manager)\nnodejs 20.11.0\npython 3.12.1\ngolang 1.22.0\nrust 1.75.0<\/code><\/pre>\n# .nvmrc (Node version manager)\n20.11.0<\/code><\/pre>\n# rust-toolchain.toml\n[toolchain]\nchannel = \"1.75.0\"\ncomponents = [\"rustfmt\", \"clippy\"]\ntargets = [\"x86_64-unknown-linux-gnu\"]<\/code><\/pre>\n\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Nix \u0644\u062a\u0643\u0631\u0627\u0631 \u0628\u064a\u0626\u0629 \u0627\u0644\u0628\u0646\u0627\u0621<\/h3>\n
# flake.nix\n{\n inputs = {\n nixpkgs.url = \"github:NixOS\/nixpkgs\/nixos-24.05\";\n flake-utils.url = \"github:numtide\/flake-utils\";\n };\n outputs = { self, nixpkgs, flake-utils }:\n flake-utils.lib.eachDefaultSystem (system:\n let pkgs = nixpkgs.legacyPackages.${system}; in {\n devShells.default = pkgs.mkShell {\n buildInputs = [ pkgs.go_1_22 pkgs.nodejs_20 pkgs.protobuf ];\n };\n });\n}<\/code><\/pre>\nflake.lock<\/code> \u0634\u062c\u0631\u0629 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0628\u0623\u0643\u0645\u0644\u0647\u0627 \u0639\u0644\u0649 \u0645\u0631\u0627\u062c\u0639\u0627\u062a Git \u0645\u062d\u062f\u062f\u0629.<\/p>\n\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0633\u0644\u0627\u0645\u0629 \u0627\u0644\u0628\u0646\u0627\u0621<\/h2>\n
\u0645\u0642\u0627\u0631\u0646\u0629 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0639\u0628\u0631 \u0627\u0644\u0628\u064a\u0626\u0627\u062a<\/h3>\n
# Build in CI\nsha256sum build\/output\/myapp.tar.gz\n# Output: a1b2c3d4... build\/output\/myapp.tar.gz\n\n# Rebuild locally from the same commit\ngit checkout v1.2.3\nmake build\nsha256sum build\/output\/myapp.tar.gz\n# Output should match: a1b2c3d4...<\/code><\/pre>\n\u0627\u0633\u062a\u062e\u062f\u0627\u0645 diffoscope \u0644\u0644\u062a\u062d\u0644\u064a\u0644 \u0627\u0644\u0639\u0645\u064a\u0642<\/h3>\n
diffoscope<\/code> \u0647\u064a \u0623\u062f\u0627\u0629 \u0623\u0633\u0627\u0633\u064a\u0629 \u0644\u062a\u0634\u062e\u064a\u0635 \u0645\u0634\u0643\u0644\u0627\u062a \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631. \u062a\u0641\u0643 \u062d\u0632\u0645 \u0627\u0644\u0623\u0631\u0634\u064a\u0641\u0627\u062a \u0628\u0634\u0643\u0644 \u0645\u062a\u0643\u0631\u0631\u060c \u0648\u062a\u0641\u0643\u0643 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0627\u0644\u062b\u0646\u0627\u0626\u064a\u0629\u060c \u0648\u062a\u064f\u0638\u0647\u0631 \u0644\u0643 \u0628\u0627\u0644\u0636\u0628\u0637 \u0623\u064a\u0646 \u064a\u062e\u062a\u0644\u0641 \u0628\u0646\u0627\u0621\u0627\u0646:<\/p>\n# Install diffoscope\npip install diffoscope\n\n# Compare two builds\ndiffoscope build-1\/myapp.tar.gz build-2\/myapp.tar.gz --html report.html\n\n# Compare two container images\ndiffoscope image-1.tar image-2.tar --html report.html<\/code><\/pre>\n\u062a\u062e\u0632\u064a\u0646 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0648\u0635\u0641\u064a\u0629<\/h3>\n
\n
SLSA Provenance<\/h3>\n
# .github\/workflows\/release.yml\njobs:\n build:\n outputs:\n digest: ${{ steps.hash.outputs.digest }}\n runs-on: ubuntu-latest\n steps:\n - uses: actions\/checkout@b4ffde65f46336ab88eb53be808477a3936bae11\n - run: make build\n - id: hash\n run: echo \"digest=$(sha256sum myapp | cut -d' ' -f1)\" >> \"$GITHUB_OUTPUT\"\n\n provenance:\n needs: build\n permissions:\n actions: read\n id-token: write\n contents: write\n uses: slsa-framework\/slsa-github-generator\/.github\/workflows\/generator_generic_slsa3.yml@v1.9.0\n with:\n base64-subjects: ${{ needs.build.outputs.digest }}<\/code><\/pre>\n\u0641\u062d\u0635 \u0635\u0648\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a<\/h3>\n
# List all layers in an image\ndocker history myapp:latest --no-trunc\n\n# Export and inspect image contents\ndocker save myapp:latest -o image.tar\ntar -tf image.tar\n\n# Use dive to inspect layer contents interactively\ndive myapp:latest<\/code><\/pre>\n\u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0641\u064a CI\/CD<\/h2>\n
GitHub Actions<\/h3>\n
name: Reproducible Build\non:\n push:\n branches: [main]\n\njobs:\n build:\n # Pin the runner image (or use a self-hosted runner with a known image)\n runs-on: ubuntu-22.04\n\n steps:\n # Pin action by SHA\n - uses: actions\/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1\n\n # Pin setup action and toolchain version\n - uses: actions\/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0\n with:\n go-version: '1.22.0' # Exact version, not '1.22.x'\n\n # Cache with hash-based key for determinism\n - uses: actions\/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1\n with:\n path: ~\/go\/pkg\/mod\n key: go-mod-${{ hashFiles('go.sum') }}\n\n # Build with reproducibility flags\n - run: |\n CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \\\n go build -trimpath -ldflags='-s -w -buildid=' \\\n -o myapp .\/cmd\/server\n\n # Record artifact hash\n - run: sha256sum myapp >> checksums.txt\n\n - uses: actions\/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1\n with:\n name: build-artifacts\n path: |\n myapp\n checksums.txt<\/code><\/pre>\nGitLab CI<\/h3>\n
# .gitlab-ci.yml\nvariables:\n # Use a specific image digest for the build environment\n BUILD_IMAGE: golang@sha256:2c3f3c4a1f8e4c2b7d5e1a9f8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b\n\nstages:\n - build\n - verify\n\nbuild:\n stage: build\n image: $BUILD_IMAGE\n script:\n - go mod download\n - CGO_ENABLED=0 GOOS=linux GOARCH=amd64\n go build -trimpath -ldflags='-s -w -buildid='\n -o myapp .\/cmd\/server\n - sha256sum myapp | tee checksums.txt\n artifacts:\n paths:\n - myapp\n - checksums.txt\n cache:\n key:\n files:\n - go.sum\n paths:\n - \/go\/pkg\/mod\n\nverify-reproducibility:\n stage: verify\n image: $BUILD_IMAGE\n script:\n - go mod download\n - CGO_ENABLED=0 GOOS=linux GOARCH=amd64\n go build -trimpath -ldflags='-s -w -buildid='\n -o myapp-verify .\/cmd\/server\n - sha256sum myapp-verify\n - diff <(sha256sum myapp | cut -d' ' -f1) <(sha256sum myapp-verify | cut -d' ' -f1)<\/code><\/pre>\n\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Nix \u0641\u064a CI \u0644\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0627\u0644\u0643\u0627\u0645\u0644\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631<\/h3>\n
# GitHub Actions with Nix\nname: Nix Build\non: push\n\njobs:\n build:\n runs-on: ubuntu-22.04\n steps:\n - uses: actions\/checkout@b4ffde65f46336ab88eb53be808477a3936bae11\n - uses: cachix\/install-nix-action@ba0dd844c9180cbf77aa557a09b7b0d890fbd0fb # v26\n with:\n nix_path: nixpkgs=channel:nixos-24.05\n - run: nix build .#myapp\n - run: sha256sum result\/bin\/myapp<\/code><\/pre>\nflake.lock<\/code> \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0627\u0644\u062f\u0642\u064a\u0642 \u0644\u0643\u0644 \u062d\u0632\u0645\u0629 \u0641\u064a \u0625\u063a\u0644\u0627\u0642 \u0627\u0644\u0628\u0646\u0627\u0621. \u0633\u064a\u062d\u0635\u0644 \u0645\u0637\u0648\u0631\u0627\u0646 \u064a\u0634\u063a\u0644\u0627\u0646 nix build<\/code> \u0639\u0644\u0649 \u0623\u062c\u0647\u0632\u0629 \u0645\u062e\u062a\u0644\u0641\u0629 \u0639\u0644\u0649 \u0645\u062e\u0631\u062c\u0627\u062a \u0645\u062a\u0637\u0627\u0628\u0642\u0629\u060c \u0644\u0623\u0646 \u0631\u0633\u0645 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0628\u0627\u0644\u0643\u0627\u0645\u0644 \u2014 \u0628\u0645\u0627 \u0641\u064a \u0630\u0644\u0643 \u0645\u062a\u0631\u062c\u0645 C \u0648\u0645\u0643\u062a\u0628\u0627\u062a \u0627\u0644\u0646\u0638\u0627\u0645 \u0648\u0643\u0644 \u062a\u0628\u0639\u064a\u0629 \u0645\u062a\u0639\u062f\u064a\u0629 \u2014 \u0645\u062d\u062f\u062f \u0628\u062f\u0642\u0629.<\/p>\n\u0628\u0646\u0627\u0621 \u0635\u0648\u0631 \u062d\u0627\u0648\u064a\u0627\u062a \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631<\/h3>\n
docker build<\/code> \u0627\u0644\u062a\u0642\u0644\u064a\u062f\u064a \u0637\u0648\u0627\u0628\u0639 \u0632\u0645\u0646\u064a\u0629 \u0641\u064a \u0643\u0644 \u0637\u0628\u0642\u0629. \u062a\u0648\u0641\u0631 \u0623\u062f\u0648\u0627\u062a \u0645\u062b\u0644 kaniko<\/a> \u0648 BuildKit<\/a> \u0648 ko<\/a> \u0642\u0627\u0628\u0644\u064a\u0629 \u062a\u0643\u0631\u0627\u0631 \u0623\u0641\u0636\u0644:<\/p>\n# Using BuildKit with reproducible output\nDOCKER_BUILDKIT=1 docker build \\\n --build-arg SOURCE_DATE_EPOCH=$(git log -1 --format=%ct) \\\n --output type=docker,rewrite-timestamp=true \\\n -t myapp:latest .<\/code><\/pre>\nSOURCE_DATE_EPOCH<\/code> \u0647\u0648 \u0622\u0644\u064a\u0629 \u0645\u0648\u062d\u062f\u0629<\/a> \u0644\u0625\u062e\u0628\u0627\u0631 \u0623\u062f\u0648\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0637\u0627\u0628\u0639 \u0632\u0645\u0646\u064a \u062b\u0627\u0628\u062a \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0627\u0644\u0648\u0642\u062a \u0627\u0644\u062d\u0627\u0644\u064a. \u062a\u062d\u062a\u0631\u0645\u0647 \u0627\u0644\u0639\u062f\u064a\u062f \u0645\u0646 \u0627\u0644\u0623\u062f\u0648\u0627\u062a\u060c \u0628\u0645\u0627 \u0641\u064a \u0630\u0644\u0643 GCC \u0648 dpkg \u0648 tar \u0648 zip.<\/p>\n\u0639\u0646\u062f\u0645\u0627 \u0644\u0627 \u062a\u0643\u0648\u0646 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0627\u0644\u0645\u062b\u0627\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0645\u0645\u0643\u0646\u0629<\/h2>\n
\u0639\u062f\u0645 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0627\u0644\u0645\u0642\u0628\u0648\u0644<\/h3>\n
\u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \"\u0627\u0644\u0643\u0627\u0641\u064a\u0629\"<\/h3>\n
\n
\u0627\u0644\u0636\u0648\u0627\u0628\u0637 \u0627\u0644\u062a\u0639\u0648\u064a\u0636\u064a\u0629<\/h3>\n
\n
\u0637\u064a\u0641 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631<\/h3>\n
\n
\u0627\u0644\u062e\u0627\u062a\u0645\u0629<\/h2>\n
\n
npm ci<\/code> \u0628\u062f\u0644\u0627\u064b \u0645\u0646 npm install<\/code>.<\/li>\n.tool-versions<\/code> \u0623\u0648 rust-toolchain.toml<\/code> \u0623\u0648 \u0645\u0627 \u0634\u0627\u0628\u0647.<\/li>\n<\/ul>\n