\u0625\u0630\u0627 \u0642\u0645\u062a \u0628\u0628\u0646\u0627\u0621 \u0646\u0641\u0633 \u0645\u0644\u0641 Dockerfile \u0645\u0631\u062a\u064a\u0646 \u0648\u062d\u0635\u0644\u062a \u0639\u0644\u0649 \u0635\u0648\u0631 \u0645\u062e\u062a\u0644\u0641\u0629\u060c \u0641\u0644\u0646 \u062a\u062a\u0645\u0643\u0646 \u0645\u0646 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0633\u0644\u0627\u0645\u0629 \u0627\u0644\u0628\u0646\u0627\u0621. \u0627\u0644\u0628\u0646\u0627\u0621 \u063a\u064a\u0631 \u0627\u0644\u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u064a\u0639\u0646\u064a \u0623\u0646\u0647 \u0644\u0627 \u062a\u0648\u062c\u062f \u0644\u062f\u064a\u0643 \u0637\u0631\u064a\u0642\u0629 \u0644\u0644\u062a\u0623\u0643\u062f \u0645\u0646 \u0623\u0646 \u0627\u0644\u0639\u0646\u0635\u0631 \u0627\u0644\u0628\u0631\u0645\u062c\u064a \u0627\u0644\u0630\u064a \u064a\u0639\u0645\u0644 \u0641\u064a \u0627\u0644\u0625\u0646\u062a\u0627\u062c \u0642\u062f \u062a\u0645 \u0625\u0646\u062a\u0627\u062c\u0647 \u0641\u0639\u0644\u0627\u064b \u0645\u0646 \u0627\u0644\u0643\u0648\u062f \u0627\u0644\u0645\u0635\u062f\u0631\u064a \u0627\u0644\u0630\u064a \u0642\u0645\u062a \u0628\u0645\u0631\u0627\u062c\u0639\u062a\u0647. \u064a\u0645\u0643\u0646 \u0644\u0644\u0645\u0647\u0627\u062c\u0645\u064a\u0646 \u0627\u0633\u062a\u063a\u0644\u0627\u0644 \u0647\u0630\u0627 \u0627\u0644\u063a\u0645\u0648\u0636 \u0644\u062d\u0642\u0646 \u0643\u0648\u062f \u062e\u0628\u064a\u062b \u0623\u062b\u0646\u0627\u0621 \u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u062f\u0648\u0646 \u0627\u0643\u062a\u0634\u0627\u0641\u0647.<\/p>\n
\u064a\u0631\u0634\u062f\u0643 \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631 \u0627\u0644\u0639\u0645\u0644\u064a \u0639\u0628\u0631 \u0645\u0635\u0627\u062f\u0631 \u0639\u062f\u0645 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0641\u064a \u0628\u0646\u0627\u0621 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a\u060c \u0648\u064a\u0648\u0636\u062d \u062a\u0642\u0646\u064a\u0627\u062a \u0644\u0644\u0642\u0636\u0627\u0621 \u0639\u0644\u0649 \u0643\u0644 \u0645\u0646\u0647\u0627\u060c \u0648\u064a\u0628\u064a\u0651\u0646 \u0643\u064a\u0641\u064a\u0629 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b \u0641\u064a \u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD. \u0628\u0646\u0647\u0627\u064a\u0629 \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631\u060c \u0633\u064a\u0643\u0648\u0646 \u0644\u062f\u064a\u0643 \u0645\u0644\u0641 Dockerfile \u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0628\u0627\u0644\u0643\u0627\u0645\u0644 \u0648\u0633\u064a\u0631 \u0639\u0645\u0644 GitHub Actions \u064a\u062b\u0628\u062a \u0630\u0644\u0643 \u0645\u0639 \u0643\u0644 commit.<\/p>\n
docker buildx version<\/code>.<\/li>\n- diffoscope<\/strong> \u2014 \u0642\u0645 \u0628\u0627\u0644\u062a\u062b\u0628\u064a\u062a \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645
pip install diffoscope<\/code>. \u0647\u0630\u0647 \u0627\u0644\u0623\u062f\u0627\u0629 \u062a\u0642\u0648\u0645 \u0628\u0645\u0642\u0627\u0631\u0646\u0629 \u0639\u0645\u064a\u0642\u0629 \u0648\u0645\u062a\u0643\u0631\u0631\u0629 \u0644\u0644\u0645\u0644\u0641\u0627\u062a \u0648\u0627\u0644\u0623\u0631\u0634\u064a\u0641\u0627\u062a.<\/li>\n- crane<\/strong> \u2014 \u0642\u0645 \u0628\u0627\u0644\u062a\u062b\u0628\u064a\u062a \u0645\u0646 go-containerregistry<\/a>. \u062a\u064f\u0633\u062a\u062e\u062f\u0645 \u0644\u0641\u062d\u0635 \u0635\u0648\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0648\u0627\u0644\u0633\u062c\u0644\u0627\u062a \u0648\u0627\u0644\u062a\u0639\u0627\u0645\u0644 \u0645\u0639\u0647\u0627.<\/li>\n
- Cosign<\/strong> \u2014 \u0642\u0645 \u0628\u0627\u0644\u062a\u062b\u0628\u064a\u062a \u0645\u0646 Sigstore<\/a>. \u062a\u064f\u0633\u062a\u062e\u062f\u0645 \u0644\u062a\u0648\u0642\u064a\u0639 \u0635\u0648\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0648\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646\u0647\u0627.<\/li>\n
- \u0645\u0633\u062a\u0648\u062f\u0639 \u0627\u062e\u062a\u0628\u0627\u0631<\/strong> \u064a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 Dockerfile (\u0633\u0646\u0642\u0648\u0645 \u0628\u0625\u0646\u0634\u0627\u0626\u0647 \u0641\u064a \u062e\u0637\u0648\u0629 \u0627\u0644\u0625\u0639\u062f\u0627\u062f).<\/li>\n
- Go 1.22+<\/strong> \u0645\u062b\u0628\u062a \u0645\u062d\u0644\u064a\u0627\u064b (\u0627\u062e\u062a\u064a\u0627\u0631\u064a\u060c \u0644\u0644\u0627\u062e\u062a\u0628\u0627\u0631 \u0627\u0644\u0645\u062d\u0644\u064a \u062e\u0627\u0631\u062c Docker).<\/li>\n<\/ul>\n
\u0625\u0639\u062f\u0627\u062f \u0627\u0644\u0628\u064a\u0626\u0629<\/h2>\n
\u0623\u0646\u0634\u0626 \u0645\u0633\u062a\u0648\u062f\u0639 \u0627\u062e\u062a\u0628\u0627\u0631 \u062c\u062f\u064a\u062f \u0645\u0639 \u062a\u0637\u0628\u064a\u0642 Go \u0628\u0633\u064a\u0637. \u0647\u0630\u0627 \u064a\u0645\u0646\u062d\u0646\u0627 \u0645\u0634\u0631\u0648\u0639\u0627\u064b \u0648\u0627\u0642\u0639\u064a\u0627\u064b \u0648\u0645\u0628\u0633\u0637\u0627\u064b \u0644\u0644\u0639\u0645\u0644 \u0645\u0639\u0647 \u062e\u0644\u0627\u0644 \u0627\u0644\u0645\u062e\u062a\u0628\u0631.<\/p>\n
\u0627\u0644\u062e\u0637\u0648\u0629 1: \u062a\u0647\u064a\u0626\u0629 \u0627\u0644\u0645\u0634\u0631\u0648\u0639<\/h3>\nmkdir repro-build-lab && cd repro-build-lab\ngit init\ngo mod init github.com\/example\/repro-build-lab<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 2: \u0625\u0646\u0634\u0627\u0621 \u062a\u0637\u0628\u064a\u0642 Go<\/h3>\n
\u0623\u0646\u0634\u0626 \u0627\u0644\u0645\u0644\u0641 cmd\/app\/main.go<\/code>:<\/p>\npackage main\n\nimport (\n\t\"fmt\"\n\t\"net\/http\"\n\t\"os\"\n)\n\nfunc main() {\n\tport := os.Getenv(\"PORT\")\n\tif port == \"\" {\n\t\tport = \"8080\"\n\t}\n\n\thttp.HandleFunc(\"\/\", func(w http.ResponseWriter, r *http.Request) {\n\t\tfmt.Fprintf(w, \"Hello from repro-build-lab v1\\n\")\n\t})\n\n\thttp.HandleFunc(\"\/healthz\", func(w http.ResponseWriter, r *http.Request) {\n\t\tw.WriteHeader(http.StatusOK)\n\t\tfmt.Fprintf(w, \"ok\\n\")\n\t})\n\n\tfmt.Printf(\"Listening on :%s\\n\", port)\n\thttp.ListenAndServe(\":\"+port, nil)\n}<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 3: \u0625\u0646\u0634\u0627\u0621 Dockerfile \u063a\u064a\u0631 \u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0639\u0645\u062f\u0627\u064b<\/h3>\n
\u064a\u062d\u062a\u0648\u064a \u0647\u0630\u0627 \u0627\u0644\u0645\u0644\u0641 Dockerfile \u0639\u0644\u0649 \u0643\u0644 \u062e\u0637\u0623 \u0634\u0627\u0626\u0639 \u064a\u0624\u062f\u064a \u0625\u0644\u0649 \u0628\u0646\u0627\u0621\u0627\u062a \u063a\u064a\u0631 \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631:<\/p>\n
# Intentionally non-reproducible Dockerfile\nFROM golang:latest\n\nWORKDIR \/src\n\n# Floating package versions\nRUN apt-get update && apt-get install -y curl\n\n# Embeds current timestamp into the image\nRUN echo \"Built at $(date)\" > \/build-info\n\nCOPY . .\n\nRUN go build -o \/app .\/cmd\/app\n\nEXPOSE 8080\nCMD [\"\/app\"]<\/code><\/pre>\n\u0644\u0627\u062d\u0638 \u0627\u0644\u0645\u0634\u0627\u0643\u0644:<\/p>\n
\nFROM golang:latest<\/code> \u2014 \u0627\u0644\u0635\u0648\u0631\u0629 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629 \u062a\u062a\u063a\u064a\u0631 \u062f\u0648\u0646 \u062a\u062d\u0630\u064a\u0631.<\/li>\napt-get install -y curl<\/code> \u2014 \u0644\u0627 \u064a\u0648\u062c\u062f \u062a\u062b\u0628\u064a\u062a \u0625\u0635\u062f\u0627\u0631 \u0645\u062d\u062f\u062f\u060c \u0644\u0630\u0627 \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0627\u0644\u0645\u062b\u0628\u062a \u064a\u062a\u063a\u064a\u0631.<\/li>\necho \"Built at $(date)\"<\/code> \u2014 \u064a\u062d\u0642\u0646 \u0637\u0627\u0628\u0639\u0627\u064b \u0632\u0645\u0646\u064a\u0627\u064b \u0645\u062e\u062a\u0644\u0641\u0627\u064b \u0641\u064a \u0643\u0644 \u0628\u0646\u0627\u0621.<\/li>\n- \u0644\u0627 \u064a\u0648\u062c\u062f
.dockerignore<\/code> \u2014 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0645\u062d\u0644\u064a\u0629 \u0645\u062b\u0644 .git\/<\/code> \u062a\u062a\u0633\u0631\u0628 \u0625\u0644\u0649 \u0633\u064a\u0627\u0642 \u0627\u0644\u0628\u0646\u0627\u0621\u060c \u0645\u0645\u0627 \u064a\u063a\u064a\u0631 \u062a\u062c\u0632\u0626\u0627\u062a \u0627\u0644\u0637\u0628\u0642\u0627\u062a.<\/li>\n<\/ul>\n\u0642\u0645 \u0628\u0639\u0645\u0644 commit \u0644\u0644\u0645\u0634\u0631\u0648\u0639 \u0627\u0644\u0623\u0648\u0644\u064a:<\/p>\n
git add -A\ngit commit -m \"Initial non-reproducible project\"<\/code><\/pre>\n\u0627\u0644\u062a\u0645\u0631\u064a\u0646 1: \u0625\u062b\u0628\u0627\u062a \u0639\u062f\u0645 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631<\/h2>\n
\u0642\u0628\u0644 \u0625\u0635\u0644\u0627\u062d \u0623\u064a \u0634\u064a\u0621\u060c \u062f\u0639\u0646\u0627 \u0646\u062b\u0628\u062a \u0623\u0646 \u0645\u0644\u0641 Dockerfile \u0627\u0644\u062d\u0627\u0644\u064a \u064a\u0646\u062a\u062c \u0635\u0648\u0631\u0627\u064b \u0645\u062e\u062a\u0644\u0641\u0629 \u0641\u064a \u0643\u0644 \u0628\u0646\u0627\u0621.<\/p>\n
\u0627\u0644\u062e\u0637\u0648\u0629 1: \u0628\u0646\u0627\u0621 \u0627\u0644\u0635\u0648\u0631\u0629 \u0645\u0631\u062a\u064a\u0646<\/h3>\n# First build\ndocker build --no-cache -t myapp:build1 .\n\n# Wait a moment so the timestamp differs\nsleep 2\n\n# Second build\ndocker build --no-cache -t myapp:build2 .<\/code><\/pre>\n\u0639\u0644\u0627\u0645\u0629 --no-cache<\/code> \u062a\u062c\u0628\u0631 Docker \u0639\u0644\u0649 \u062a\u0646\u0641\u064a\u0630 \u0643\u0644 \u0637\u0628\u0642\u0629 \u0645\u0646 \u0627\u0644\u0635\u0641\u0631\u060c \u0648\u0647\u0648 \u0623\u0645\u0631 \u0636\u0631\u0648\u0631\u064a \u0644\u0647\u0630\u0647 \u0627\u0644\u0645\u0642\u0627\u0631\u0646\u0629. \u0641\u064a \u0628\u064a\u0626\u0629 CI\/CD \u062d\u0642\u064a\u0642\u064a\u0629\u060c \u063a\u0627\u0644\u0628\u0627\u064b \u0645\u0627 \u062a\u0639\u0645\u0644 \u0627\u0644\u0628\u0646\u0627\u0621\u0627\u062a \u0639\u0644\u0649 runners \u062c\u062f\u064a\u062f\u0629 \u0628\u062f\u0648\u0646 \u0630\u0627\u0643\u0631\u0629 \u062a\u062e\u0632\u064a\u0646 \u0645\u0624\u0642\u062a.<\/p>\n\u0627\u0644\u062e\u0637\u0648\u0629 2: \u0645\u0642\u0627\u0631\u0646\u0629 \u0628\u0635\u0645\u0627\u062a \u0627\u0644\u0635\u0648\u0631<\/h3>\ndocker inspect --format='{{.Id}}' myapp:build1\n# sha256:a1b2c3d4e5f6... (example)\n\ndocker inspect --format='{{.Id}}' myapp:build2\n# sha256:f6e5d4c3b2a1... (different!)<\/code><\/pre>\n\u0627\u0644\u0628\u0635\u0645\u0627\u062a \u0645\u062e\u062a\u0644\u0641\u0629<\/strong> \u0639\u0644\u0649 \u0627\u0644\u0631\u063a\u0645 \u0645\u0646 \u0623\u0646\u0647 \u0644\u0645 \u064a\u062a\u063a\u064a\u0631 \u0634\u064a\u0621 \u0641\u064a \u0627\u0644\u0643\u0648\u062f \u0627\u0644\u0645\u0635\u062f\u0631\u064a. \u0647\u0630\u0627 \u064a\u0639\u0646\u064a \u0623\u0646\u0643 \u0644\u0627 \u062a\u0633\u062a\u0637\u064a\u0639 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0623\u0646 \u0635\u0648\u0631\u0629 \u0645\u0639\u064a\u0646\u0629 \u062a\u0645 \u0625\u0646\u062a\u0627\u062c\u0647\u0627 \u0645\u0646 commit \u0645\u062d\u062f\u062f.<\/p>\n\u0627\u0644\u062e\u0637\u0648\u0629 3: \u0627\u0633\u062a\u062e\u062f\u0627\u0645 diffoscope \u0644\u062a\u062d\u062f\u064a\u062f \u0627\u0644\u0627\u062e\u062a\u0644\u0627\u0641\u0627\u062a<\/h3>\n# Export both images as tarballs\ndocker save myapp:build1 -o build1.tar\ndocker save myapp:build2 -o build2.tar\n\n# Run diffoscope\ndiffoscope build1.tar build2.tar --html-dir diff-report<\/code><\/pre>\n\u0627\u0641\u062a\u062d diff-report\/index.html<\/code> \u0641\u064a \u0627\u0644\u0645\u062a\u0635\u0641\u062d. \u064a\u0643\u0634\u0641 \u0627\u0644\u062a\u0642\u0631\u064a\u0631 \u0628\u0627\u0644\u0636\u0628\u0637 \u0645\u0627 \u064a\u062e\u062a\u0644\u0641 \u0628\u064a\u0646 \u0627\u0644\u0628\u0646\u0627\u0621\u064a\u0646:<\/p>\n\n- \u0627\u0644\u0637\u0648\u0627\u0628\u0639 \u0627\u0644\u0632\u0645\u0646\u064a\u0629<\/strong> \u2014 \u0645\u0644\u0641
\/build-info<\/code> \u064a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 \u062a\u0648\u0627\u0631\u064a\u062e \u0645\u062e\u062a\u0644\u0641\u0629.<\/li>\n- \u0628\u064a\u0627\u0646\u0627\u062a \u0648\u0635\u0641\u064a\u0629 \u0644\u062d\u0632\u0645 apt<\/strong> \u2014 \u0642\u0648\u0627\u0626\u0645 \u0627\u0644\u062d\u0632\u0645 \u0648\u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0630\u0627\u0643\u0631\u0629 \u0627\u0644\u0645\u0624\u0642\u062a\u0629 \u062a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 \u0637\u0648\u0627\u0628\u0639 \u0632\u0645\u0646\u064a\u0629 \u0648\u0642\u062f \u062a\u0633\u062d\u0628 \u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0641\u0631\u0639\u064a\u0629 \u0645\u062e\u062a\u0644\u0641\u0629.<\/li>\n
- \u0645\u0644\u0641 Go \u0627\u0644\u062b\u0646\u0627\u0626\u064a<\/strong> \u2014 \u0627\u0644\u0645\u0644\u0641 \u0627\u0644\u062b\u0646\u0627\u0626\u064a \u0627\u0644\u0645\u064f\u062c\u0645\u064e\u0651\u0639 \u064a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 \u0645\u0633\u0627\u0631\u0627\u062a \u0628\u0646\u0627\u0621 \u0645\u0636\u0645\u0646\u0629 \u0648\u0645\u0639\u0631\u0651\u0641\u0627\u062a \u0628\u0646\u0627\u0621.<\/li>\n
- \u062a\u0631\u062a\u064a\u0628 \u0627\u0644\u0637\u0628\u0642\u0627\u062a \u0648\u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0648\u0635\u0641\u064a\u0629<\/strong> \u2014 Docker \u064a\u0636\u0645\u0651\u0646 \u0637\u0648\u0627\u0628\u0639 \u0632\u0645\u0646\u064a\u0629 \u0644\u0644\u0625\u0646\u0634\u0627\u0621 \u0641\u064a \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0648\u0635\u0641\u064a\u0629 \u0644\u0644\u0637\u0628\u0642\u0627\u062a.<\/li>\n<\/ul>\n
\u0643\u0644 \u0645\u0646 \u0647\u0630\u0647 \u064a\u0645\u062b\u0644 \u0645\u0635\u062f\u0631\u0627\u064b \u0644\u0639\u062f\u0645 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0633\u0646\u0642\u0648\u0645 \u0628\u0627\u0644\u0642\u0636\u0627\u0621 \u0639\u0644\u064a\u0647 \u0641\u064a \u0627\u0644\u062a\u0645\u0627\u0631\u064a\u0646 \u0627\u0644\u062a\u0627\u0644\u064a\u0629.<\/p>\n
\u0627\u0644\u062a\u0645\u0631\u064a\u0646 2: \u062a\u062b\u0628\u064a\u062a \u0627\u0644\u0635\u0648\u0631\u0629 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629 \u0628\u0648\u0627\u0633\u0637\u0629 Digest<\/h2>\n
\u0623\u0643\u0628\u0631 \u0645\u0635\u062f\u0631 \u0644\u0644\u0627\u0646\u062d\u0631\u0627\u0641 \u0647\u0648 \u0627\u0644\u0635\u0648\u0631\u0629 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629. golang:latest<\/code> \u0647\u0648 \u0647\u062f\u0641 \u0645\u062a\u062d\u0631\u0643 \u2014 \u064a\u0645\u0643\u0646 \u0623\u0646 \u064a\u062a\u063a\u064a\u0631 \u0628\u064a\u0646 \u0627\u0644\u0628\u0646\u0627\u0621\u0627\u062a\u060c \u0628\u064a\u0646 \u062a\u0634\u063a\u064a\u0644\u0627\u062a CI\u060c \u0623\u0648 \u062d\u062a\u0649 \u0628\u064a\u0646 \u0627\u0644\u0645\u0646\u0627\u0637\u0642 \u0625\u0630\u0627 \u0643\u0627\u0646 \u0627\u0644\u0633\u062c\u0644 \u0645\u062a\u0633\u0642\u0627\u064b \u0641\u064a \u0627\u0644\u0646\u0647\u0627\u064a\u0629.<\/p>\n\u0627\u0644\u062e\u0637\u0648\u0629 1: \u0627\u0644\u0639\u062b\u0648\u0631 \u0639\u0644\u0649 digest \u0627\u0644\u062d\u0627\u0644\u064a<\/h3>\ncrane digest golang:1.22\n# sha256:d0902bacefdde1cf45079803dc16feeb58f3aa9df52052cc00deb2c3e5de367b<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 2: \u062a\u062b\u0628\u064a\u062a \u0627\u0644\u0635\u0648\u0631\u0629 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629<\/h3>\n
\u062d\u062f\u0651\u062b \u0633\u0637\u0631 FROM<\/code> \u0641\u064a \u0645\u0644\u0641 Dockerfile:<\/p>\nFROM golang:1.22@sha256:d0902bacefdde1cf45079803dc16feeb58f3aa9df52052cc00deb2c3e5de367b<\/code><\/pre>\n\u0627\u0644\u062a\u0646\u0633\u064a\u0642 \u0647\u0648 image:tag@sha256:digest<\/code>. \u0633\u064a\u0642\u0648\u0645 Docker \u0628\u0627\u0644\u0633\u062d\u0628 \u0639\u0628\u0631 digest\u060c \u0645\u062a\u062c\u0627\u0647\u0644\u0627\u064b \u0627\u0644\u0648\u0633\u0645. \u064a\u062a\u0645 \u0627\u0644\u0627\u062d\u062a\u0641\u0627\u0638 \u0628\u0627\u0644\u0648\u0633\u0645 \u0644\u0633\u0647\u0648\u0644\u0629 \u0627\u0644\u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0628\u0634\u0631\u064a\u0629.<\/p>\n\u0627\u0644\u062e\u0637\u0648\u0629 3: \u0625\u0639\u0627\u062f\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0648\u0627\u0644\u0645\u0642\u0627\u0631\u0646\u0629<\/h3>\ndocker build --no-cache -t myapp:pinned1 .\nsleep 2\ndocker build --no-cache -t myapp:pinned2 .\n\ndocker inspect --format='{{.Id}}' myapp:pinned1\ndocker inspect --format='{{.Id}}' myapp:pinned2<\/code><\/pre>\n\u0627\u0644\u0628\u0635\u0645\u0627\u062a \u0644\u0627 \u062a\u0632\u0627\u0644 \u0645\u062e\u062a\u0644\u0641\u0629 \u2014 \u0645\u0635\u0627\u062f\u0631 \u0623\u062e\u0631\u0649 \u0644\u0639\u062f\u0645 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0644\u0627 \u062a\u0632\u0627\u0644 \u0645\u0648\u062c\u0648\u062f\u0629. \u0644\u0643\u0646 \u0625\u0630\u0627 \u0642\u0627\u0631\u0646\u062a \u0627\u0644\u0637\u0628\u0642\u0627\u062a\u060c \u0641\u0625\u0646 \u0637\u0628\u0642\u0629 \u0627\u0644\u0635\u0648\u0631\u0629 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629 \u0623\u0635\u0628\u062d\u062a \u0627\u0644\u0622\u0646 \u0645\u062a\u0637\u0627\u0628\u0642\u0629 \u0628\u064a\u0646 \u0627\u0644\u0628\u0646\u0627\u0621\u064a\u0646. \u0644\u0642\u062f \u0642\u0636\u064a\u062a \u0639\u0644\u0649 \u0623\u0643\u0628\u0631 \u0645\u0635\u062f\u0631 \u0644\u0644\u0627\u0646\u062d\u0631\u0627\u0641.<\/p>\n
\u0644\u0645\u0627\u0630\u0627 \u0647\u0630\u0627 \u0645\u0647\u0645<\/h3>\n
\u0628\u062f\u0648\u0646 \u062a\u062b\u0628\u064a\u062a digest\u060c \u064a\u0645\u0643\u0646 \u0644\u0648\u0633\u0645 \u0645\u062e\u062a\u0631\u0642 \u0623\u0648 \u0645\u062e\u062a\u0637\u0641 \u0623\u0646 \u064a\u0633\u062a\u0628\u062f\u0644 \u0635\u0648\u0631\u062a\u0643 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629 \u0628\u0635\u0648\u0631\u0629 \u062e\u0628\u064a\u062b\u0629 \u0628\u0635\u0645\u062a. \u062a\u062b\u0628\u064a\u062a digest \u0647\u0648 \u0636\u0645\u0627\u0646 \u062a\u0634\u0641\u064a\u0631\u064a: \u062a\u062d\u0635\u0644 \u0639\u0644\u0649 \u0627\u0644\u0628\u0627\u064a\u062a\u0627\u062a \u0627\u0644\u062a\u064a \u062a\u062a\u0648\u0642\u0639\u0647\u0627 \u0628\u0627\u0644\u0636\u0628\u0637\u060c \u0623\u0648 \u064a\u0641\u0634\u0644 \u0627\u0644\u0628\u0646\u0627\u0621.<\/p>\n
\u0627\u0644\u062a\u0645\u0631\u064a\u0646 3: \u062a\u062b\u0628\u064a\u062a \u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0627\u0644\u062d\u0632\u0645<\/h2>\n
\u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0627\u0644\u062d\u0632\u0645 \u0627\u0644\u0645\u062a\u063a\u064a\u0631\u0629 \u062a\u064f\u062f\u062e\u0644 \u0639\u062f\u0645 \u0627\u0644\u062d\u062a\u0645\u064a\u0629 \u0641\u064a \u0637\u0628\u0642\u0629 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a. \u0641\u064a \u0643\u0644 \u0645\u0631\u0629 \u064a\u062a\u0645 \u062a\u0634\u063a\u064a\u0644 apt-get update<\/code>\u060c \u064a\u062c\u0644\u0628 \u0641\u0647\u0631\u0633 \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639 \u0627\u0644\u062d\u0627\u0644\u064a\u060c \u0627\u0644\u0630\u064a \u0642\u062f \u064a\u0633\u0631\u062f \u0625\u0635\u062f\u0627\u0631\u0627\u062a \u062d\u0632\u0645 \u0645\u062e\u062a\u0644\u0641\u0629.<\/p>\n\u0627\u0644\u062e\u064a\u0627\u0631 \u0623: \u062a\u062b\u0628\u064a\u062a \u0625\u0635\u062f\u0627\u0631\u0627\u062a \u062d\u0632\u0645 Debian<\/h3>\nRUN apt-get update && \\\n apt-get install -y --no-install-recommends \\\n curl=7.88.1-10+deb12u8 && \\\n rm -rf \/var\/lib\/apt\/lists\/*<\/code><\/pre>\n\u0644\u0644\u0639\u062b\u0648\u0631 \u0639\u0644\u0649 \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0627\u0644\u0645\u062a\u0627\u062d \u062d\u0627\u0644\u064a\u0627\u064b \u0641\u064a \u0635\u0648\u0631\u062a\u0643 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629:<\/p>\n
docker run --rm golang:1.22 apt-cache policy curl<\/code><\/pre>\n\u0627\u0644\u062e\u064a\u0627\u0631 \u0628: \u0627\u0633\u062a\u062e\u062f\u0627\u0645 Alpine \u0645\u0639 \u062d\u0632\u0645 \u0645\u062b\u0628\u062a\u0629<\/h3>\n
\u062d\u0632\u0645 Alpine \u0644\u062f\u064a\u0647\u0627 \u0633\u0644\u0627\u0633\u0644 \u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0623\u0628\u0633\u0637 \u0648\u0635\u0648\u0631 \u0623\u0635\u063a\u0631:<\/p>\n
FROM golang:1.22-alpine@sha256:<alpine-digest>\n\nRUN apk add --no-cache curl=8.5.0-r0<\/code><\/pre>\n\u0627\u0644\u062e\u064a\u0627\u0631 \u062c: \u0628\u0646\u0627\u0621 \u0645\u062a\u0639\u062f\u062f \u0627\u0644\u0645\u0631\u0627\u062d\u0644 (\u0645\u064f\u0641\u0636\u064e\u0651\u0644)<\/h3>\n
\u0623\u0641\u0636\u0644 \u0646\u0647\u062c \u0647\u0648 \u062a\u062c\u0646\u0628 \u062a\u062b\u0628\u064a\u062a \u0627\u0644\u062d\u0632\u0645 \u0641\u064a \u0627\u0644\u0635\u0648\u0631\u0629 \u0627\u0644\u0646\u0647\u0627\u0626\u064a\u0629 \u062a\u0645\u0627\u0645\u0627\u064b. \u0627\u0633\u062a\u062e\u062f\u0645 \u0628\u0646\u0627\u0621\u064b \u0645\u062a\u0639\u062f\u062f \u0627\u0644\u0645\u0631\u0627\u062d\u0644 \u062d\u064a\u062b \u062a\u062d\u062a\u0648\u064a \u0645\u0631\u062d\u0644\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0639\u0644\u0649 \u0627\u0644\u0623\u062f\u0648\u0627\u062a \u0648\u062a\u0643\u0648\u0646 \u0645\u0631\u062d\u0644\u0629 \u0627\u0644\u062a\u0634\u063a\u064a\u0644 \u0628\u0633\u064a\u0637\u0629:<\/p>\n
# Build stage \u2014 tools are only needed here\nFROM golang:1.22@sha256:d0902bacefdde1cf45079803dc16feeb58f3aa9df52052cc00deb2c3e5de367b AS builder\nWORKDIR \/src\nCOPY go.mod go.sum .\/\nRUN go mod download\nCOPY . .\nRUN go build -o \/app .\/cmd\/app\n\n# Runtime stage \u2014 no apt-get, no floating packages\nFROM gcr.io\/distroless\/static-debian12:nonroot\nCOPY --from=builder \/app \/app\nCMD [\"\/app\"]<\/code><\/pre>\n\u0645\u0639 \u0647\u0630\u0627 \u0627\u0644\u0646\u0647\u062c\u060c \u0644\u0627 \u062a\u062d\u062a\u0648\u064a \u0635\u0648\u0631\u0629 \u0627\u0644\u062a\u0634\u063a\u064a\u0644 \u0639\u0644\u0649 \u0623\u064a \u0627\u0633\u062a\u062f\u0639\u0627\u0621\u0627\u062a \u0644\u0645\u062f\u064a\u0631 \u0627\u0644\u062d\u0632\u0645\u060c \u0645\u0645\u0627 \u064a\u0642\u0636\u064a \u0639\u0644\u0649 \u0641\u0626\u0629 \u0643\u0627\u0645\u0644\u0629 \u0645\u0646 \u0639\u062f\u0645 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631.<\/p>\n
\u0625\u0639\u0627\u062f\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0648\u0627\u0644\u0645\u0642\u0627\u0631\u0646\u0629<\/h3>\ndocker build --no-cache -t myapp:pinpkg1 .\nsleep 2\ndocker build --no-cache -t myapp:pinpkg2 .\n\ndocker inspect --format='{{.Id}}' myapp:pinpkg1\ndocker inspect --format='{{.Id}}' myapp:pinpkg2<\/code><\/pre>\n\u0637\u0628\u0642\u0627\u062a \u0627\u0644\u062d\u0632\u0645 \u0623\u0635\u0628\u062d\u062a \u0627\u0644\u0622\u0646 \u0645\u062a\u0637\u0627\u0628\u0642\u0629 \u0628\u064a\u0646 \u0627\u0644\u0628\u0646\u0627\u0621\u064a\u0646. \u0627\u0644\u0627\u062e\u062a\u0644\u0627\u0641\u0627\u062a \u0627\u0644\u0645\u062a\u0628\u0642\u064a\u0629 \u062a\u0623\u062a\u064a \u0645\u0646 \u0627\u0644\u0637\u0648\u0627\u0628\u0639 \u0627\u0644\u0632\u0645\u0646\u064a\u0629 \u0648\u0645\u0644\u0641 Go \u0627\u0644\u062b\u0646\u0627\u0626\u064a \u0646\u0641\u0633\u0647.<\/p>\n
\u0627\u0644\u062a\u0645\u0631\u064a\u0646 4: \u0625\u0632\u0627\u0644\u0629 \u0627\u0644\u0637\u0648\u0627\u0628\u0639 \u0627\u0644\u0632\u0645\u0646\u064a\u0629 \u0648\u0627\u0644\u0645\u062d\u062a\u0648\u0649 \u063a\u064a\u0631 \u0627\u0644\u062d\u062a\u0645\u064a<\/h2>\n
\u0627\u0644\u0637\u0648\u0627\u0628\u0639 \u0627\u0644\u0632\u0645\u0646\u064a\u0629 \u0647\u064a \u0627\u0644\u0645\u0635\u062f\u0631 \u0627\u0644\u0623\u0643\u062b\u0631 \u0648\u0636\u0648\u062d\u0627\u064b \u0644\u0639\u062f\u0645 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631. \u0623\u064a \u0623\u0645\u0631 \u064a\u0644\u062a\u0642\u0637 \u0627\u0644\u0648\u0642\u062a \u0627\u0644\u062d\u0627\u0644\u064a \u064a\u0646\u062a\u062c \u0646\u062a\u064a\u062c\u0629 \u0645\u062e\u062a\u0644\u0641\u0629 \u0641\u064a \u0643\u0644 \u0628\u0646\u0627\u0621.<\/p>\n
\u0627\u0644\u062e\u0637\u0648\u0629 1: \u0625\u0632\u0627\u0644\u0629 \u0627\u0644\u0637\u0648\u0627\u0628\u0639 \u0627\u0644\u0632\u0645\u0646\u064a\u0629 \u0627\u0644\u0635\u0631\u064a\u062d\u0629<\/h3>\n
\u0627\u062d\u0630\u0641 \u0627\u0644\u0633\u0637\u0631 \u0627\u0644\u0630\u064a \u064a\u0643\u062a\u0628 \u0648\u0642\u062a \u0627\u0644\u0628\u0646\u0627\u0621:<\/p>\n
# REMOVE this line:\n# RUN echo \"Built at $(date)\" > \/build-info<\/code><\/pre>\n\u0625\u0630\u0627 \u0643\u0646\u062a \u0628\u062d\u0627\u062c\u0629 \u0625\u0644\u0649 \u0628\u064a\u0627\u0646\u0627\u062a \u0648\u0635\u0641\u064a\u0629 \u0644\u0644\u0628\u0646\u0627\u0621\u060c \u0645\u0631\u0631\u0647\u0627 \u0643\u062a\u0633\u0645\u064a\u0629 \u0628\u0642\u064a\u0645\u0629 \u062b\u0627\u0628\u062a\u0629 \u0645\u0634\u062a\u0642\u0629 \u0645\u0646 \u0627\u0644\u0645\u0635\u062f\u0631:<\/p>\n
ARG BUILD_COMMIT\nLABEL org.opencontainers.image.revision=${BUILD_COMMIT}<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 2: \u062a\u0639\u064a\u064a\u0646 SOURCE_DATE_EPOCH<\/h3>\n
SOURCE_DATE_EPOCH<\/code> \u0647\u0648 \u0645\u062a\u063a\u064a\u0631 \u0628\u064a\u0626\u0629 \u0645\u0648\u062d\u062f<\/a> \u064a\u062e\u0628\u0631 \u0623\u062f\u0648\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0637\u0627\u0628\u0639 \u0632\u0645\u0646\u064a \u062b\u0627\u0628\u062a \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0627\u0644\u0648\u0642\u062a \u0627\u0644\u062d\u0627\u0644\u064a. \u0627\u0644\u0639\u062f\u064a\u062f \u0645\u0646 \u0627\u0644\u0623\u062f\u0648\u0627\u062a \u062a\u062d\u062a\u0631\u0645\u0647\u060c \u0628\u0645\u0627 \u0641\u064a \u0630\u0644\u0643 tar<\/code> \u0648 gzip<\/code> \u0648 zip<\/code> \u0648\u0645\u064f\u062c\u0645\u0650\u0651\u0639 Go.<\/p>\nARG SOURCE_DATE_EPOCH\nENV SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH}<\/code><\/pre>\n\u0642\u0645 \u0628\u0627\u0644\u0628\u0646\u0627\u0621 \u0645\u0639 \u0627\u0644\u0637\u0627\u0628\u0639 \u0627\u0644\u0632\u0645\u0646\u064a \u0644\u0622\u062e\u0631 git commit:<\/p>\n
docker build \\\n --build-arg SOURCE_DATE_EPOCH=$(git log -1 --format=%ct) \\\n --no-cache \\\n -t myapp:repro .<\/code><\/pre>\n\u0647\u0630\u0627 \u064a\u0636\u0645\u0646 \u0623\u0646 \u0627\u0644\u0628\u0646\u0627\u0621\u0627\u062a \u0645\u0646 \u0646\u0641\u0633 \u0627\u0644\u0640 commit \u062a\u0633\u062a\u062e\u062f\u0645 \u062f\u0627\u0626\u0645\u0627\u064b \u0646\u0641\u0633 \u0627\u0644\u0637\u0627\u0628\u0639 \u0627\u0644\u0632\u0645\u0646\u064a\u060c \u0628\u063a\u0636 \u0627\u0644\u0646\u0638\u0631 \u0639\u0646 \u0648\u0642\u062a \u062a\u0634\u063a\u064a\u0644 \u0627\u0644\u0628\u0646\u0627\u0621 \u0641\u0639\u0644\u064a\u0627\u064b.<\/p>\n
\u0627\u0644\u062e\u0637\u0648\u0629 3: \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0645\u062e\u0631\u062c\u0627\u062a BuildKit OCI<\/h3>\n
\u064a\u0645\u0643\u0646 \u0644\u0640 BuildKit \u0625\u0646\u062a\u0627\u062c \u0635\u0648\u0631 \u0628\u062a\u0646\u0633\u064a\u0642 OCI \u0645\u0639 \u0625\u0646\u0634\u0627\u0621 \u0637\u0628\u0642\u0627\u062a \u0623\u0643\u062b\u0631 \u062d\u062a\u0645\u064a\u0629:<\/p>\n
docker buildx build \\\n --build-arg SOURCE_DATE_EPOCH=$(git log -1 --format=%ct) \\\n --output type=oci,dest=myapp.tar \\\n --no-cache \\\n .<\/code><\/pre>\n\u062a\u0646\u0633\u064a\u0642 \u0645\u062e\u0631\u062c\u0627\u062a OCI \u064a\u062a\u062c\u0646\u0628 \u0628\u0639\u0636 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0648\u0635\u0641\u064a\u0629 \u063a\u064a\u0631 \u0627\u0644\u062d\u062a\u0645\u064a\u0629 \u0627\u0644\u062a\u064a \u064a\u062a\u0636\u0645\u0646\u0647\u0627 \u062a\u0646\u0633\u064a\u0642 \u0635\u0648\u0631\u0629 Docker \u0627\u0644\u0627\u0641\u062a\u0631\u0627\u0636\u064a.<\/p>\n
\u0627\u0644\u062a\u0645\u0631\u064a\u0646 5: \u0628\u0646\u0627\u0621\u0627\u062a Go \u0627\u0644\u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631<\/h2>\n
\u064a\u0636\u0645\u0651\u0646 Go \u0639\u062f\u0629 \u0623\u062c\u0632\u0627\u0621 \u0645\u0646 \u0627\u0644\u0645\u0639\u0644\u0648\u0645\u0627\u062a \u063a\u064a\u0631 \u0627\u0644\u062d\u062a\u0645\u064a\u0629 \u0641\u064a \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0627\u0644\u062b\u0646\u0627\u0626\u064a\u0629 \u0627\u0644\u0645\u064f\u062c\u0645\u064e\u0651\u0639\u0629 \u0627\u0641\u062a\u0631\u0627\u0636\u064a\u0627\u064b: \u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0645\u062d\u0644\u064a\u0629\u060c \u0648\u0645\u0639\u0631\u0651\u0641 \u0628\u0646\u0627\u0621 \u0641\u0631\u064a\u062f\u060c \u0648\u0631\u0645\u0648\u0632 \u062a\u0635\u062d\u064a\u062d \u0627\u0644\u0623\u062e\u0637\u0627\u0621 \u0627\u0644\u062a\u064a \u062a\u0634\u064a\u0631 \u0625\u0644\u0649 \u0628\u064a\u0626\u0629 \u0627\u0644\u0628\u0646\u0627\u0621.<\/p>\n
\u0627\u0644\u062e\u0637\u0648\u0629 1: \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0639\u0644\u0627\u0645\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u0643\u0631\u0627\u0631<\/h3>\nRUN CGO_ENABLED=0 go build \\\n -trimpath \\\n -ldflags=\"-s -w -buildid=\" \\\n -o \/app .\/cmd\/app<\/code><\/pre>\n\u0625\u0644\u064a\u0643 \u0645\u0627 \u064a\u0641\u0639\u0644\u0647 \u0643\u0644 \u0639\u0644\u0645:<\/p>\n
\n\n\n\u0627\u0644\u0639\u0644\u0645<\/th>\n \u0627\u0644\u063a\u0631\u0636<\/th>\n<\/tr>\n<\/thead>\n \n\nCGO_ENABLED=0<\/code><\/td>\n\u064a\u0639\u0637\u0651\u0644 cgo\u060c \u0645\u0645\u0627 \u064a\u0646\u062a\u062c \u0645\u0644\u0641\u0627\u064b \u062b\u0646\u0627\u0626\u064a\u0627\u064b \u0645\u0631\u062a\u0628\u0637\u0627\u064b \u0627\u0633\u062a\u0627\u062a\u064a\u0643\u064a\u0627\u064b. \u064a\u062a\u062c\u0646\u0628 \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0639\u0644\u0649 \u0645\u0643\u062a\u0628\u0627\u062a C \u0627\u0644\u0646\u0638\u0627\u0645\u064a\u0629 \u0627\u0644\u062a\u064a \u0642\u062f \u062a\u062e\u062a\u0644\u0641 \u0628\u064a\u0646 \u0627\u0644\u0628\u0646\u0627\u0621\u0627\u062a.<\/td>\n<\/tr>\n \n-trimpath<\/code><\/td>\n\u064a\u0632\u064a\u0644 \u062c\u0645\u064a\u0639 \u0645\u0633\u0627\u0631\u0627\u062a \u0646\u0638\u0627\u0645 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0645\u062d\u0644\u064a \u0645\u0646 \u0627\u0644\u0645\u0644\u0641 \u0627\u0644\u062b\u0646\u0627\u0626\u064a \u0627\u0644\u0645\u064f\u062c\u0645\u064e\u0651\u0639. \u0628\u062f\u0648\u0646 \u0647\u0630\u0627\u060c \u064a\u062d\u062a\u0648\u064a \u0627\u0644\u0645\u0644\u0641 \u0627\u0644\u062b\u0646\u0627\u0626\u064a \u0639\u0644\u0649 \u0645\u0633\u0627\u0631\u0627\u062a \u0645\u062b\u0644 \/src\/cmd\/app\/main.go<\/code> \u0645\u0646 \u0628\u064a\u0626\u0629 \u0627\u0644\u0628\u0646\u0627\u0621.<\/td>\n<\/tr>\n\n-ldflags=\"-s -w\"<\/code><\/td>\n\u064a\u0632\u064a\u0644 \u062c\u062f\u0648\u0644 \u0627\u0644\u0631\u0645\u0648\u0632 (-s<\/code>) \u0648\u0645\u0639\u0644\u0648\u0645\u0627\u062a \u062a\u0635\u062d\u064a\u062d DWARF (-w<\/code>). \u0647\u0630\u0647 \u062a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 \u0628\u064a\u0627\u0646\u0627\u062a \u062e\u0627\u0635\u0629 \u0628\u0628\u064a\u0626\u0629 \u0627\u0644\u0628\u0646\u0627\u0621.<\/td>\n<\/tr>\n\n-ldflags=\"-buildid=\"<\/code><\/td>\n\u064a\u0639\u064a\u0651\u0646 \u0645\u0639\u0631\u0651\u0641 \u0627\u0644\u0628\u0646\u0627\u0621 \u0625\u0644\u0649 \u0641\u0627\u0631\u063a. \u0639\u0627\u062f\u0629\u064b \u0645\u0627 \u064a\u0646\u0634\u0626 Go \u0645\u0639\u0631\u0651\u0641 \u0628\u0646\u0627\u0621 \u0641\u0631\u064a\u062f \u064a\u062a\u063a\u064a\u0631 \u0628\u064a\u0646 \u0627\u0644\u0628\u0646\u0627\u0621\u0627\u062a \u062d\u062a\u0649 \u0645\u0639 \u0645\u0635\u062f\u0631 \u0645\u062a\u0637\u0627\u0628\u0642.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\u0627\u0644\u062e\u0637\u0648\u0629 2: \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0642\u0627\u0628\u0644\u064a\u0629 \u062a\u0643\u0631\u0627\u0631 \u0627\u0644\u0645\u0644\u0641 \u0627\u0644\u062b\u0646\u0627\u0626\u064a<\/h3>\n# Build twice\ndocker build --no-cache -t myapp:go1 .\ndocker build --no-cache -t myapp:go2 .\n\n# Extract and hash the binary from each image\ndocker create --name tmp1 myapp:go1\ndocker cp tmp1:\/app .\/app1\ndocker rm tmp1\n\ndocker create --name tmp2 myapp:go2\ndocker cp tmp2:\/app .\/app2\ndocker rm tmp2\n\nsha256sum app1 app2<\/code><\/pre>\n\u064a\u062c\u0628 \u0623\u0646 \u062a\u0643\u0648\u0646 \u062a\u062c\u0632\u0626\u0627\u062a SHA-256 \u0644\u0640 app1<\/code> \u0648 app2<\/code> \u0645\u062a\u0637\u0627\u0628\u0642\u0629. \u0627\u0644\u0645\u0644\u0641 \u0627\u0644\u062b\u0646\u0627\u0626\u064a \u0644\u0640 Go \u0623\u0635\u0628\u062d \u0627\u0644\u0622\u0646 \u0642\u0627\u0628\u0644\u0627\u064b \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0628\u062a \u0628\u0628\u062a.<\/p>\n\u0627\u0644\u062a\u0645\u0631\u064a\u0646 6: \u0645\u0644\u0641 Dockerfile \u0627\u0644\u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0628\u0627\u0644\u0643\u0627\u0645\u0644<\/h2>\n
\u0627\u0644\u0622\u0646 \u062f\u0639\u0646\u0627 \u0646\u062c\u0645\u0639 \u0643\u0644 \u062a\u0642\u0646\u064a\u0629 \u0641\u064a \u0645\u0644\u0641 Dockerfile \u0648\u0627\u062d\u062f \u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0628\u0627\u0644\u0643\u0627\u0645\u0644.<\/p>\n
\u0645\u0644\u0641 Dockerfile \u0627\u0644\u0643\u0627\u0645\u0644<\/h3>\n# syntax=docker\/dockerfile:1\n\n# ---- Build Stage ----\nFROM golang:1.22@sha256:d0902bacefdde1cf45079803dc16feeb58f3aa9df52052cc00deb2c3e5de367b AS builder\n\nARG SOURCE_DATE_EPOCH\nENV SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH}\n\nWORKDIR \/src\n\n# Cache dependency downloads\nCOPY go.mod go.sum .\/\nRUN go mod download && go mod verify\n\n# Copy source and build\nCOPY . .\nRUN CGO_ENABLED=0 go build \\\n -trimpath \\\n -ldflags=\"-s -w -buildid=\" \\\n -o \/app .\/cmd\/app\n\n# ---- Runtime Stage ----\nFROM gcr.io\/distroless\/static-debian12:nonroot@sha256:6ec5aa99dc335b19f6c2bcb8e09cf92404e56f0db4e2f58cf92c4536e1548415\n\nARG SOURCE_DATE_EPOCH\nENV SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH}\n\nCOPY --from=builder \/app \/app\n\nUSER nonroot:nonroot\nEXPOSE 8080\nENTRYPOINT [\"\/app\"]<\/code><\/pre>\n\u0645\u0644\u0641 .dockerignore \u0627\u0644\u0643\u0627\u0645\u0644<\/h3>\n.git\n.github\n.gitignore\n*.md\nREADME*\nLICENSE\ndocker-compose*.yml\nMakefile\n.env\n.env.*\n*.tar\n*.log\ntmp\/\nbuild\/\ndiff-report\/\n<\/code><\/pre>\n\u0645\u0644\u0641 .dockerignore<\/code> \u0628\u0627\u0644\u063a \u0627\u0644\u0623\u0647\u0645\u064a\u0629. \u0628\u062f\u0648\u0646\u0647\u060c \u064a\u062a\u0633\u0631\u0628 \u0645\u062c\u0644\u062f .git\/<\/code> \u0625\u0644\u0649 \u0633\u064a\u0627\u0642 \u0627\u0644\u0628\u0646\u0627\u0621. \u0628\u0645\u0627 \u0623\u0646 .git\/<\/code> \u064a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 \u0637\u0648\u0627\u0628\u0639 \u0632\u0645\u0646\u064a\u0629 \u0648\u0645\u0644\u0641\u0627\u062a \u0642\u0641\u0644 \u0648\u0628\u064a\u0627\u0646\u0627\u062a \u0648\u0635\u0641\u064a\u0629 \u0645\u062a\u063a\u064a\u0631\u0629 \u0623\u062e\u0631\u0649\u060c \u0641\u0625\u0646\u0647 \u064a\u062c\u0639\u0644 \u0643\u0644 \u0633\u064a\u0627\u0642 \u0628\u0646\u0627\u0621 \u0641\u0631\u064a\u062f\u0627\u064b \u062d\u062a\u0649 \u0639\u0646\u062f\u0645\u0627 \u064a\u0643\u0648\u0646 \u0627\u0644\u0645\u0635\u062f\u0631 \u0645\u062a\u0637\u0627\u0628\u0642\u0627\u064b.<\/p>\n\u0627\u0644\u0628\u0646\u0627\u0621 \u0648\u0627\u0644\u062a\u062d\u0642\u0642<\/h3>\nSOURCE_EPOCH=$(git log -1 --format=%ct)\n\n# Build twice\ndocker buildx build \\\n --build-arg SOURCE_DATE_EPOCH=${SOURCE_EPOCH} \\\n --output type=oci,dest=build1.tar \\\n --no-cache .\n\ndocker buildx build \\\n --build-arg SOURCE_DATE_EPOCH=${SOURCE_EPOCH} \\\n --output type=oci,dest=build2.tar \\\n --no-cache .\n\n# Compare\nsha256sum build1.tar build2.tar<\/code><\/pre>\n\u0645\u0639 \u062a\u0637\u0628\u064a\u0642 \u062c\u0645\u064a\u0639 \u062a\u0642\u0646\u064a\u0627\u062a \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631\u060c \u064a\u062c\u0628 \u0623\u0646 \u062a\u062a\u0637\u0627\u0628\u0642 \u062a\u062c\u0632\u0626\u0627\u062a SHA-256 \u0644\u0623\u0631\u0634\u064a\u0641\u064a OCI \u0623\u0648 \u062a\u0643\u0648\u0646 \u0642\u0631\u064a\u0628\u0629 \u062c\u062f\u0627\u064b. \u0623\u064a \u0627\u062e\u062a\u0644\u0627\u0641\u0627\u062a \u0645\u062a\u0628\u0642\u064a\u0629 \u0633\u062a\u0643\u0648\u0646 \u0641\u064a \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0648\u0635\u0641\u064a\u0629 \u0644\u062a\u0643\u0648\u064a\u0646 \u0627\u0644\u0635\u0648\u0631\u0629 \u0648\u064a\u0645\u0643\u0646 \u062d\u0644\u0647\u0627 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0639\u0644\u0627\u0645\u0629 --source-date-epoch<\/code> \u0641\u064a BuildKit (\u0645\u062a\u0627\u062d\u0629 \u0641\u064a BuildKit 0.13+):<\/p>\ndocker buildx build \\\n --build-arg SOURCE_DATE_EPOCH=${SOURCE_EPOCH} \\\n --source-date-epoch ${SOURCE_EPOCH} \\\n --output type=oci,dest=build-final.tar \\\n --no-cache .<\/code><\/pre>\n\u0627\u0644\u062a\u0645\u0631\u064a\u0646 7: \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0641\u064a CI\/CD<\/h2>\n
\u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u062a\u0643\u0648\u0646 \u0630\u0627\u062a \u0642\u064a\u0645\u0629 \u0641\u0642\u0637 \u0625\u0630\u0627 \u062a\u062d\u0642\u0642\u062a \u0645\u0646\u0647\u0627 \u0628\u0627\u0633\u062a\u0645\u0631\u0627\u0631. \u0628\u0646\u0627\u0621 \u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0627\u0644\u064a\u0648\u0645 \u064a\u0645\u0643\u0646 \u0623\u0646 \u064a\u0635\u0628\u062d \u063a\u064a\u0631 \u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u063a\u062f\u0627\u064b \u0625\u0630\u0627 \u0623\u0636\u0627\u0641 \u0634\u062e\u0635 \u0645\u0627 \u062a\u0628\u0639\u064a\u0629 \u0645\u062a\u063a\u064a\u0631\u0629 \u0623\u0648 \u0637\u0627\u0628\u0639\u0627\u064b \u0632\u0645\u0646\u064a\u0627\u064b. \u0627\u0644\u062d\u0644 \u0647\u0648 \u0627\u0644\u0628\u0646\u0627\u0621 \u0645\u0631\u062a\u064a\u0646 \u0641\u064a \u0643\u0644 \u062a\u0634\u063a\u064a\u0644 CI \u0648\u0627\u0644\u062a\u0623\u0643\u062f \u0645\u0646 \u0623\u0646 \u0627\u0644\u0646\u062a\u0627\u0626\u062c \u0645\u062a\u0637\u0627\u0628\u0642\u0629.<\/p>\n
\u0633\u064a\u0631 \u0639\u0645\u0644 GitHub Actions<\/h3>\n
\u0623\u0646\u0634\u0626 \u0627\u0644\u0645\u0644\u0641 .github\/workflows\/reproducible-build.yml<\/code>:<\/p>\nname: Verify Reproducible Build\n\non:\n push:\n branches: [main]\n pull_request:\n branches: [main]\n\njobs:\n verify-reproducibility:\n runs-on: ubuntu-latest\n steps:\n - name: Checkout code\n uses: actions\/checkout@v4\n\n - name: Set up Docker Buildx\n uses: docker\/setup-buildx-action@v3\n\n - name: Compute SOURCE_DATE_EPOCH\n id: epoch\n run: echo \"value=$(git log -1 --format=%ct)\" >> \"$GITHUB_OUTPUT\"\n\n - name: Build image (first pass)\n run: |\n docker buildx build \\\n --build-arg SOURCE_DATE_EPOCH=${{ steps.epoch.outputs.value }} \\\n --output type=oci,dest=build-pass1.tar \\\n --no-cache \\\n .\n\n - name: Record first digest\n id: digest1\n run: echo \"sha=$(sha256sum build-pass1.tar | awk '{print $1}')\" >> \"$GITHUB_OUTPUT\"\n\n - name: Build image (second pass)\n run: |\n docker buildx build \\\n --build-arg SOURCE_DATE_EPOCH=${{ steps.epoch.outputs.value }} \\\n --output type=oci,dest=build-pass2.tar \\\n --no-cache \\\n .\n\n - name: Record second digest\n id: digest2\n run: echo \"sha=$(sha256sum build-pass2.tar | awk '{print $1}')\" >> \"$GITHUB_OUTPUT\"\n\n - name: Compare digests\n run: |\n echo \"Build 1: ${{ steps.digest1.outputs.sha }}\"\n echo \"Build 2: ${{ steps.digest2.outputs.sha }}\"\n if [ \"${{ steps.digest1.outputs.sha }}\" != \"${{ steps.digest2.outputs.sha }}\" ]; then\n echo \"::error::Builds are NOT reproducible! Digests differ.\"\n echo \"Running diffoscope to identify differences...\"\n pip install diffoscope\n diffoscope build-pass1.tar build-pass2.tar --text diff-output.txt || true\n cat diff-output.txt\n exit 1\n fi\n echo \"Builds are reproducible. Digests match.\"\n\n - name: Upload diff report on failure\n if: failure()\n uses: actions\/upload-artifact@v4\n with:\n name: reproducibility-diff\n path: diff-output.txt\n\n - name: Sign the verified image\n if: github.ref == 'refs\/heads\/main'\n env:\n COSIGN_EXPERIMENTAL: \"true\"\n run: |\n # Load the OCI image into Docker\n docker load -i build-pass1.tar\n # In production, push to a registry and sign with Cosign:\n # cosign sign --yes $REGISTRY\/$IMAGE@$DIGEST\n echo \"Image verified as reproducible and ready for signing.\"\n<\/code><\/pre>\n\u064a\u0642\u0648\u0645 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0647\u0630\u0627 \u0628\u0645\u0627 \u064a\u0644\u064a \u0641\u064a \u0643\u0644 push \u0648 pull request:<\/p>\n
\n- \u064a\u0633\u062d\u0628 \u0627\u0644\u0643\u0648\u062f \u0648\u064a\u064f\u0639\u062f\u0651 BuildKit.<\/li>\n
- \u064a\u062d\u0633\u0628
SOURCE_DATE_EPOCH<\/code> \u0645\u0646 \u0627\u0644\u0637\u0627\u0628\u0639 \u0627\u0644\u0632\u0645\u0646\u064a \u0644\u0622\u062e\u0631 commit.<\/li>\n- \u064a\u0628\u0646\u064a \u0627\u0644\u0635\u0648\u0631\u0629 \u0645\u0646 \u0627\u0644\u0635\u0641\u0631 (\u0627\u0644\u0645\u0631\u0648\u0631 \u0627\u0644\u0623\u0648\u0644) \u0648\u064a\u0633\u062c\u0644 \u0627\u0644\u0628\u0635\u0645\u0629.<\/li>\n
- \u064a\u0628\u0646\u064a \u0627\u0644\u0635\u0648\u0631\u0629 \u0645\u0646 \u0627\u0644\u0635\u0641\u0631 \u0645\u0631\u0629 \u0623\u062e\u0631\u0649 (\u0627\u0644\u0645\u0631\u0648\u0631 \u0627\u0644\u062b\u0627\u0646\u064a) \u0648\u064a\u0633\u062c\u0644 \u0627\u0644\u0628\u0635\u0645\u0629.<\/li>\n
- \u064a\u0642\u0627\u0631\u0646 \u0627\u0644\u0628\u0635\u0645\u062a\u064a\u0646. \u0625\u0630\u0627 \u0627\u062e\u062a\u0644\u0641\u062a\u0627\u060c \u062a\u0641\u0634\u0644 \u0627\u0644\u0645\u0647\u0645\u0629 \u0648\u064a\u062a\u0645 \u062a\u0634\u063a\u064a\u0644
diffoscope<\/code> \u0644\u0625\u0646\u062a\u0627\u062c \u062a\u0642\u0631\u064a\u0631 \u0641\u0631\u0648\u0642\u0627\u062a \u0645\u0641\u0635\u0644.<\/li>\n- \u0639\u0646\u062f \u0627\u0644\u0646\u062c\u0627\u062d \u0639\u0644\u0649 \u0627\u0644\u0641\u0631\u0639 \u0627\u0644\u0631\u0626\u064a\u0633\u064a\u060c \u062a\u0643\u0648\u0646 \u0627\u0644\u0635\u0648\u0631\u0629 \u0627\u0644\u0645\u064f\u062a\u062d\u0642\u0642 \u0645\u0646\u0647\u0627 \u062c\u0627\u0647\u0632\u0629 \u0644\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Cosign.<\/li>\n<\/ol>\n
\u0647\u0630\u0627 \u0647\u0648 \u0623\u0642\u0648\u0649 \u0636\u0645\u0627\u0646 \u064a\u0645\u0643\u0646\u0643 \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u064a\u0647: \u0643\u0644 \u062a\u0634\u063a\u064a\u0644 CI \u064a\u062b\u0628\u062a \u0623\u0646 \u0628\u0646\u0627\u0621\u0643 \u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u0643\u0631\u0627\u0631. \u0625\u0630\u0627 \u0623\u062f\u062e\u0644 \u0645\u0637\u0648\u0631 \u0639\u062f\u0645 \u062d\u062a\u0645\u064a\u0629\u060c \u064a\u0646\u0643\u0633\u0631 \u0627\u0644\u0628\u0646\u0627\u0621 \u0641\u0648\u0631\u0627\u064b.<\/p>\n
\u0627\u0644\u062a\u0645\u0631\u064a\u0646 8: \u0645\u0642\u0627\u0631\u0646\u0629 \u0627\u0644\u0635\u0648\u0631 \u0628\u064a\u0646 \u0627\u0644\u0625\u0635\u062f\u0627\u0631\u0627\u062a<\/h2>\n
\u0627\u0644\u0628\u0646\u0627\u0621\u0627\u062a \u0627\u0644\u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u062a\u0645\u0646\u062d\u0643 \u0623\u064a\u0636\u0627\u064b \u0627\u0644\u0642\u062f\u0631\u0629 \u0639\u0644\u0649 \u0645\u0642\u0627\u0631\u0646\u0629 \u0627\u0644\u0641\u0631\u0648\u0642\u0627\u062a \u0628\u064a\u0646 \u0627\u0644\u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0648\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0623\u0646 \u0627\u0644\u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0627\u0644\u0645\u062a\u0648\u0642\u0639\u0629 \u0641\u0642\u0637 \u0647\u064a \u0627\u0644\u0645\u0648\u062c\u0648\u062f\u0629. \u0647\u0630\u0627 \u0623\u0645\u0631 \u0628\u0627\u0644\u063a \u0627\u0644\u0623\u0647\u0645\u064a\u0629 \u0644\u062a\u062f\u0642\u064a\u0642 \u0627\u0644\u0625\u0635\u062f\u0627\u0631\u0627\u062a: \u062a\u0631\u064a\u062f \u0627\u0644\u062a\u0623\u0643\u062f \u0645\u0646 \u0623\u0646 \u062a\u0631\u0642\u064a\u0629 \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u063a\u064a\u0651\u0631\u062a \u0641\u0642\u0637 \u0627\u0644\u0645\u0644\u0641 \u0627\u0644\u062b\u0646\u0627\u0626\u064a \u0644\u0644\u062a\u0637\u0628\u064a\u0642\u060c \u0648\u0644\u064a\u0633 \u0627\u0644\u0635\u0648\u0631\u0629 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629 \u0623\u0648 \u062d\u0632\u0645 \u0627\u0644\u0646\u0638\u0627\u0645.<\/p>\n
\u0627\u0644\u062e\u0637\u0648\u0629 1: \u0628\u0646\u0627\u0621 \u0627\u0644\u0625\u0635\u062f\u0627\u0631 1<\/h3>\nSOURCE_EPOCH=$(git log -1 --format=%ct)\n\ndocker buildx build \\\n --build-arg SOURCE_DATE_EPOCH=${SOURCE_EPOCH} \\\n --output type=oci,dest=image-v1.tar \\\n --no-cache .<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 2: \u0625\u062c\u0631\u0627\u0621 \u062a\u063a\u064a\u064a\u0631 \u0641\u064a \u0627\u0644\u0643\u0648\u062f<\/h3>\n
\u0639\u062f\u0651\u0644 cmd\/app\/main.go<\/code> \u0644\u062a\u063a\u064a\u064a\u0631 \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u0625\u0635\u062f\u0627\u0631:<\/p>\nfmt.Fprintf(w, \"Hello from repro-build-lab v2\\n\")<\/code><\/pre>\n\u0642\u0645 \u0628\u0639\u0645\u0644 commit \u0644\u0644\u062a\u063a\u064a\u064a\u0631:<\/p>\n
git add cmd\/app\/main.go\ngit commit -m \"Bump to v2\"<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 3: \u0628\u0646\u0627\u0621 \u0627\u0644\u0625\u0635\u062f\u0627\u0631 2<\/h3>\nSOURCE_EPOCH=$(git log -1 --format=%ct)\n\ndocker buildx build \\\n --build-arg SOURCE_DATE_EPOCH=${SOURCE_EPOCH} \\\n --output type=oci,dest=image-v2.tar \\\n --no-cache .<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 4: \u0627\u0644\u0645\u0642\u0627\u0631\u0646\u0629 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 diffoscope<\/h3>\ndiffoscope image-v1.tar image-v2.tar --html-dir version-diff-report<\/code><\/pre>\n\u0627\u0641\u062a\u062d \u0627\u0644\u062a\u0642\u0631\u064a\u0631. \u064a\u062c\u0628 \u0623\u0646 \u062a\u0631\u0649 \u0623\u0646 \u0627\u0644\u0627\u062e\u062a\u0644\u0627\u0641\u0627\u062a \u0627\u0644\u0648\u062d\u064a\u062f\u0629 \u0647\u064a:<\/p>\n
\n- \u0627\u0644\u0645\u0644\u0641 \u0627\u0644\u062b\u0646\u0627\u0626\u064a \u0644\u062a\u0637\u0628\u064a\u0642 Go \u2014 \u0644\u0623\u0646\u0646\u0627 \u063a\u064a\u0651\u0631\u0646\u0627 \u0627\u0644\u0643\u0648\u062f \u0627\u0644\u0645\u0635\u062f\u0631\u064a.<\/li>\n
- \u0642\u064a\u0645\u0629
SOURCE_DATE_EPOCH<\/code> \u2014 \u0644\u0623\u0646 \u0627\u0644\u0637\u0627\u0628\u0639 \u0627\u0644\u0632\u0645\u0646\u064a \u0644\u0640 commit \u062a\u063a\u064a\u0631.<\/li>\n<\/ul>\n\u0637\u0628\u0642\u0627\u062a \u0627\u0644\u0635\u0648\u0631\u0629 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629 \u0648\u0628\u064a\u0626\u0629 \u0627\u0644\u062a\u0634\u063a\u064a\u0644 distroless \u0648\u062c\u0645\u064a\u0639 \u0627\u0644\u0637\u0628\u0642\u0627\u062a \u0627\u0644\u0623\u062e\u0631\u0649 \u064a\u062c\u0628 \u0623\u0646 \u062a\u0643\u0648\u0646 \u0645\u062a\u0637\u0627\u0628\u0642\u0629 \u062a\u0645\u0627\u0645\u0627\u064b.<\/p>\n
\u0627\u0644\u062e\u0637\u0648\u0629 5: \u0645\u0642\u0627\u0631\u0646\u0629 \u0627\u0644\u0637\u0628\u0642\u0627\u062a \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 crane<\/h3>\n# Load images and push to a local registry for crane inspection\ndocker run -d -p 5000:5000 --name registry registry:2\n\n# Load and push v1\ndocker load -i image-v1.tar\ndocker tag myapp:latest localhost:5000\/myapp:v1\ndocker push localhost:5000\/myapp:v1\n\n# Load and push v2\ndocker load -i image-v2.tar\ndocker tag myapp:latest localhost:5000\/myapp:v2\ndocker push localhost:5000\/myapp:v2\n\n# List layers for each version\ncrane manifest localhost:5000\/myapp:v1 | jq '.layers[].digest'\ncrane manifest localhost:5000\/myapp:v2 | jq '.layers[].digest'<\/code><\/pre>\n\u0642\u0627\u0631\u0646 \u0628\u0635\u0645\u0627\u062a \u0627\u0644\u0637\u0628\u0642\u0627\u062a. \u0633\u062a\u0631\u0649 \u0623\u0646 \u062c\u0645\u064a\u0639 \u0627\u0644\u0637\u0628\u0642\u0627\u062a \u0645\u062a\u0637\u0627\u0628\u0642\u0629 \u0628\u0627\u0633\u062a\u062b\u0646\u0627\u0621 \u0627\u0644\u0637\u0628\u0642\u0629 \u0627\u0644\u062a\u064a \u062a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 \u0645\u0644\u0641 Go \u0627\u0644\u062b\u0646\u0627\u0626\u064a. \u0647\u0630\u0627 \u0628\u0627\u0644\u0636\u0628\u0637 \u0645\u0627 \u062a\u0631\u064a\u062f\u0647: \u062a\u0631\u0642\u064a\u0629 \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u064a\u062c\u0628 \u0623\u0646 \u062a\u063a\u064a\u0631 \u0641\u0642\u0637 \u0637\u0628\u0642\u0629 \u0627\u0644\u062a\u0637\u0628\u064a\u0642\u060c \u0644\u0627 \u0634\u064a\u0621 \u0622\u062e\u0631.<\/p>\n
\u0625\u0630\u0627 \u0631\u0623\u064a\u062a \u062a\u063a\u064a\u064a\u0631\u0627\u062a \u063a\u064a\u0631 \u0645\u062a\u0648\u0642\u0639\u0629 \u0641\u064a \u0627\u0644\u0637\u0628\u0642\u0627\u062a (\u0639\u0644\u0649 \u0633\u0628\u064a\u0644 \u0627\u0644\u0645\u062b\u0627\u0644\u060c \u0637\u0628\u0642\u0629 \u0627\u0644\u0635\u0648\u0631\u0629 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629 \u062a\u062e\u062a\u0644\u0641)\u060c \u0641\u0647\u0630\u0627 \u064a\u0639\u0646\u064a \u0623\u0646 \u0634\u064a\u0626\u0627\u064b \u0645\u0627 \u0643\u0633\u0631 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0648\u064a\u062d\u062a\u0627\u062c \u0625\u0644\u0649 \u062a\u062d\u0642\u064a\u0642. \u0647\u0630\u0647 \u0627\u0644\u0645\u0642\u0627\u0631\u0646\u0629 \u0637\u0628\u0642\u0629 \u0628\u0637\u0628\u0642\u0629 \u0647\u064a \u062a\u0642\u0646\u064a\u0629 \u062a\u062f\u0642\u064a\u0642 \u0642\u0648\u064a\u0629 \u062a\u0639\u0645\u0644 \u0641\u0642\u0637 \u0639\u0646\u062f\u0645\u0627 \u062a\u0643\u0648\u0646 \u0628\u0646\u0627\u0621\u0627\u062a\u0643 \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631.<\/p>\n
\u0627\u0644\u062a\u0646\u0638\u064a\u0641<\/h2>\n# Remove test images\ndocker rmi myapp:build1 myapp:build2 myapp:pinned1 myapp:pinned2 \\\n myapp:pinpkg1 myapp:pinpkg2 myapp:go1 myapp:go2 myapp:repro 2>\/dev\/null\n\n# Remove OCI tarballs\nrm -f build1.tar build2.tar build-pass1.tar build-pass2.tar \\\n image-v1.tar image-v2.tar myapp.tar\n\n# Remove extracted binaries\nrm -f app1 app2\n\n# Remove diff reports\nrm -rf diff-report version-diff-report\n\n# Stop and remove the local registry\ndocker stop registry && docker rm registry 2>\/dev\/null\n\n# Remove the test project (optional)\ncd .. && rm -rf repro-build-lab<\/code><\/pre>\n\u0627\u0644\u0646\u0642\u0627\u0637 \u0627\u0644\u0631\u0626\u064a\u0633\u064a\u0629<\/h2>\n\n- \u062b\u0628\u0651\u062a \u0627\u0644\u0635\u0648\u0631 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629 \u0628\u0648\u0627\u0633\u0637\u0629 digest \u0648\u0644\u064a\u0633 \u0628\u0627\u0644\u0648\u0633\u0645.<\/strong> \u0627\u0644\u0648\u0633\u0648\u0645 \u0647\u064a \u0645\u0624\u0634\u0631\u0627\u062a \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u063a\u064a\u064a\u0631. \u0627\u0644\u0628\u0635\u0645\u0627\u062a \u0647\u064a \u0636\u0645\u0627\u0646\u0627\u062a \u062a\u0634\u0641\u064a\u0631\u064a\u0629. \u0627\u0633\u062a\u062e\u062f\u0645
crane digest<\/code> \u0644\u0644\u0639\u062b\u0648\u0631 \u0639\u0644\u0649 digest \u0627\u0644\u062d\u0627\u0644\u064a \u0648\u0642\u0645 \u0628\u062a\u062d\u062f\u064a\u062b\u0647 \u0639\u0645\u062f\u0627\u064b \u0645\u0646 \u062e\u0644\u0627\u0644 PR\u060c \u0648\u0644\u064a\u0633 \u0628\u0635\u0645\u062a \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u0628\u0646\u0627\u0621.<\/li>\n- \u062b\u0628\u0651\u062a \u062c\u0645\u064a\u0639 \u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0627\u0644\u062d\u0632\u0645 \u0623\u0648 \u062a\u062c\u0646\u0628 \u0645\u062f\u064a\u0631\u064a \u0627\u0644\u062d\u0632\u0645 \u0641\u064a \u0635\u0648\u0631\u0629 \u0627\u0644\u062a\u0634\u063a\u064a\u0644.<\/strong> \u0627\u0644\u0628\u0646\u0627\u0621\u0627\u062a \u0645\u062a\u0639\u062f\u062f\u0629 \u0627\u0644\u0645\u0631\u0627\u062d\u0644 \u0645\u0639 \u0635\u0648\u0631 \u062a\u0634\u063a\u064a\u0644 distroless \u0623\u0648 scratch \u062a\u0642\u0636\u064a \u0639\u0644\u0649 \u0641\u0626\u0629 \u0643\u0627\u0645\u0644\u0629 \u0645\u0646 \u0639\u062f\u0645 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631.<\/li>\n
- \u0623\u0632\u0644 \u062c\u0645\u064a\u0639 \u0645\u0635\u0627\u062f\u0631 \u0627\u0644\u0637\u0648\u0627\u0628\u0639 \u0627\u0644\u0632\u0645\u0646\u064a\u0629.<\/strong> \u0627\u0633\u062a\u062e\u062f\u0645
SOURCE_DATE_EPOCH<\/code> \u0627\u0644\u0645\u0634\u062a\u0642 \u0645\u0646 \u0627\u0644\u0637\u0627\u0628\u0639 \u0627\u0644\u0632\u0645\u0646\u064a \u0644\u0640 git commit. \u0644\u0627 \u062a\u0642\u0645 \u0623\u0628\u062f\u0627\u064b \u0628\u062a\u0634\u063a\u064a\u0644 date<\/code> \u0623\u0648 timestamp<\/code> \u0623\u0648 \u0623\u0648\u0627\u0645\u0631 \u0645\u0634\u0627\u0628\u0647\u0629 \u0641\u064a Dockerfile.<\/li>\n- \u0627\u0633\u062a\u062e\u062f\u0645 \u0639\u0644\u0627\u0645\u0627\u062a \u0627\u0644\u0645\u064f\u062c\u0645\u0650\u0651\u0639 \u0627\u0644\u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631.<\/strong> \u0644\u0640 Go:
-trimpath<\/code> \u0648 -ldflags=\"-s -w -buildid=\"<\/code> \u0648 CGO_ENABLED=0<\/code>. \u0627\u0644\u0644\u063a\u0627\u062a \u0627\u0644\u0623\u062e\u0631\u0649 \u0644\u062f\u064a\u0647\u0627 \u062e\u064a\u0627\u0631\u0627\u062a \u0645\u0634\u0627\u0628\u0647\u0629.<\/li>\n- \u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0641\u064a CI\/CD \u0628\u0627\u0644\u0628\u0646\u0627\u0621 \u0645\u0631\u062a\u064a\u0646 \u0648\u0627\u0644\u0645\u0642\u0627\u0631\u0646\u0629.<\/strong> \u0647\u0630\u0647 \u0647\u064a \u0627\u0644\u0637\u0631\u064a\u0642\u0629 \u0627\u0644\u0648\u062d\u064a\u062f\u0629 \u0644\u0636\u0645\u0627\u0646 \u0628\u0642\u0627\u0621 \u0628\u0646\u0627\u0626\u0643 \u0642\u0627\u0628\u0644\u0627\u064b \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0645\u0639 \u062a\u0637\u0648\u0631 \u0627\u0644\u0645\u0634\u0631\u0648\u0639. \u0625\u0630\u0627 \u0627\u062e\u062a\u0644\u0641\u062a \u0627\u0644\u0628\u0635\u0645\u0627\u062a\u060c \u0623\u0641\u0634\u0644 \u0627\u0644\u0628\u0646\u0627\u0621.<\/li>\n
- \u0627\u0633\u062a\u062e\u062f\u0645 diffoscope \u0644\u062a\u062f\u0642\u064a\u0642 \u0627\u0644\u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0628\u064a\u0646 \u0627\u0644\u0625\u0635\u062f\u0627\u0631\u0627\u062a.<\/strong> \u0627\u0644\u0628\u0646\u0627\u0621\u0627\u062a \u0627\u0644\u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u062a\u0645\u0643\u0651\u0646 \u0645\u0642\u0627\u0631\u0646\u0627\u062a \u0635\u0648\u0631 \u0630\u0627\u062a \u0645\u0639\u0646\u0649. \u064a\u0645\u0643\u0646\u0643 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0623\u0646 \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u064a\u062d\u062a\u0648\u064a \u0641\u0642\u0637 \u0639\u0644\u0649 \u0627\u0644\u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0627\u0644\u062a\u064a \u0642\u0635\u062f\u062a\u0647\u0627 \u2014 \u0644\u0627 \u0634\u064a\u0621 \u0623\u0643\u062b\u0631.<\/li>\n<\/ul>\n
\u0627\u0644\u062e\u0637\u0648\u0627\u062a \u0627\u0644\u062a\u0627\u0644\u064a\u0629<\/h2>\n
\u0627\u0644\u0622\u0646 \u0628\u0639\u062f \u0623\u0646 \u0623\u0635\u0628\u062d \u0628\u0625\u0645\u0643\u0627\u0646\u0643 \u0625\u0646\u062a\u0627\u062c \u0635\u0648\u0631 \u062d\u0627\u0648\u064a\u0627\u062a \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631\u060c \u0627\u0633\u062a\u0643\u0634\u0641 \u0643\u064a\u0641\u064a\u0629 \u0628\u0646\u0627\u0621 \u0633\u0644\u0633\u0644\u0629 \u0643\u0627\u0645\u0644\u0629 \u0644\u0644\u0633\u0644\u0627\u0645\u0629 \u0648\u0627\u0644\u0645\u0635\u062f\u0631 \u062d\u0648\u0644\u0647\u0627:<\/p>\n
\n- \u0633\u0644\u0627\u0645\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0648\u0627\u0644\u0628\u0646\u0627\u0621\u0627\u062a \u0627\u0644\u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631<\/a> \u2014 \u062a\u0639\u0645\u0642 \u0641\u064a \u0627\u0644\u0646\u0638\u0631\u064a\u0629 \u0648\u0631\u0627\u0621 \u0627\u0644\u0628\u0646\u0627\u0621\u0627\u062a \u0627\u0644\u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631\u060c \u0648\u0645\u062a\u0637\u0644\u0628\u0627\u062a \u0645\u0633\u062a\u0648\u0649 \u0628\u0646\u0627\u0621 SLSA\u060c \u0648\u0643\u064a\u0641 \u062a\u062a\u0646\u0627\u0633\u0628 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u0636\u0645\u0646 \u0625\u0637\u0627\u0631 \u0623\u0648\u0633\u0639 \u0644\u0633\u0644\u0627\u0645\u0629 \u0627\u0644\u0628\u0646\u0627\u0621.<\/li>\n
- \u0645\u0635\u062f\u0631 \u0627\u0644\u0639\u0646\u0627\u0635\u0631 \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0629 \u0648\u0627\u0644\u0634\u0647\u0627\u062f\u0627\u062a: \u0645\u0646 SLSA \u0625\u0644\u0649 in-toto<\/a> \u2014 \u062a\u0639\u0644\u0645 \u0643\u064a\u0641\u064a\u0629 \u0625\u0646\u0634\u0627\u0621 \u0634\u0647\u0627\u062f\u0627\u062a \u0627\u0644\u0645\u0635\u062f\u0631 \u0648\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646\u0647\u0627 \u0644\u0628\u0646\u0627\u0621\u0627\u062a\u0643 \u0627\u0644\u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0643\u0631\u0627\u0631\u060c \u0645\u0645\u0627 \u064a\u062e\u0644\u0642 \u0633\u0644\u0633\u0644\u0629 \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u062f\u0642\u064a\u0642 \u0645\u0646 \u0627\u0644\u0645\u0635\u062f\u0631 \u0625\u0644\u0649 \u0627\u0644\u0646\u0634\u0631.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
\u0646\u0638\u0631\u0629 \u0639\u0627\u0645\u0629 \u0625\u0630\u0627 \u0642\u0645\u062a \u0628\u0628\u0646\u0627\u0621 \u0646\u0641\u0633 \u0645\u0644\u0641 Dockerfile \u0645\u0631\u062a\u064a\u0646 \u0648\u062d\u0635\u0644\u062a \u0639\u0644\u0649 \u0635\u0648\u0631 \u0645\u062e\u062a\u0644\u0641\u0629\u060c \u0641\u0644\u0646 \u062a\u062a\u0645\u0643\u0646 \u0645\u0646 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0633\u0644\u0627\u0645\u0629 \u0627\u0644\u0628\u0646\u0627\u0621. \u0627\u0644\u0628\u0646\u0627\u0621 \u063a\u064a\u0631 \u0627\u0644\u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u0643\u0631\u0627\u0631 \u064a\u0639\u0646\u064a \u0623\u0646\u0647 \u0644\u0627 \u062a\u0648\u062c\u062f \u0644\u062f\u064a\u0643 \u0637\u0631\u064a\u0642\u0629 \u0644\u0644\u062a\u0623\u0643\u062f \u0645\u0646 \u0623\u0646 \u0627\u0644\u0639\u0646\u0635\u0631 \u0627\u0644\u0628\u0631\u0645\u062c\u064a \u0627\u0644\u0630\u064a \u064a\u0639\u0645\u0644 \u0641\u064a \u0627\u0644\u0625\u0646\u062a\u0627\u062c \u0642\u062f \u062a\u0645 \u0625\u0646\u062a\u0627\u062c\u0647 \u0641\u0639\u0644\u0627\u064b \u0645\u0646 \u0627\u0644\u0643\u0648\u062f \u0627\u0644\u0645\u0635\u062f\u0631\u064a \u0627\u0644\u0630\u064a \u0642\u0645\u062a \u0628\u0645\u0631\u0627\u062c\u0639\u062a\u0647. \u064a\u0645\u0643\u0646 \u0644\u0644\u0645\u0647\u0627\u062c\u0645\u064a\u0646 \u0627\u0633\u062a\u063a\u0644\u0627\u0644 \u0647\u0630\u0627 \u0627\u0644\u063a\u0645\u0648\u0636 \u0644\u062d\u0642\u0646 … \u0627\u0642\u0631\u0623 \u0627\u0644\u0645\u0632\u064a\u062f<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,67,27],"tags":[],"post_folder":[],"class_list":["post-823","post","type-post","status-publish","format-standard","hentry","category-ci-cd-security","category-labs","category-software-supply-chain"],"_links":{"self":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/823","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/comments?post=823"}],"version-history":[{"count":0,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/823\/revisions"}],"wp:attachment":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/media?parent=823"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/categories?post=823"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/tags?post=823"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/post_folder?post=823"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}