feat: add GitHub Actions workflow for verifying reproducible builds #415
Evrard-Nil merged 4 commits into main from
Code Review

This PR adds a reproducibility verification workflow for Docker builds. The approach is solid, but there are a few critical issues that could cause false positives/negatives or confusing failures:

Critical Issues

1. Builder cleanup hardcodes name (lines 98-104)
2. Summary shows empty digests on early failure (lines 240-266)
3. Potential disk space exhaustion

Minor Suggestions

Overall the workflow logic is sound, but these issues could make it unreliable or confusing when failures occur. Recommend addressing issues #1 and #2 before merge.
Pull request overview
This PR adds a GitHub Actions workflow to verify that Docker image builds are reproducible across different environments and sequential builds. The workflow tests reproducibility by building on multiple Ubuntu versions in parallel and performing sequential builds on the same runner with a clean environment between builds, then verifying that all builds produce identical image digests.
Changes:
- Added a new workflow file, verify-reproducible-build.yml, that runs on pull requests affecting build files, manually via workflow_dispatch, and weekly on schedule
- Implemented three jobs: parallel builds on different runners, sequential builds on the same runner, and verification that all digests match
- Configured artifact uploads for digests and OCI archives with 1-day retention
Comment suppressed due to low confidence (1), on .github/workflows/verify-reproducible-build.yml line 266:
- The summary generation step runs with 'if: always()' which means it will run even if the verify step fails. However, if the verify step fails early (e.g., during digest extraction), the output variables may not be set, and the summary will show empty digests. Consider adding error handling to display a more helpful message when outputs are missing, or checking if the outputs exist before using them in the summary.
```bash
          echo ""
          echo "| Environment | Digest |"
          echo "|-------------|--------|"
          echo "| ubuntu-latest | \`${{ steps.verify.outputs.digest_ubuntu_latest }}\` |"
          echo "| ubuntu-22.04 | \`${{ steps.verify.outputs.digest_ubuntu_22 }}\` |"
          echo "| ubuntu-24.04 | \`${{ steps.verify.outputs.digest_ubuntu_24 }}\` |"
          echo "| Sequential (first) | \`${{ steps.verify.outputs.digest_seq_first }}\` |"
          echo "| Sequential (second) | \`${{ steps.verify.outputs.digest_seq_second }}\` |"
          echo ""
          if [ "${{ steps.verify.outputs.result }}" = "passed" ]; then
            echo "### Result: REPRODUCIBLE"
            echo ""
            echo "All builds produced identical digests."
          else
            echo "### Result: NOT REPRODUCIBLE"
            echo ""
            echo "Build digests do not match across environments."
          fi
        } >> "$GITHUB_STEP_SUMMARY"
```
think-in-universe left a comment:

Thanks Evrard. I was also thinking about automating the reproducible build verification yesterday. Thanks for adding this!
Cursor Bugbot has reviewed your changes and found 1 potential issue.
…e error handling and artifact management (4fa37d1 to 0fc916f)
PierreLeGuen left a comment:

LGTM. Good reproducible build verification — testing across multiple Ubuntu versions and sequential builds with clean environments. All checks pass.
Note
Low Risk
CI-only change that doesn’t affect runtime code paths, but it can introduce new build flakiness or longer CI times due to multi-runner builds and Docker pruning.
Overview
Adds a new GitHub Actions workflow (verify-reproducible-build.yml) that validates container build reproducibility by running ./build-image.sh on multiple Ubuntu runners and comparing the resulting OCI image digest. The workflow also performs two sequential builds on the same runner with aggressive Docker/buildx cleanup to catch nondeterminism, uploads digests (and the OCI archives only on mismatch), and posts a step summary table plus a pass/fail result based on digest equality.

Written by Cursor Bugbot for commit 4fa37d1.
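The digest comparison the overview describes, together with the empty-digest problem raised in the Copilot comment (a summary step running under `if: always()` prints blank cells when the verify step fails before setting its outputs), as an added example; this is not code from the PR or from the project's workflow. Names such as `verify_digests`, `digest_cell` and `write_summary` are assumptions, and the digest values are constructed samples, not digests of any real image. A missing digest is treated as a failure and rendered as a visible placeholder rather than an empty backtick pair, so an early build failure can never read as a reproducible match.

```shell
#!/usr/bin/env sh
# Added example (hypothetical helpers, not the project's own workflow code).
# Compares image digests from several builds and writes a step-summary table
# that stays informative when a build step produced no digest at all.

# verify_digests NAME=DIGEST ...  -> prints "passed" or "failed"
# An empty digest counts as a failure: a build that never produced a digest
# must not be reported as matching the others.
verify_digests() {
  reference=""
  result="passed"
  for pair in "$@"; do
    name="${pair%%=*}"
    digest="${pair#*=}"
    if [ -z "$digest" ]; then
      echo "missing digest for $name (build failed or was skipped)" >&2
      result="failed"
      continue
    fi
    if [ -z "$reference" ]; then
      reference="$digest"
    elif [ "$digest" != "$reference" ]; then
      echo "digest mismatch for $name: $digest != $reference" >&2
      result="failed"
    fi
  done
  echo "$result"
}

# digest_cell DIGEST -> markdown table cell; a placeholder instead of an
# empty code span when the digest is missing.
digest_cell() {
  if [ -z "$1" ]; then
    echo "_(not produced: build step failed or was skipped)_"
  else
    echo "\`$1\`"
  fi
}

# write_summary RESULT NAME=DIGEST ... -> markdown summary on stdout
# In a workflow, redirect this to "$GITHUB_STEP_SUMMARY".
write_summary() {
  summary_result="$1"
  shift
  echo "## Reproducible build verification"
  echo ""
  echo "| Environment | Digest |"
  echo "|-------------|--------|"
  for pair in "$@"; do
    echo "| ${pair%%=*} | $(digest_cell "${pair#*=}") |"
  done
  echo ""
  if [ "$summary_result" = "passed" ]; then
    echo "### Result: REPRODUCIBLE"
    echo ""
    echo "All builds produced identical digests."
  else
    echo "### Result: NOT REPRODUCIBLE"
    echo ""
    echo "Build digests do not match across environments, or a build produced no digest."
  fi
}

# Constructed sample digests (not real image digests). In the workflow these
# would come from job outputs or downloaded digest artifacts.
SAMPLE_GOOD="sha256:0000000000000000000000000000000000000000000000000000000000000001"

# Demo run: three matching builds and one that never produced a digest.
DEMO_RESULT=$(verify_digests "ubuntu-latest=$SAMPLE_GOOD" "ubuntu-22.04=$SAMPLE_GOOD" \
                             "seq-first=$SAMPLE_GOOD" "seq-second=")
write_summary "$DEMO_RESULT" "ubuntu-latest=$SAMPLE_GOOD" "ubuntu-22.04=$SAMPLE_GOOD" \
              "seq-first=$SAMPLE_GOOD" "seq-second=" >> "${GITHUB_STEP_SUMMARY:-/dev/stdout}"
```

Passing the digests as `NAME=DIGEST` pairs keeps the verify and summary logic independent of how many runners the matrix has, and the placeholder cell makes a silent early failure visible in the job summary instead of leaving the reader to guess why a row is blank.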