Github Actions Go lambda project different sha256sums
Question
I have a Golang AWS Lambda project. I deploy it on GitHub Actions using Terraform scripts.
I have a situation like this:
Build #1
```
-rwxr-xr-x 1 runner docker 14717304 Jan 1 2022 aTest
-rw-r--r-- 1 runner docker 7776780 Jan 1 2022 aTest.zip
```
I make one change in a file that is not even imported in any other file, and
Build #2
```
-rwxr-xr-x 1 runner docker 14717304 Jan 1 2022 aTest
-rw-r--r-- 1 runner docker 7776755 Jan 1 2022 aTest.zip
```
The zip sizes changed, but the binary's did not.
Here is the important part of my Makefile:
```makefile
build: ## Build Linux binary with path consistent with passed function layer (layer) and function name (function)
build: resolve-env
	@$(BUILD_FLAGS) ${GOCMD} build ${LDFLAGS} -o ${BINARY_PATH} ${GO_PKG}
	@touch -t 202201010000.00 ${BINARY_PATH}

.PHONY: package
package: build
	@cd ${DST} && ${ZIPCMD} -X -q --latest-time ${ABS_ZIP_PATH} ${function}
	@touch -t 202201010000.00 ${ABS_ZIP_PATH}
```
When I make the same change locally and run the build using Terraform or a tool called "act", there is no such change; it happens only on GitHub Actions.
I need to keep the same size, which affects the sha256sum (to avoid deploying each Lambda).
What can be the reason?
Answer 1
Score: 2
This answer focuses on the reproducible build of the Go binaries.
Though it shows that the Go binaries have the same size, I doubt that the contents are different. Please check the hash of the binaries to confirm that first.
To get a reproducible build, besides other obvious requirements, you also need to:
- ensure that the cgo build is reproducible (toolchain, dependencies, etc.), or disable cgo. You have set `CGO_ENABLED=0` already (this information is provided by another question which has already been deleted).
- use the `-trimpath` flag. Maybe the GitHub action will always place the source code in the same directory. To be safe, let's specify this option.
- set `-buildvcs=false`. By default ("auto"), version control information is stamped into the binary if it's available. This explains why two commits with only a difference in the readme file produce different binaries.
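The effect described in the answer, as an added example that is not part of the original question or answer: two inputs of identical length that differ only in a stamped revision string give different archive hashes, while the same input always gives the same archive. It uses Go's `archive/zip` in place of the Makefile's zip command; `packageLambda`, `fakeBinary` and the two revision strings are hypothetical names and constructed values.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Constructed 40-character revisions standing in for two commits.
const revA, revB = "1111111111111111111111111111111111111111", "2222222222222222222222222222222222222222"

// fixedTime mirrors the Makefile's `touch -t 202201010000.00`.
var fixedTime = time.Date(2022, 1, 1, 0, 0, 0, 0, time.UTC)

// fakeBinary is a constructed stand-in for a Go binary stamped with a VCS revision.
func fakeBinary(rev string) []byte {
	return append(bytes.Repeat([]byte("handler code "), 4096), []byte("vcs.revision="+rev)...)
}

// packageLambda (hypothetical helper) zips one file with a pinned name, mode and
// timestamp, so the archive bytes depend only on the binary's content.
func packageLambda(name string, binary []byte) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	hdr := &zip.FileHeader{Name: name, Method: zip.Deflate, Modified: fixedTime}
	hdr.SetMode(0755)
	w, err := zw.CreateHeader(hdr)
	if err == nil {
		_, err = w.Write(binary)
	}
	if err == nil {
		err = zw.Close()
	}
	return buf.Bytes(), err
}

// digest returns the hex-encoded SHA-256 of b.
func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

func main() {
	for _, rev := range []string{revA, revB} {
		z, err := packageLambda("aTest", fakeBinary(rev))
		fmt.Printf("binary=%dB zip=%dB sha256=%s err=%v\n", len(fakeBinary(rev)), len(z), digest(z), err)
	}
}
```

Comparing `sha256sum` of the binary itself between two CI builds, before looking at the zip, is the check the answer asks for first.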