Github Actions Go lambda project different sha256sums

Question

I have a Golang AWS Lambda project. I deploy it on GitHub Actions using Terraform scripts.
I have a situation like this:
Build #1

-rwxr-xr-x  1 runner docker 14717304 Jan  1  2022 aTest
-rw-r--r--  1 runner docker  7776780 Jan  1  2022 aTest.zip

I make one change in some file that is not even imported in any other file, and
Build #2

-rwxr-xr-x  1 runner docker 14717304 Jan  1  2022 aTest
-rw-r--r--  1 runner docker  7776755 Jan  1  2022 aTest.zip

The zip sizes changed, but the binary did not.

Here is the important part of my Makefile:

build: ## Build Linux binary with path consistent with passed function layer (layer) and function name (function)
build: resolve-env
	@$(BUILD_FLAGS) ${GOCMD} build ${LDFLAGS} -o ${BINARY_PATH} ${GO_PKG}
	@touch -t 202201010000.00 ${BINARY_PATH}

.PHONY: package
package: build
	@cd ${DST} && ${ZIPCMD} -X -q --latest-time ${ABS_ZIP_PATH} ${function}
	@touch -t 202201010000.00 ${ABS_ZIP_PATH}

When I make the same change locally and run the build using Terraform or a tool called "act", there is no such change; it happens only on GitHub Actions.
I need to keep the same size, which affects the sha256sum (to avoid deploying each Lambda).
What can be the reason?

Answer 1

Score: 2

This answer focuses on the reproducible build of the Go binaries.

Though it shows that the Go binaries have the same size, I doubt that the contents are different. Please check the hash of the binaries to confirm that first.

To get a reproducible build, besides other obvious requirements, you also need to:

  1. Ensure that the cgo build is reproducible (toolchain, dependencies, etc.), or disable cgo. You have set CGO_ENABLED=0 already (this information is provided by another question which has already been deleted).
  2. Use the -trimpath flag. Maybe the GitHub action will always place the source code in the same directory. To be safe, let's specify this option.
  3. Set -buildvcs=false. By default ("auto"), version control information is stamped into the binary if it's available. This explains why two commits that differ only in the readme file produce different binaries.
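
A check for the three points in this answer, as an added example (not part of the original answer or the asker's project): it reads the build settings the Go toolchain records in a binary through `debug/buildinfo` and reports the ones that make the output differ between commits or machines. The function name `auditSettings` and the command-line usage are assumptions of this example; it needs Go 1.18 or later.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// auditSettings takes the key/value build settings recorded in a Go binary and
// returns those that tie its bytes to the commit, checkout path or C toolchain.
// The vcs.* keys are stamped from the repository unless -buildvcs=false is set.
func auditSettings(settings map[string]string) []string {
	var findings []string
	for _, key := range []string{"vcs.revision", "vcs.time", "vcs.modified"} {
		if v, ok := settings[key]; ok {
			findings = append(findings, fmt.Sprintf("%s=%s is stamped: build with -buildvcs=false", key, v))
		}
	}
	if v, ok := settings["CGO_ENABLED"]; ok && v != "0" {
		findings = append(findings, "CGO_ENABLED="+v+": disable cgo or pin the C toolchain")
	}
	// A toolchain that does not record the -trimpath key is reported here too.
	if settings["-trimpath"] != "true" {
		findings = append(findings, "-trimpath not recorded: source paths may be embedded")
	}
	return findings
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: audit <go-binary>")
		os.Exit(2)
	}
	info, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	settings := map[string]string{}
	for _, s := range info.Settings {
		settings[s.Key] = s.Value
	}
	findings := auditSettings(settings)
	for _, f := range findings {
		fmt.Println(f)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

Run it against the built binary in CI before packaging; a non-zero exit means the binary still carries commit- or path-dependent metadata, so its hash (and the hash of any zip containing it) will change between commits.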

  • Posted on May 17, 2023, 14:30:54