Using GitHub Actions for reproducible builds #6883
Unanswered
billziss-gh
asked this question in
General questions
Replies: 0 comments
I would like to use GitHub Actions to create "reproducible" (or "deterministic") builds. Such builds produce bit-by-bit identical artifacts when given the same source code + configuration. There are many benefits to this approach: my primary interest is to scrutinize changes and assure quality, but there are also benefits to auditing, security, etc.
A good introduction and general resource on this subject is https://reproducible-builds.org/
I am starting this discussion because GitHub Actions provides the most essential ingredient for builds: the build environment. Naturally, if the build environment changes, the build products may change, thus compromising the goal of reproducible builds.
It is my understanding that GitHub Actions regularly changes the build environment. (Note that I do not have intimate knowledge of GitHub Actions and this understanding may be wrong.) For example:
GitHub Actions regularly deprecates and drops images thus forcing major changes to the build environment of any workflows that use these images.
GitHub Actions regularly updates versioned images thus introducing smaller but important changes to the build environment.
I understand that GitHub Actions also supports containers and one could perhaps create a stable build environment in this fashion. However this is less convenient than using GitHub Actions only and is a Linux-only solution. (I think -- are Windows containers supported by GitHub Actions?)
What I would like is to be able to request a specific image version that will never change and have it available for a very long time (ideally "forever"). I understand that security is a concern, so I would be happy if such images were severely "locked down" without general network access and only able to communicate with other workflows via artifact download/upload and the outputs/needs mechanism.
Thank you.
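The container-based approach mentioned in the post, written out as a workflow as an added illustration (it is not part of billziss-gh's post or any GitHub documentation): the job runs inside an image pinned by digest rather than by tag, fixes the environment variables that commonly leak into build output, and fails if the artifact's hash differs from one committed alongside the source. The image digest, the build command, the output path and the hash file are placeholders, and the example assumes the pinned image already contains the toolchain so that no packages are fetched at build time.

```yaml
# Added example, not from the original discussion. Placeholders are marked.
name: reproducible-build
on: [push, pull_request]

jobs:
  build:
    # The hosted runner only launches the container; the build never uses its toolchain,
    # so runner-image updates and deprecations do not change the build environment.
    runs-on: ubuntu-latest
    container:
      # Pin by digest, not by tag: a tag can be re-pushed, a digest cannot change.
      image: debian@sha256:<IMAGE_DIGEST_PLACEHOLDER>
    env:
      # Fixed timestamp honoured by tar, gzip, gcc and other tools that embed build times.
      SOURCE_DATE_EPOCH: "1700000000"
      TZ: UTC
      LC_ALL: C
    steps:
      - uses: actions/checkout@v4
      - name: Build from a clean tree
        run: |
          set -eu
          make clean all            # placeholder: the project's real build command
      - name: Compare the artifact with the recorded hash
        run: |
          set -eu
          # reproducible.sha256 is a placeholder file committed with the source,
          # holding the hash produced by a previous build of the same commit.
          expected="$(cut -d' ' -f1 reproducible.sha256)"
          actual="$(sha256sum build/output.bin | cut -d' ' -f1)"
          echo "expected=$expected"
          echo "actual=$actual"
          [ "$expected" = "$actual" ] || { echo "artifact is not reproducible"; exit 1; }
      - uses: actions/upload-artifact@v4
        with:
          name: build-output
          path: build/output.bin
```

This only covers Linux jobs, which matches the limitation noted in the post; the hash comparison is what turns "reproducible" from an intention into a check that fails the workflow.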