@glensc
Last active March 11, 2021 22:03
RFC: Reproducible vendor directory contents #9768

RFC: Reproducible vendor directory contents

From composer/composer#9768:

With a given composer.lock and docker --cache-from, the build must produce the same image even if the builds share no previous state.

Install

Clone this project:

git clone -b v1 https://gist.github.com/glensc/b51e9a8c180f3ca3ca1a6593931d431d composer-feat-9768
cd composer-feat-9768

Test

Ensure pristine state, delete local build cache and images:

docker builder prune -fa
docker image prune -fa

Let's assume the previous build is published at $CACHE_TAG, and we are tagging the built image as $IMAGE_TAG:

DOCKER_BUILDKIT=1 \
docker build \
	--build-arg=BUILDKIT_INLINE_CACHE=1 \
	--tag=$IMAGE_TAG \
	--cache-from=$CACHE_TAG \
	.
#!/bin/sh
# Script to build reproducible docker image
# https://github.com/composer/composer/issues/9768

set -eu

docker builder prune -fa
docker image prune -fa

REPO_SLUG=glen/composer-feat-9768
CACHE_TAG=$REPO_SLUG:v2
IMAGE_TAG=$REPO_SLUG:v3

DOCKER_BUILDKIT=1 \
docker build \
	--build-arg=BUILDKIT_INLINE_CACHE=1 \
	--tag=$IMAGE_TAG \
	--cache-from=$CACHE_TAG \
	.
{
    "name": "glensc/feat-9768",
    "require": {
        "composer/ca-bundle": "^1.2"
    }
}
{
    "_readme": [
        "This file locks the dependencies of your project to a known state",
        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
        "This file is @generated automatically"
    ],
    "content-hash": "21d1bed8572d313ae854da0dcde54115",
    "packages": [
        {
            "name": "composer/ca-bundle",
            "version": "1.2.9",
            "source": {
                "type": "git",
                "url": "https://github.com/composer/ca-bundle.git",
                "reference": "78a0e288fdcebf92aa2318a8d3656168da6ac1a5"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/composer/ca-bundle/zipball/78a0e288fdcebf92aa2318a8d3656168da6ac1a5",
                "reference": "78a0e288fdcebf92aa2318a8d3656168da6ac1a5",
                "shasum": ""
            },
            "require": {
                "ext-openssl": "*",
                "ext-pcre": "*",
                "php": "^5.3.2 || ^7.0 || ^8.0"
            },
            "require-dev": {
                "phpstan/phpstan": "^0.12.55",
                "psr/log": "^1.0",
                "symfony/phpunit-bridge": "^4.2 || ^5",
                "symfony/process": "^2.5 || ^3.0 || ^4.0 || ^5.0"
            },
            "type": "library",
            "extra": {
                "branch-alias": {
                    "dev-main": "1.x-dev"
                }
            },
            "autoload": {
                "psr-4": {
                    "Composer\\CaBundle\\": "src"
                }
            },
            "notification-url": "https://packagist.org/downloads/",
            "license": [
                "MIT"
            ],
            "authors": [
                {
                    "name": "Jordi Boggiano",
                    "email": "j.boggiano@seld.be",
                    "homepage": "http://seld.be"
                }
            ],
            "description": "Lets you find a path to the system CA bundle, and includes a fallback to the Mozilla CA bundle.",
            "keywords": [
                "cabundle",
                "cacert",
                "certificate",
                "ssl",
                "tls"
            ],
            "funding": [
                {
                    "url": "https://packagist.com",
                    "type": "custom"
                },
                {
                    "url": "https://github.com/composer",
                    "type": "github"
                },
                {
                    "url": "https://tidelift.com/funding/github/packagist/composer/composer",
                    "type": "tidelift"
                }
            ],
            "time": "2021-01-12T12:10:35+00:00"
        }
    ],
    "packages-dev": [],
    "aliases": [],
    "minimum-stability": "stable",
    "stability-flags": [],
    "prefer-stable": false,
    "prefer-lowest": false,
    "platform": [],
    "platform-dev": [],
    "plugin-api-version": "1.1.0"
}
#
# Dockerfile for Reproducible build
# https://github.com/composer/composer/issues/9768

# glen/composer-feat-9768:alpine-3.13 is just a snapshot of alpine:3.13
FROM glen/composer-feat-9768:alpine-3.13 AS base

FROM composer:2.0.8 AS deps
WORKDIR /app
COPY composer.* .
RUN composer install --no-dev

# common timestamp for all files in vendor until composer supports that itself
# https://github.com/composer/composer/issues/9768
ARG TIMESTAMP="2021-03-10 19:33:10"
RUN find vendor | xargs touch --date="$TIMESTAMP"

FROM base AS app
WORKDIR /app
COPY --from=deps /app/vendor ./vendor
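
The Dockerfile's touch step matters because an image layer is a tar archive whose headers record each file's mtime, so identical vendor contents installed at different times still produce different layers. The script below is an added example, not part of the gist, that shows this on a constructed sample tree; the function names and sample files are hypothetical, and it assumes the GNU coreutils or BusyBox versions of find, stat, touch and sha256sum.

```shell
#!/bin/sh
# Added example, not part of the gist. Assumes find, stat -c, touch -d and
# sha256sum as shipped by GNU coreutils or BusyBox.
set -eu

# Digest of a sorted manifest: one stat line per path, plus a content hash for
# regular files. $1 = directory, $2 = stat format. Paths with newlines unsupported.
manifest_digest() {
	(
		cd "$1"
		find . | LC_ALL=C sort | while IFS= read -r path; do
			stat -c "$2" "$path"
			if [ -f "$path" ] && [ ! -L "$path" ]; then
				sha256sum < "$path"
			fi
		done
	) | sha256sum | cut -d' ' -f1
}

# Name, type, mode and content only, ignoring timestamps.
content_digest() { manifest_digest "$1" '%n %F %a'; }

# The same plus mtime, which the tar header of an image layer also records.
layer_like_digest() { manifest_digest "$1" '%n %F %a %Y'; }

# Same effect as the Dockerfile's "find vendor | xargs touch" step, but safe
# for paths containing whitespace.
normalize_mtime() { find "$1" -exec touch -d "$2" {} +; }

# Constructed sample tree standing in for vendor/ after "composer install".
# $1 = directory, $2 = pretend install time.
make_sample() {
	mkdir -p "$1/composer/ca-bundle/src"
	printf '<?php // constructed sample\n' > "$1/composer/ca-bundle/src/CaBundle.php"
	printf '{"name": "composer/ca-bundle"}\n' > "$1/composer/ca-bundle/composer.json"
	find "$1" -exec touch -d "$2" {} +
}

work=$(mktemp -d)
make_sample "$work/a" "2021-03-10 10:00:00"
make_sample "$work/b" "2021-03-11 22:03:00"
echo "content:      $(content_digest "$work/a") $(content_digest "$work/b")"
echo "before touch: $(layer_like_digest "$work/a") $(layer_like_digest "$work/b")"
normalize_mtime "$work/a" "2021-03-10 19:33:10"
normalize_mtime "$work/b" "2021-03-10 19:33:10"
echo "after touch:  $(layer_like_digest "$work/a") $(layer_like_digest "$work/b")"
rm -rf "$work"
```

Running the same two digest functions against vendor directories extracted from two independently built images separates a real content difference from a timestamp-only one.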