From 784f7ebaa73a9624a6dccc0ba3df6d5bf899131e Mon Sep 17 00:00:00 2001
From: David Karlsson <35727626+dvdksn@users.noreply.github.com>
Date: Wed, 13 Mar 2024 13:19:56 +0100
Subject: [PATCH] build(gha): add reproducible builds example (source_date_epoch)
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
---
 .../ci/github-actions/reproducible-builds.md | 142 ++++++++++++++++++
 data/toc.yaml | 2 +
 2 files changed, 144 insertions(+)
 create mode 100644 content/build/ci/github-actions/reproducible-builds.md
diff --git a/content/build/ci/github-actions/reproducible-builds.md b/content/build/ci/github-actions/reproducible-builds.md
new file mode 100644
index 0000000000..ace4f55fc8
--- /dev/null
+++ b/content/build/ci/github-actions/reproducible-builds.md
@@ -0,0 +1,142 @@
+---
+title: Reproducible builds with GitHub Actions
+description: How to create reproducible builds in GitHub Actions using the SOURCE_EPOCH environment variable
+keywords: build, buildx, github actions, ci, gha, reproducible builds, SOURCE_DATE_EPOCH
+---
+
+`SOURCE_DATE_EPOCH` is a [standardized environment variable][source_date_epoch]
+for instructing build tools to produce a reproducible output.
+Setting the environment variable for a build makes the timestamps in the
+image index, config, and file metadata reflect the specified Unix time.
+
+[source_date_epoch]: https://reproducible-builds.org/docs/source-date-epoch/
+
+To set the environment variable in GitHub Actions,
+use the built-in `env` property on the build step.
+
+## Unix epoch timestamps
+
+The following example sets the `SOURCE_DATE_EPOCH` variable to 0, Unix epoch.
+
+{{< tabs group="action" >}}
+{{< tab name="`docker/build-push-action`" >}}
+
+```yaml
+name: ci
+
+on:
+ push:
+ branches:
+ - "main"
+
+jobs:
+ docker:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Build
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ tags: user/app:latest
+ env:
+ SOURCE_DATE_EPOCH: 0
+```
+
+{{< /tab >}}
+{{< tab name="`docker/bake-action`" >}}
+
+```yaml
+name: ci
+
+on:
+ push:
+ branches:
+ - "main"
+
+jobs:
+ docker:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Build
+ uses: docker/bake-action@v4
+ env:
+ SOURCE_DATE_EPOCH: 0
+```
+
+{{< /tab >}}
+{{< /tabs >}}
+
+## Git commit timestamps
+
+The following example sets `SOURCE_DATE_EPOCH` to the Git commit timestamp.
+
+{{< tabs group="action" >}}
+{{< tab name="`docker/build-push-action`" >}}
+
+```yaml
+name: ci
+
+on:
+ push:
+ branches:
+ - "main"
+
+jobs:
+ docker:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
+ - name: Build
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ tags: user/app:latest
+ env:
+ SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
+```
+
+{{< /tab >}}
+{{< tab name="`docker/bake-action`" >}}
+
+```yaml
+name: ci
+
+on:
+ push:
+ branches:
+ - "main"
+
+jobs:
+ docker:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
+ - name: Build
+ uses: docker/bake-action@v4
+ env:
+ SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
+```
+
+{{< /tab >}}
+{{< /tabs >}}
+
+## Additional information
+
+For more information about the `SOURCE_DATE_EPOCH` support in BuildKit,
+see [BuildKit documentation](https://github.com/moby/buildkit/blob/master/docs/build-repro.md#source_date_epoch).
diff --git a/data/toc.yaml b/data/toc.yaml
index eb464fb09b..0f5c29ace2 100644
--- a/data/toc.yaml
+++ b/data/toc.yaml
@@ -1918,6 +1918,8 @@ Manuals:
 title: SBOM and provenance attestations
 - path: /build/ci/github-actions/annotations/
 title: Annotations
+ - path: /build/ci/github-actions/reproducible-builds/
+ title: Reproducible builds
 - path: /build/release-notes/
 title: Release notes
 - sectiontitle: Docker Compose