🌱 Reproducible builds with static binary

Changes to goreleaser to have static binaries and reproducible builds.
ossf · Oct 25, 2021 · 311d2e2 · 311d2e2
1 parent c3d51a7
commit 311d2e2
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 7 deletions.
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -1,11 +1,21 @@
 project_name: scorecard
 env:
   - GO111MODULE=on
-  - CGO_ENABLED=1
+  # https://stackoverflow.com/a/62821358/19407
+  - CGO_ENABLED=0
 before:
   hooks:
     - go mod download
 builds:
+flags:
+ # trimpath is for reproducible builds
+ # remove all file system paths from the resulting executable.
+ # Instead of absolute file system paths, the recorded file names
+ # will begin with either "go" (for the standard library),
+ # or a module path@version (when using modules),
+ # or a plain import path (when using GOPATH).
+    - -trimpath
+    - -tags=netgo
 
 - id: linux
   binary: scorecard-linux-{{ .Arch }}
@@ -18,7 +28,7 @@ builds:
     - 386
     - arm
   ldflags:
-    - -s -w {{.Env.VERSION_LDFLAGS}} 
+    - -s {{.Env.VERSION_LDFLAGS}} 
 
 - id: darwin
   binary: scorecard-darwin-{{ .Arch }}
@@ -29,7 +39,7 @@ builds:
     - amd64
     - arm64
   ldflags:
-    - -s -w {{.Env.VERSION_LDFLAGS}} 
+    - -s {{.Env.VERSION_LDFLAGS}} 
 
 - id: windows
   binary: scorecard-windows-{{ .Arch }}
@@ -43,7 +53,7 @@ builds:
     - arm
   ldflags:
     - -buildmode=exe
-    - -s -w {{.Env.VERSION_LDFLAGS}} 
+    - -s {{.Env.VERSION_LDFLAGS}} 
 
 checksum:
   # Algorithm to be used.

diff --git a/Makefile b/Makefile
@@ -8,8 +8,7 @@ PROTOC := $(shell which protoc)
 IMAGE_NAME = scorecard
 OUTPUT = output
 IGNORED_CI_TEST="E2E TEST:blob|E2E TEST:executable"
-VERSION_LDFLAGS=$(shell ./scripts/version-ldflags)
-LDFLAGS=$(shell echo "-w -extldflags \"-static\" $(VERSION_LDFLAGS)")
+LDFLAGS=$(shell ./scripts/version-ldflags)
 
 ############################### make help #####################################
 .PHONY: help

diff --git a/scripts/version-ldflags b/scripts/version-ldflags
@@ -24,4 +24,4 @@ GIT_HASH=$(git rev-parse HEAD)
 SOURCE_DATE_EPOCH=$(git log --date=iso8601-strict -1 --pretty=%ct)
 GIT_TREESTATE=$(if git diff --quiet; then echo "clean"; else echo "dirty"; fi)
 PKG=$(go list -m | head -n1)/pkg
-echo "-X $PKG.gitVersion=$GIT_VERSION -X $PKG.gitCommit=$GIT_HASH -X $PKG.gitTreeState=$GIT_TREESTATE -X $PKG.buildDate=$SOURCE_DATE_EPOCH"
+echo "-X $PKG.gitVersion=$GIT_VERSION -X $PKG.gitCommit=$GIT_HASH -X $PKG.gitTreeState=$GIT_TREESTATE -X $PKG.buildDate=$SOURCE_DATE_EPOCH -w -extldflags \"-static\""