Lab 11: Reproducible Nix flake + deterministic OCI image #1292

Open
selysecr332 wants to merge 30 commits into inno-devops-labs:main from selysecr332:feature/lab11
selysecr332 commented Jul 1, 2026

Summary

Lab 11 — Reproducible Builds (Mahmoud Hassan, selysecr332)

  • Task 1: flake.nix + flake.lock; buildGoModule, vendorHash = null, devShell
  • Task 2: dockerTools.buildImage — reproducible OCI tarball; Lab 6 --no-cache digest mismatch documented
  • Bonus: nix-repro.yml — two parallel nix build .#docker jobs + digest compare
  • Design questions a–j in submissions/lab11.md

Test plan

  • nix build .#quicknotes — store hash sha256:0hmzr9…
  • nix build .#docker — tarball 65b95b0f…
  • Binary serves /health on :8081
  • nix-repro CI green (+ red demo pending)

Add DevSecOps scanning artifacts, HTTP security headers with tests, and triage documentation for Trivy and ZAP findings.
Extend Lab 3 CI with govulncheck@v1.1.4 job, red/green demo logs, and bonus documentation.
setup-go 1.24 installed an early patch with reachable net/http CVEs; pin govulncheck job to Go 1.26 and invoke via GOPATH/bin.
Add release.yml for v* tags, cloud/hf-space files, latency scripts, teardown notes, and submissions/lab10.md template.