@@ -10,7 +10,7 @@ build-docker:
1010
1111.PHONY : install
1212install :
13- npm install
13+ npm ci
1414
1515.PHONY : lint
1616lint : format-check
@@ -34,4 +34,19 @@ build: lint
3434
3535.PHONY : dev
3636dev :
37- npm run dev
37+ npm run dev
38+
39+ # Reproducible build verification using devbox
40+ .PHONY : verify-reproducible
41+ verify-reproducible :
42+ @command -v devbox > /dev/null 2>&1 || { echo " Please install devbox: curl -fsSL https://get.jetify.com/devbox | bash" ; exit 1; }
43+ @echo " Building twice and comparing checksums..."
44+ @devbox run build
45+ @tar --sort=name --mtime=" 1980-01-01 00:00:00 UTC" --owner=0 --group=0 --numeric-owner -cf /tmp/a.tar dist/
46+ @rm -rf dist
47+ @devbox run build
48+ @tar --sort=name --mtime=" 1980-01-01 00:00:00 UTC" --owner=0 --group=0 --numeric-owner -cf /tmp/b.tar dist/
49+ @echo " Build A:" && sha256sum /tmp/a.tar
50+ @echo " Build B:" && sha256sum /tmp/b.tar
51+ @diff <( sha256sum /tmp/a.tar | cut -d' ' -f1) <( sha256sum /tmp/b.tar | cut -d' ' -f1) && echo " ✅ Builds are reproducible!" || { echo " ❌ Builds are NOT reproducible" ; exit 1; }
52+ @rm -f /tmp/a.tar /tmp/b.tar
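Review bot: The `verify-reproducible` recipe writes its archives to the fixed paths `/tmp/a.tar` and `/tmp/b.tar`, so on a shared build host another local user can pre-create or swap those files (including as symlinks), and two concurrent runs clobber each other; a private `mktemp -d` directory avoids both. The final comparison uses `<( … )` process substitution, which is a bash feature, so it fails where make's default `/bin/sh` is dash unless the Makefile sets `SHELL` outside this hunk. The trailing `rm -f` is also skipped on the failure path because of `exit 1`. A single-shell recipe with a trap and `cmp` covers all three, as sketched below.

```makefile
verify-reproducible:
# … unchanged: devbox presence check and banner echo …
	@set -eu; \
	tmp=$$(mktemp -d); trap 'rm -rf "$$tmp"' EXIT; \
	pack() { tar --sort=name --mtime="1980-01-01 00:00:00 UTC" --owner=0 --group=0 --numeric-owner -cf "$$1" dist/; }; \
	devbox run build; pack "$$tmp/a.tar"; \
	rm -rf dist; \
	devbox run build; pack "$$tmp/b.tar"; \
	sha256sum "$$tmp/a.tar" "$$tmp/b.tar"; \
	cmp -s "$$tmp/a.tar" "$$tmp/b.tar" || { echo "❌ Builds are NOT reproducible"; exit 1; }; \
	echo "✅ Builds are reproducible!"
```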
@@ -105,6 +105,28 @@ make build
105105
106106Output will be in the ` dist/ ` directory.
107107
108+ ## Reproducible Builds
109+
110+ For Apache releases and verification purposes, this project supports reproducible builds using [ Devbox] ( https://www.jetify.com/devbox ) .
111+
112+ ### Prerequisites
113+
114+ Install Devbox:
115+
116+ ``` bash
117+ curl -fsSL https://get.jetify.com/devbox | bash
118+ ```
119+
120+ ### Verifying Reproducibility
121+
122+ To verify that builds are reproducible (builds twice and compares checksums):
123+
124+ ``` bash
125+ make verify-reproducible
126+ ```
127+
128+ This will build the project twice and compare SHA256 checksums of the output tarballs.
129+
108130## Production Deployment
109131
110132After building, you can serve the production files in several ways:
1+ {
2+ "$schema" : " https://raw.githubusercontent.com/jetify-com/devbox/0.16.0/.schema/devbox.schema.json" ,
3+ "packages" : [
4+ " nodejs@22.12.0"
5+ ],
6+ "shell" : {
7+ "init_hook" : [
8+ " npm ci"
9+ ],
10+ "scripts" : {
11+ "build" : [
12+ " npm run build"
13+ ],
14+ "dev" : [
15+ " npm run dev"
16+ ],
17+ "lint" : [
18+ " npm run lint"
19+ ]
20+ }
21+ }
22+ }
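Review bot: `init_hook` runs `npm ci` before every script and shell entry, so `devbox run dev` and `devbox run lint` each delete and reinstall `node_modules` and re-run the dependencies' install scripts, not only the release build. Consider moving the install into the build script, `"build": ["npm ci", "npm run build"]`, or a dedicated install script, so day-to-day commands do not repeatedly execute third-party lifecycle scripts. Separately, no `devbox.lock` appears among the files shown here; if it is not committed, `nodejs@22.12.0` is the only pin and the resolved Nix package may differ between machines, which weakens the reproducibility claim.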
@@ -28,10 +28,10 @@ ENV VITE_POLARIS_REALM_HEADER_NAME=Polaris-Realm
2828WORKDIR /app
2929
3030# Copy package files
31- COPY package.json ./
31+ COPY package.json package-lock.json ./
3232
33- # Install dependencies
34- RUN npm install
33+ # Install dependencies (use npm ci for reproducible installs)
34+ RUN npm ci
3535
3636# Copy source code (excluding docker directory via .dockerignore)
3737COPY . .
@@ -29,6 +29,25 @@ export default defineConfig({
2929 "@" : path . resolve ( __dirname , "./src" ) ,
3030 } ,
3131 } ,
32+ build : {
33+ // Reproducibility: disable non-deterministic options
34+ cssCodeSplit : false ,
35+ sourcemap : false ,
36+ rollupOptions : {
37+ output : {
38+ // Use content hash for deterministic chunk names
39+ chunkFileNames : "assets/[name]-[hash].js" ,
40+ entryFileNames : "assets/[name]-[hash].js" ,
41+ assetFileNames : "assets/[name]-[hash][extname]" ,
42+ // Ensure consistent chunk ordering by grouping node_modules
43+ manualChunks : ( id ) => {
44+ if ( id . includes ( "node_modules" ) ) {
45+ return "vendor" ;
46+ }
47+ } ,
48+ } ,
49+ } ,
50+ } ,
3251 server : {
3352 proxy : {
3453 "/api" : {
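Review bot: The comments in the new `build` block claim more than the settings deliver, which matters because release verifiers will rely on them. `// Reproducibility: disable non-deterministic options` sits above `cssCodeSplit: false` and `sourcemap: false`, yet neither looks like a source of run-to-run variation, and `sourcemap: false` is, as far as I know, already Vite's default; something like `// One CSS file and no source maps: fewer artifacts to compare` would be more accurate. Likewise `manualChunks` does not order chunks, it forces every module whose id contains `node_modules` into a single `vendor` chunk, so I would reword that comment to `// Put all dependencies in one "vendor" chunk so chunk boundaries are fixed` and mention the caching trade-off. The `[hash]` patterns are content hashes, so they only stay stable if the inputs are byte-identical. The enclosing `defineConfig` call starts and ends outside this hunk.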