docker: Add HEADS_FORCE_DOCKER_REBUILD and improve reproducibility checks #2081
Pull request overview
Adds a forced rebuild option to the Docker/Nix developer workflow and refines the reproducibility check to be more transparent about which digests are being compared and how they were obtained.
Changes:
- Introduces `HEADS_FORCE_DOCKER_REBUILD=1` to rebuild from `flake.nix`/`flake.lock` regardless of git status (and attempts to clear cached build outputs).
- Improves Nix build visibility (`--print-build-logs`) and refactors reproducibility-check messaging / helper functions.
- Updates Docker documentation to explain config digest vs manifest digest and updates example output.
Reviewed changes
Copilot reviewed 3 out of 5 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| docker/common.sh | Adds forced rebuild behavior, changes nix build/load invocation, and extends reproducibility-check helpers/output. |
| docker_local_dev.sh | Documents/exposes HEADS_FORCE_DOCKER_REBUILD and keeps dev wrapper aligned with common.sh. |
| docker_latest.sh | Indentation normalization; continues to rely on shared helpers. |
| docker_repro.sh | Indentation normalization; continues to enforce digest-pinned images. |
| doc/docker.md | Documents the new env var and expands digest/reproducibility explanations and example output. |
Pull request overview
Copilot reviewed 4 out of 7 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (1)
docker/pin-and-run.sh:135
`print_digest_info` is given `${image%@*}@${digest}`, which will include the original `:tag` (e.g., `repo:v0.2.7@sha256:...`). That combined tag+digest form is not a valid Docker reference and may confuse users copying the “Image:” line. Consider normalizing to `repo@sha256:...` by stripping any tag (from the last path component) before appending the digest.

```bash
print_digest_info "${image%@*}@${digest}" "${digest}" "user" "${envvar}"
echo "Running ${wrapper} pinned to ${digest} (exporting ${envvar})" >&2
```
…ecks

- Add HEADS_FORCE_DOCKER_REBUILD=1 to force rebuild from flake.nix/flake.lock
- Delete cached nix store result when forcing rebuild
- Add --print-build-logs to nix build for visibility
- Use docker load -i instead of docker load < for consistency
- Improve reproducibility check: explain config vs manifest digests
- Show method used (registry+jq, registry+sed, or pulled)
- Add tip to install jq and curl for faster registry checks
- Add get_remote_manifest_digest() with correct Docker Hub URL format
- Update doc/docker.md explaining config vs manifest digests
- Normalize indentation to tabs across docker scripts
- Use script-relative paths for deterministic nix build (--out-link)
- Add shared _parse_docker_image helper for consistent registry parsing
- Handle localhost as registry hostname (not Docker Hub)

Fixes:
- local result_target declaration in force rebuild
- handle regular file case for result (not just symlink)
- use printf instead of echo in hash computation
- fall back to shasum when sha256sum unavailable
- ensure temp directory cleanup on all paths
- handle @digest references in get_remote_manifest_digest
- restrict sha256 regex to exactly 64 hex chars
- use remote_method instead of hardcoded message
- Docker Hub URL uses sha256-{digest} not sha256:{digest}
- fix regex in get_remote_config_digest: use \. not \. for dot matching
- remove unused get_local_manifest_digest function
- move End marker to actual end points
- distinguish fetch_failed from mismatch in fallback message
- update documentation mismatch example to match current output
- check curl availability in get_remote_config_digest
- only show Docker Hub URL for Docker Hub images
- add curl availability check to get_remote_manifest_digest
- fix readlink -f fallback to use quoted variable
- fix pin-and-run.sh: strip :tag before appending @digest for valid Docker ref

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Pull request overview
Copilot reviewed 4 out of 7 changed files in this pull request and generated no new comments.
What

- `HEADS_FORCE_DOCKER_REBUILD=1` to force rebuild from `flake.nix`/`flake.lock` regardless of git status; also deletes the cached nix store result/link before rebuilding
- `--print-build-logs` to `nix build` for build visibility
- `docker load -i result` instead of `docker load < result`
- `--out-link` path so `nix build` and `docker load` are deterministic regardless of `$PWD`
- (`registry+jq`, `registry+sed`, `skopeo+jq`, or `pulled`)
- `get_remote_manifest_digest()` to show the Docker Hub URL for manual cross-check
- `docker pull` when registry API is unavailable; tip to install `jq`/`curl` to avoid the pull
- `doc/docker.md` explaining config vs manifest digests, with accurate example output

Correctness fixes (addressed during Copilot review)

- `result_target` declared `local` in the `HEADS_FORCE_DOCKER_REBUILD` path
- `result` symlink always removed (not only when target exists)
- `get_local_manifest_digest()` removed (unused, would have hashed with wrong newline semantics)
- `sha256` regex restricted to exactly 64 hex chars (`{64}`)
- (via `${remote_method}`) reflects actual fetch path instead of hardcoded "Verified via registry API"
- `sha256-<hex>` path format (not `sha256:<hex>`)
- `curl` availability checked before registry API path; non-Docker-Hub registries short-circuit early
- `curl -D - -o /dev/null` captures only headers, not the full manifest body
- `_parse_docker_image()` normalises `docker.io`/`index.docker.io` to `registry-1.docker.io` and adds `library/` prefix for official images
- `=== End Reproducibility Check ===` only printed at actual return points, not before the pull fallback
- `last_segment` declared `local` to avoid leaking into calling scope
- `pin-and-run.sh`: strip `:tag` before appending `@digest` to produce valid Docker reference (`repo@sha256:...`)

Example: force rebuild

Example: reproducibility check
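As an added illustration of the reference handling this PR describes (the `_parse_docker_image()` normalisation of Docker Hub aliases and `library/` images, `localhost` as a registry host, the 64-hex-char `sha256` check, and the `pin-and-run.sh` fix that strips `:tag` before appending `@digest`), here is a constructed POSIX shell version. It is example code written for this page, not the Heads scripts; the function names and the sample references in it are assumptions.

```shell
# Constructed example helpers; not the Heads project's own code.

# Accept only a full sha256 digest: "sha256:" plus exactly 64 lowercase hex chars.
is_sha256_digest() {
	printf '%s' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Print "registry repository tag digest" for an image reference ("-" when absent).
parse_docker_image() {
	local ref="$1" digest="" rest="" registry="" tag="" first="" last=""
	case "$ref" in
		*@*) digest="${ref##*@}"; rest="${ref%@*}" ;;
		*)   rest="$ref" ;;
	esac
	# The first path component is a registry only if it looks like a host:
	# it contains "." or ":" or is literally "localhost". Otherwise: Docker Hub.
	case "$rest" in
		*/*) first="${rest%%/*}"
		     case "$first" in
		         *.*|*:*|localhost) registry="$first"; rest="${rest#*/}" ;;
		         *) registry="docker.io" ;;
		     esac ;;
		*)   registry="docker.io" ;;
	esac
	# Docker Hub aliases all resolve to the registry API host.
	case "$registry" in
		docker.io|index.docker.io) registry="registry-1.docker.io" ;;
	esac
	# A tag can only live in the last path component (registry ports are gone now).
	last="${rest##*/}"
	case "$last" in
		*:*) tag="${last##*:}"; rest="${rest%:*}" ;;
		*)   if [ -n "$digest" ]; then tag="-"; else tag="latest"; fi ;;
	esac
	# Official Docker Hub images are stored under library/.
	case "$registry:$rest" in
		registry-1.docker.io:*/*) ;;
		registry-1.docker.io:*)   rest="library/$rest" ;;
	esac
	printf '%s %s %s %s\n' "$registry" "$rest" "$tag" "${digest:--}"
}

# Build a valid pinned reference (repo@sha256:...): drop any existing @digest
# and any :tag in the last path component, then append the verified digest.
pin_to_digest() {
	local ref="$1" digest="$2" base="" last=""
	is_sha256_digest "$digest" || { echo "invalid digest: $digest" >&2; return 1; }
	base="${ref%@*}"
	last="${base##*/}"
	case "$last" in *:*) base="${base%:*}" ;; esac
	printf '%s@%s\n' "$base" "$digest"
}
```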