Git Product home page Git Product logo

deterministicbuilds's Introduction

Deterministic Builds

This repo shows how to get a fully deterministic build using Source Link. Deterministic builds are important as they enable verification that the resulting binary was built from the specified source and provides traceability.

Deterministic builds require a property to be set to true during CI: ContinuousIntegrationBuild. These should not be enabled during local dev or the debugger won't be able to find the local source files.

Therefore, you should use your CI system's variable to set them conditionally. For Azure Pipelines, it looks like this

<PropertyGroup Condition="'$(TF_BUILD)' == 'true'">
  <ContinuousIntegrationBuild>true</ContinuousIntegrationBuild>
</PropertyGroup>

For GitHub Actions, the variable is GITHUB_ACTIONS, so the result would be:

<PropertyGroup Condition="'$(GITHUB_ACTIONS)' == 'true'">
  <ContinuousIntegrationBuild>true</ContinuousIntegrationBuild>
</PropertyGroup>

Or another option is to pass it to msbuild or dotnet with /p:ContinuousIntegrationBuild=true

Also EmbedUntrackedSources should be enabled so that compiler-generated source, like AssemblyInfo, are included in the PDB.

Add in your .csproj under <PropertyGroup>:

 <EmbedUntrackedSources>true</EmbedUntrackedSources>

Work around for .NET SDK prior 3.1.300

Note that there's a workaround needed for many SDK's prior to 3.1.300. You'll need to add a Directory.Build.targets file with the following:

<Project>
  <PropertyGroup>
    <TargetFrameworkMonikerAssemblyAttributesPath>$([System.IO.Path]::Combine('$(IntermediateOutputPath)','$(TargetFrameworkMoniker).AssemblyAttributes$(DefaultLanguageSourceExtension)'))</TargetFrameworkMonikerAssemblyAttributesPath>
  </PropertyGroup>
  <ItemGroup>
    <EmbeddedFiles Include="$(GeneratedAssemblyInfoFile)"/>
  </ItemGroup>
</Project>

Building locally

To see/test this locally, build with dotnet build /p:ContinuousIntegrationBuild=true. After uploading to nuget.org, you could check it with NuGet Package Explorer:

image

deterministicbuilds's People

Contributors

304notmodified avatar clairernovotny avatar nulltoken avatar

Stargazers

 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

Watchers

 avatar  avatar  avatar  avatar  avatar  avatar  avatar

deterministicbuilds's Issues

How should Razor Class Libraries (RCL) be configured to achieve deterministic builds?

I have a reproduction of this issue with a vanilla .NET 5.0 Razor Class Library, created from the CLI template and using the latest version of the .NET 5 CLI.

It has SourceLink added to the project.

It is embedding the PDBs because I use Azure DevOps Artifacts which doesn't support .snupkg

https://github.com/seangwright/razor-class-lib-deterministic-build

  • Clone the repo
  • Run the commands in the README
    • dotnet build /p:ContinuousIntegrationBuild=true -c Release
    • dotnet pack --no-restore -o ./temp --no-build -c Release

Here's what NuGet Package Explorer tells me:

Screenshot 2021-09-08 164730

I'm not sure how to get a RCL to meet any of the criteria for a 'healthy' package. Is it even possible?

Add a demo for ProduceReferenceAssembly

This is an awesome effort!

Would also be nice to add the next step demo: have two projects, one referencing the other, and have them set ProduceReferenceAssembly.

This way the referencing project will actually get the .dll from ref folder, which strips method bodies and is a reference assembly. This way you can make a whitespace change, or a method-body change or private API change in the first project, and the second project will not rebuild.

Why can't you combine *.props + *.targets

Hi Claire,

Why can't you combine Directory.Build.targets into Directory.Build.props? There are no targets in the Directory.Build.targets folder? Is there some subtlety here I am missing with how MSBuild works?

Does the .NET Core SDK 3.1.300 really solves the untracked files issue?

I already asked this question on dotnet/sdk#10614 (comment) but did not get a response yet, so I'm trying here since it looks like a good place with Claire being very knowledgeable about deterministic builds.

Let's describe the problem with a concrete example. Here's how I'm packing https://github.com/0xced/DockerRunner, commit d6d8917e7f208dbaacd9dd6ff25a439031d5dfd1 (current master branch as of writing):

dotnet --version
3.1.300
dotnet pack -c Release /p:ContinuousIntegrationBuild=true
  Successfully created package '[...]DockerRunner\src\bin\Release\DockerRunner.0.9.0-alpha.0.21.nupkg'.

When I open the resulting DockerRunner.0.9.0-alpha.0.21.nupkg in NuGet Package Explorer, Source Link and Deterministic health items have a warning sign with this tooltip:

Contains untracked sources:
To Fix:
<EmbedUntrackedSources>true</EmbedUntrackedSources>

Also, use 3.1.300 SDK to build or
workaround in: dotnet/sourcelink#572
Assembly: lib\netstandard2.0\DockerRunner.dll
/_/src/obj/Release/netstandard2.0/.NETStandard,Version=v2.0.AssemblyAttributes.cs
/_/src/obj/Release/netstandard2.0/DockerRunner.AssemblyInfo.cs

Now, let's add the workaround described on dotnet/sourcelink#572 in DockerRunner.csproj:

<PropertyGroup>
  <TargetFrameworkMonikerAssemblyAttributesPath>$([System.IO.Path]::Combine('$(IntermediateOutputPath)','$(TargetFrameworkMoniker).AssemblyAttributes$(DefaultLanguageSourceExtension)'))</TargetFrameworkMonikerAssemblyAttributesPath>
</PropertyGroup>
<ItemGroup>
  <EmbeddedFiles Include="$(GeneratedAssemblyInfoFile)" />
</ItemGroup>

Then I try to pack again with dotnet pack -c Release /p:ContinuousIntegrationBuild=true and with this workaround, NuGet Package Explorer reports that Source Link and Determinisc are valid with a checkmark icon.

To me, it seems that the .NET Core SDK 3.1.300 does not actually solve the untracked sources issue. Am I missing something? (Note that I have <EmbedUntrackedSources> set to true in the csproj)

Visual Studio warning when Microsoft.SourceLink.GitHub in Directory.build.props

Thanks for this repo, very handy.

I like the idea of putting the Microsoft.SourceLink.GitHub PackageReference in one central place (the Directory.Build.props) however Visual Studio IDE then shows an ugly warning.

image

I'm running VS 16.9.0 Preview 1.0, any idea how to get rid of the warning... or is this just affecting me?

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.