chainguard-dev / apko

Build OCI images from APK packages directly without Dockerfile
https://apko.dev
Apache License 2.0

Smarter default timestamps on images #654

Open mattmoor opened 1 year ago

mattmoor commented 1 year ago

Today apko supports setting SOURCE_DATE_EPOCH to set the timestamp on images, but for Chainguard images we generally use the build timestamp because the apko.yaml config files rarely change, but since packages float forward the typical git log -1 --pretty=%ct is a poor approximation of the image's actual age.

I think a more appropriate "smart" default for the image age is something like the MAX() of:

This builds on https://github.com/chainguard-images/images/issues/535 and https://github.com/chainguard-dev/melange/issues/421 so that our image timestamps will only roll forward if one of the above changes.

cc @kaniini @deitch @imjasonh

mattmoor commented 1 year ago

One "fun" thought experiment is whether the smart defaulting should even include the apko.yaml mtime. I'm imagining scenarios like tf-apko where the config is constructed other ways and may not exist as a literal file, or is a composition of multiple files.

In general I feel like the apko.yaml mtime is arguably the weakest contribution to our pseudo-SOURCE_DATE_EPOCH, so wanted to float the possibility of also just excluding it 🤔

mritunjaysharma394 commented 1 year ago

Hi @mattmoor, seems like an interesting task and I would love to contribute to it if this is not already under development by someone else.

From my little understanding, we have already surfaced SOURCE_DATE_EPOCH as the build time with https://github.com/chainguard-dev/melange/pull/435, and this along with #535 can enable us to implement the smarter default timestamps. However, it seems like something broke and ARM builds failed, which is why the PR linked to #535 had to be reverted. I'm trying to investigate what could have happened, but if you have some suggestions that I can begin with, I would love to have a kick start! Thanks!

mattmoor commented 1 year ago

We're pretty close. In fact, this piece should be done, but I want to validate it e2e and we need some changes to Wolfi to set builddate in our packages. Alpine should work now though.
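A sketch of the defaulting discussed in this thread, added here as an illustration; it is not part of the thread and not apko's code. It assumes the only input is each package's `builddate` field from its `.PKGINFO`, that an explicit SOURCE_DATE_EPOCH always wins, and that the fallback is Unix epoch 0; `buildDate` and `imageTimestamp` are hypothetical names.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
	"time"
)

// buildDate reads "builddate = <unix seconds>" from .PKGINFO text; false if absent or malformed.
func buildDate(pkginfo string) (time.Time, bool) {
	for _, line := range strings.Split(pkginfo, "\n") {
		k, v, found := strings.Cut(line, "=")
		if !found || strings.TrimSpace(k) != "builddate" {
			continue
		}
		secs, err := strconv.ParseInt(strings.TrimSpace(v), 10, 64)
		if err != nil || secs < 0 {
			return time.Time{}, false
		}
		return time.Unix(secs, 0).UTC(), true
	}
	return time.Time{}, false
}

// imageTimestamp: explicit SOURCE_DATE_EPOCH wins; else newest usable builddate (assumed policy).
func imageTimestamp(sourceDateEpoch string, pkginfos []string) (time.Time, error) {
	if sourceDateEpoch != "" {
		secs, err := strconv.ParseInt(sourceDateEpoch, 10, 64)
		if err != nil {
			return time.Time{}, fmt.Errorf("invalid SOURCE_DATE_EPOCH %q: %w", sourceDateEpoch, err)
		}
		return time.Unix(secs, 0).UTC(), nil
	}
	newest := time.Unix(0, 0).UTC() // assumed fallback when no package carries a builddate
	for _, p := range pkginfos {
		if t, ok := buildDate(p); ok && t.After(newest) {
			newest = t
		}
	}
	return newest, nil
}

func main() {
	// Constructed .PKGINFO samples; the third has no builddate and is skipped.
	pkgs := []string{"builddate = 1700000000\n", "builddate = 1700086400\n", "pkgname = c\n"}
	ts, err := imageTimestamp(os.Getenv("SOURCE_DATE_EPOCH"), pkgs)
	fmt.Println(ts.Format(time.RFC3339), err)
}
```

With this policy, two builds that resolve the same package set get the same timestamp, and the timestamp moves only when a newer package is pulled in.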

mattmoor commented 1 year ago

This: https://github.com/chainguard-images/images/issues/535

Once that's done we should whack: https://github.com/chainguard-images/actions/blob/cfc56ba1a26d410474fe453d9c9a865fdd422fa7/apko-snapshot/action.yaml#L228 🤞

mritunjaysharma394 commented 1 year ago

Thanks @mattmoor! That seems like we are already very close to closing it, loved the discussion!