Check build reproducibility across languages

[sophiewigmore]

Context

Recently, a user found that in some instances, multiple builds on the same source code produce images with different digests (see this thread). The user expected that the build would've produced the same image. This issue appears to have cropped up without our knowledge since we did not have language-family level tests for reproducibility. This latest occurrence may be related to the SBOM work we recently added.

Issue

We should perform an investigation across all of our language family buildpacks to determine the status of build reproducibility. For any buildpacks that do not produce reproducible images, we should file an issue to flag that and (hopefully) resolve it down the line. The issues file should include an outcome about adding a test at the language-test level. Buildpacks to investigate:

• [x] .NET Core https://github.com/paketo-buildpacks/dotnet-core/issues/756
• [x] Go https://github.com/paketo-buildpacks/go/issues/645
• [x] NodeJS https://github.com/paketo-buildpacks/nodejs/issues/631
• [x] PHP https://github.com/paketo-buildpacks/php/issues/568
• [ ] Python https://github.com/paketo-buildpacks/python/issues/507
• [x] Ruby https://github.com/paketo-buildpacks/ruby/issues/811
• [x] Web Servers
• [ ] Java Native Image (cc @dmikusa-pivotal)
• [ ] Java (cc @dmikusa-pivotal)

[c0d1ngm0nk3y]

We tried this with a simple NodeJS based application and were able to reproduce the IMAGE_ID two weeks later, with the following information:

• version of the application (package-lock.json used)
• pack version
• builder version
• run image version

[sophiewigmore]

cc @paketo-buildpacks/nodejs-maintainers