From 6229c0195bf6c1d69788efa88e2d287c82a74ada Mon Sep 17 00:00:00 2001
From: bakhtin
Date: Fri, 7 Nov 2025 14:20:02 +0000
Subject: [PATCH 1/3] Better artifacts handling
Signed-off-by: bakhtin
---
.github/workflows/release.yml | 20 +++++++++++---------
Dockerfile.reproducible | 5 ++---
2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e36888aa..266fc7e9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -55,24 +55,26 @@ jobs:
packages: write
steps:
- uses: actions/checkout@v4
+
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- - name: Build reproducible binary with Docker
+ - name: Install rust
run: |
- docker build -f Dockerfile.reproducible -t flowproxy:release .
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
- - name: Extract binary from Docker image
+ - name: Build reproducible binary with Docker
run: |
- # Create a temporary container and copy the binary
- docker create --name temp-container flowproxy:release
- docker cp temp-container:/flowproxy ./flowproxy
- docker rm temp-container
+ RUST_TOOLCHAIN=$(rustc --version | cut -d' ' -f2)
+ docker build -f Dockerfile.reproducible \
+ --build-arg "RUST_TOOLCHAIN=${RUST_TOOLCHAIN}" \
+ -t flowproxy:release \
+ --output type=local,dest=./target .
- name: Calculate SHA256
id: sha256
run: |
- sha256sum flowproxy > flowproxy-${{ needs.extract-version.outputs.VERSION }}.sha256
+ sha256sum ./target/flowproxy > flowproxy-${{ needs.extract-version.outputs.VERSION }}.sha256
echo "hash=$(cat flowproxy-${{ needs.extract-version.outputs.VERSION }}.sha256 | cut -d' ' -f1)" >> $GITHUB_OUTPUT
echo "Binary SHA256: $(cat flowproxy-${{ needs.extract-version.outputs.VERSION }}.sha256)"
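Review bot: The new `Install rust` step pipes the rustup installer into `sh` without naming a toolchain version, and the next step feeds whatever `rustc --version` reports into `RUST_TOOLCHAIN`, so the compiler behind a release binary depends on the date of the run rather than on the commit. Anyone re-deriving the published SHA256 later needs that exact version, so it should be pinned in the repository, for example a `rust-toolchain.toml` or `sh -s -- -y --default-toolchain PINNED_VERSION` (placeholder), with the same value passed as the build arg. Nothing visible here adds rustup's bin directory to `$GITHUB_PATH`, so `rustc` in the following step may resolve to a compiler preinstalled on the runner instead of the one just installed. The same two steps are added to `.github/workflows/reproducible-build.yml` in patch 2/3.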
@@ -81,7 +83,7 @@ jobs:
with:
name: flowproxy-${{ needs.extract-version.outputs.VERSION }}-x86_64-unknown-linux-gnu
path: |
- flowproxy
+ ./target/flowproxy
flowproxy-${{ needs.extract-version.outputs.VERSION }}.sha256
draft-release:
diff --git a/Dockerfile.reproducible b/Dockerfile.reproducible
index 9da52052..c68d1bf8 100644
--- a/Dockerfile.reproducible
+++ b/Dockerfile.reproducible
@@ -9,6 +9,5 @@ WORKDIR /build
COPY . .
RUN SOURCE_DATE_EPOCH=1730000000 just build-reproducible
-FROM gcr.io/distroless/cc-debian13:nonroot@sha256:4dd5cc58bb27cf9da5960f2a202cecf6c1c05c6ccbf0cda1b8ac24aeb428ca1a
-COPY --from=builder /build/target/x86_64-unknown-linux-gnu/reproducible/flowproxy /flowproxy
-ENTRYPOINT ["/flowproxy"]
+FROM scratch AS artifacts
+COPY --from=builder /build/target/x86_64-unknown-linux-gnu/reproducible/flowproxy /
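Review bot: Nothing in this series adds an `ARG RUST_TOOLCHAIN` to this file, yet both workflows now pass `--build-arg "RUST_TOOLCHAIN=..."`. The hunk starts at line 9, so if the builder stage above does not already declare and consume that argument, the value is ignored (at most a warning) and the toolchain is whatever the builder image ships. That is worth confirming, because the workflows would then compute a toolchain version that had no influence on the binary. Since the final stage is now `FROM scratch` with no `ENTRYPOINT`, a comment above it such as `# export-only stage: use with --output type=local, not runnable` would keep someone from trying to `docker run` the result.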
From b8981b04ccd75398335120f03033f61be8e1e0f3 Mon Sep 17 00:00:00 2001
From: bakhtin
Date: Fri, 7 Nov 2025 14:40:01 +0000
Subject: [PATCH 2/3] repro
Signed-off-by: bakhtin
---
.github/workflows/release.yml | 3 +--
.github/workflows/reproducible-build.yml | 21 +++++++++++++--------
2 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 266fc7e9..dc1e8302 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -106,8 +106,7 @@ jobs:
- name: Record artifacts checksums
working-directory: artifacts
run: |
- find ./ || true
- for file in *; do sha256sum "$file" >> sha256sums.txt; done;
+ find ./ -type f -exec sha256sum {} \; >> sha256sums.txt
cat sha256sums.txt
- name: Create release draft
uses: softprops/action-gh-release@v2.0.5
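Review bot: `sha256sums.txt` is created by the `>>` redirection in the working directory before `find` starts walking, so `find ./ -type f` also matches the checksum file and appends a hash of its own partially written contents. That entry can never pass `sha256sum -c`. Excluding the file, truncating instead of appending, and sorting so the list is stable between runs avoids this: `find . -type f ! -name sha256sums.txt -exec sha256sum {} + | sort -k2 > sha256sums.txt`. The job surrounding this step lies outside the hunk.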
diff --git a/.github/workflows/reproducible-build.yml b/.github/workflows/reproducible-build.yml
index adc663cd..b931315d 100644
--- a/.github/workflows/reproducible-build.yml
+++ b/.github/workflows/reproducible-build.yml
@@ -18,21 +18,26 @@ jobs:
machine: machine-2
steps:
- uses: actions/checkout@v5
+
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- - name: Build reproducible binary with Docker
+
+ - name: Install rust
run: |
- docker build -f Dockerfile.reproducible -t flowproxy:reproducible .
- - name: Extract binary from Docker image
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+
+ - name: Build reproducible binary with Docker
run: |
- # Create a temporary container and copy the binary
- docker create --name temp-container flowproxy:reproducible
- docker cp temp-container:/flowproxy ./flowproxy
- docker rm temp-container
+ RUST_TOOLCHAIN=$(rustc --version | cut -d' ' -f2)
+ docker build -f Dockerfile.reproducible \
+ --build-arg "RUST_TOOLCHAIN=${RUST_TOOLCHAIN}" \
+ -t flowproxy:reproducible \
+ --output type=local,dest=./target .
+
- name: Calculate SHA256
id: sha256
run: |
- sha256sum flowproxy > flowproxy.sha256
+ sha256sum ./target/flowproxy > flowproxy.sha256
echo "hash=$(cat flowproxy.sha256 | cut -d' ' -f1)" >> $GITHUB_OUTPUT
echo "Binary SHA256 on ${{ matrix.machine }}: $(cat flowproxy.sha256)"
- name: Upload the hash
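Review bot: `-t flowproxy:reproducible` appears to have no effect in the new build command, because `--output type=local,dest=./target` exports the final stage's filesystem to a directory and, as far as the local exporter's documented behaviour goes, produces no image to carry a tag. Dropping the `-t` line here, and in the matching step of `release.yml` from patch 1/3, would make it clear that the only product is `./target/flowproxy`. If a tagged image is still wanted for some later step not visible in this hunk, it needs a separate build or an additional image output.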
From 4472c3f96771009e80fa6655e5f6bf4f0b69cc47 Mon Sep 17 00:00:00 2001
From: bakhtin
Date: Fri, 7 Nov 2025 15:05:49 +0000
Subject: [PATCH 3/3] release fix
Signed-off-by: bakhtin
---
.github/workflows/release.yml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index dc1e8302..145b61ae 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -74,7 +74,8 @@ jobs:
- name: Calculate SHA256
id: sha256
run: |
- sha256sum ./target/flowproxy > flowproxy-${{ needs.extract-version.outputs.VERSION }}.sha256
+ mv ./target/flowproxy flowproxy-${{ needs.extract-version.outputs.VERSION }}-x86_64-unknown-linux-gnu
+ sha256sum flowproxy-${{ needs.extract-version.outputs.VERSION }}-x86_64-unknown-linux-gnu > flowproxy-${{ needs.extract-version.outputs.VERSION }}.sha256
echo "hash=$(cat flowproxy-${{ needs.extract-version.outputs.VERSION }}.sha256 | cut -d' ' -f1)" >> $GITHUB_OUTPUT
echo "Binary SHA256: $(cat flowproxy-${{ needs.extract-version.outputs.VERSION }}.sha256)"
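Review bot: The two added lines expand `${{ needs.extract-version.outputs.VERSION }}` straight into the shell script, unquoted, and the runner substitutes that text before bash parses it. If the output is ever derived from a tag or branch name (its source is not visible in this patch), whitespace or shell metacharacters in it become part of the script of a job that holds `packages: write`. Binding the value once through `env:` and using a quoted `"$VERSION"` keeps it as data and removes the four repeated file-name expressions. The upload step in the next hunk uses the expression only in `with:` inputs, which are not shell-parsed.

```yaml
- name: Calculate SHA256
  id: sha256
  env:
    VERSION: ${{ needs.extract-version.outputs.VERSION }}
  run: |
    bin="flowproxy-${VERSION}-x86_64-unknown-linux-gnu"
    sum="flowproxy-${VERSION}.sha256"
    mv ./target/flowproxy "$bin"
    sha256sum "$bin" > "$sum"
    echo "hash=$(cut -d' ' -f1 "$sum")" >> "$GITHUB_OUTPUT"
    echo "Binary SHA256: $(cat "$sum")"
```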
@@ -83,7 +84,7 @@ jobs:
with:
name: flowproxy-${{ needs.extract-version.outputs.VERSION }}-x86_64-unknown-linux-gnu
path: |
- ./target/flowproxy
+ flowproxy-${{ needs.extract-version.outputs.VERSION }}-x86_64-unknown-linux-gnu
flowproxy-${{ needs.extract-version.outputs.VERSION }}.sha256
draft-release: