Build Determinism Discipline
Same input, same output.
What deterministic builds mean
Same inputs, same outputs. Byte-identical artifact every time.
Lets an independent rebuild detect tampered artifacts (supply-chain attacks), reproducibility bugs, and "works on my machine" surprises.
Required for SLSA level 3+. Increasingly required by regulated industries.
Common sources of non-determinism
Timestamps in artifacts: embedded build time, modification times on files inside tarballs.
Random orderings: file globs, hash maps, parallel build outputs.
Dependency versions resolved at build time. Pin everything; lockfiles or Bazel-style hermetic builds.
How to fix non-determinism
Set `SOURCE_DATE_EPOCH` env var. Most build tools honor it for embedded timestamps.
Sort file lists explicitly. `find ... | sort | xargs ...`.
Pin every dependency to a hash, not a version. Bazel's MODULE.bazel.lock, Nix's flake.lock, Cargo.lock with frozen mode.
Validate determinism
Build twice on different machines. Compare hashes.
diffoscope tells you what differs. Often reveals one stray timestamp.
CI job that builds, hashes, builds again, compares. Flag any drift.
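The fix-and-validate loop above, as an added example that is not part of the original page: a Python stand-in for a tarball build that applies the fixes listed (timestamps pinned to a SOURCE_DATE_EPOCH value, sorted file order, normalized owner fields), then runs the build-twice-and-compare check against two constructed checkouts whose file mtimes differ. The `build_tarball`, `make_checkout` and `builds_agree` names, the epoch value and the sample files are all assumptions made for illustration.

```python
import gzip
import hashlib
import io
import os
import tarfile
import tempfile
from typing import Optional

def build_tarball(src_dir: str, source_date_epoch: Optional[int]) -> bytes:
    """Pack src_dir into .tar.gz. None = naive build (fs mtimes, walk order,
    owner ids, gzip wall clock). An epoch = timestamps/order/owners normalized."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for root, dirs, files in os.walk(src_dir):
            if source_date_epoch is not None:
                dirs.sort()   # sorting in place also fixes the walk order
                files.sort()  # codepoint order, not locale-dependent like `sort`
            for name in files:
                path = os.path.join(root, name)
                info = tar.gettarinfo(path, arcname=os.path.relpath(path, src_dir))
                if source_date_epoch is not None:
                    info.mtime = source_date_epoch
                    info.uid = info.gid = 0
                    info.uname = info.gname = ""
                with open(path, "rb") as fh:
                    tar.addfile(info, fh)
    out = io.BytesIO()
    # gzip has its own MTIME header field; None means "now", so pin it as well.
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=source_date_epoch) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def make_checkout(base: str, checkout_time: int) -> str:
    """Constructed sample tree; checkout_time simulates a clone made elsewhere."""
    src = os.path.join(base, f"checkout-{checkout_time}")
    os.makedirs(os.path.join(src, "lib"))
    for rel, body in (("main.py", b"print('hi')\n"), ("lib/util.py", b"X = 1\n")):
        path = os.path.join(src, rel)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (checkout_time, checkout_time))
    return src

def builds_agree(deterministic: bool) -> bool:
    """The CI check: build the same source twice, compare artifact hashes."""
    epoch = 1700000000 if deterministic else None  # SOURCE_DATE_EPOCH stand-in
    with tempfile.TemporaryDirectory() as tmp:
        a = build_tarball(make_checkout(tmp, 1700000000), epoch)
        b = build_tarball(make_checkout(tmp, 1700086400), epoch)  # a day later
        return hashlib.sha256(a).hexdigest() == hashlib.sha256(b).hexdigest()
```

With `deterministic=False` the hashes drift on the file mtimes alone, the kind of single stray timestamp diffoscope would point at.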
When to invest
Required for any artifact you'll publish externally (npm, Docker Hub, container registry).
Recommended for production deploys; the supply-chain risk reduction is real.
Skip for internal-only tools where reproducibility is not load-bearing. Spend the engineering hours where they pay back.