fix: correct git timestamp retrieval and integration test issues

Fix critical bug where git commands were running without a working
directory set, causing 'exit status 128' failures. Also fix 7 issues
in TestDockerPackage_OCILayout_Determinism_Integration.

Git Timestamp Fix:
- Move getGitCommitTimestamp from sbom.go to gitinfo.go
- Rename to GetCommitTimestamp (exported, follows codebase patterns)
- Accept GitInfo directly (contains commit hash and working directory)
- Ensure git commands run in correct repository directory
- Improve error handling and messages

Integration Test Fixes:
1. Use FindWorkspace instead of undefined Load function
2. Correct build method signature (buildctx parameter)
3. Fix package name format (use FullName())
4. Initialize buildContext properly (avoid nil pointer)
5. Initialize ConsoleReporter (avoid nil pointer)
6. Set git user config (required for commits)
7. Use deterministic git timestamps (GIT_AUTHOR_DATE/GIT_COMMITTER_DATE)

Impact:
- Fixes CI failures when building Docker packages
- Enables integration test to run successfully
- Verifies OCI layout determinism (same checksum across builds)
- Improves code organization and maintainability

Verification:
- Unit tests pass
- Integration test passes with deterministic checksums
- No backward compatibility issues

Co-authored-by: Ona <no-reply@ona.com>

Author: leodido

pkg/leeway/build.go

@@ -2437,11 +2437,11 @@ func (p *Package) getDeterministicMtime() (int64, error) {
 			"Building from source tarballs without git metadata will cause cache inconsistencies")
 	}
 
-	timestamp, err := getGitCommitTimestamp(context.Background(), commit)
+	timestamp, err := GetCommitTimestamp(context.Background(), p.C.Git())
 	if err != nil {
-		return 0, fmt.Errorf("failed to get deterministic timestamp for tar mtime (commit: %s): %w. "+
+		return 0, fmt.Errorf("failed to get deterministic timestamp for tar mtime: %w. "+
 			"Ensure git is available and the repository is not a shallow clone, or set SOURCE_DATE_EPOCH environment variable",
-			commit, err)
+			err)
 	}
 	return timestamp.Unix(), nil
 }

pkg/leeway/build_integration_test.go

@@ -590,42 +590,64 @@ CMD ["cat", "/build-time.txt"]
 		t.Fatal(err)
 	}
 
+	gitConfigName := exec.Command("git", "config", "user.name", "Test User")
+	gitConfigName.Dir = wsDir
+	if err := gitConfigName.Run(); err != nil {
+		t.Fatal(err)
+	}
+
+	gitConfigEmail := exec.Command("git", "config", "user.email", "test@example.com")
+	gitConfigEmail.Dir = wsDir
+	if err := gitConfigEmail.Run(); err != nil {
+		t.Fatal(err)
+	}
+
 	gitAdd := exec.Command("git", "add", ".")
 	gitAdd.Dir = wsDir
 	if err := gitAdd.Run(); err != nil {
 		t.Fatal(err)
 	}
 
+	// Use fixed timestamp for deterministic git commit
+	// This ensures the commit timestamp is the same across test runs
 	gitCommit := exec.Command("git", "commit", "-m", "initial")
 	gitCommit.Dir = wsDir
+	gitCommit.Env = append(os.Environ(),
+		"GIT_AUTHOR_DATE=2021-01-01T00:00:00Z",
+		"GIT_COMMITTER_DATE=2021-01-01T00:00:00Z",
+	)
 	if err := gitCommit.Run(); err != nil {
 		t.Fatal(err)
 	}
 
 	// Build first time
 	cacheDir1 := filepath.Join(tmpDir, "cache1")
-	if err := os.MkdirAll(cacheDir1, 0755); err != nil {
+	cache1, err := local.NewFilesystemCache(cacheDir1)
+	if err != nil {
 		t.Fatal(err)
 	}
 
-	buildCtx1 := &buildContext{
-		LocalCache:           &FilesystemCache{Location: cacheDir1},
-		DockerExportToCache:  true,
-		DockerExportSet:      true,
-		Reporter:             &ConsoleReporter{},
+	buildCtx1, err := newBuildContext(buildOptions{
+		LocalCache:          cache1,
+		DockerExportToCache: true,
+		DockerExportSet:     true,
+		Reporter:            NewConsoleReporter(),
+	})
+	if err != nil {
+		t.Fatalf("Failed to create build context: %v", err)
 	}
 
-	ws1, err := Load(wsDir)
+	ws1, err := FindWorkspace(wsDir, Arguments{}, "", "")
 	if err != nil {
 		t.Fatalf("Failed to load workspace: %v", err)
 	}
 
-	pkg1, exists := ws1.Packages[":test-image"]
+	pkg1, exists := ws1.Packages["//:test-image"]
 	if !exists {
-		t.Fatal("Package :test-image not found")
+		t.Fatal("Package //:test-image not found")
 	}
 
-	if _, err := pkg1.build(buildCtx1); err != nil {
+	if err := pkg1.build(buildCtx1); err != nil {
 		t.Fatalf("First build failed: %v", err)
 	}
 
@@ -641,28 +663,32 @@ CMD ["cat", "/build-time.txt"]
 
 	// Build second time (clean cache)
 	cacheDir2 := filepath.Join(tmpDir, "cache2")
-	if err := os.MkdirAll(cacheDir2, 0755); err != nil {
+	cache2, err := local.NewFilesystemCache(cacheDir2)
+	if err != nil {
 		t.Fatal(err)
 	}
 
-	buildCtx2 := &buildContext{
-		LocalCache:           &FilesystemCache{Location: cacheDir2},
-		DockerExportToCache:  true,
-		DockerExportSet:      true,
-		Reporter:             &ConsoleReporter{},
+	buildCtx2, err := newBuildContext(buildOptions{
+		LocalCache:          cache2,
+		DockerExportToCache: true,
+		DockerExportSet:     true,
+		Reporter:            NewConsoleReporter(),
+	})
+	if err != nil {
+		t.Fatalf("Failed to create build context: %v", err)
 	}
 
-	ws2, err := Load(wsDir)
+	ws2, err := FindWorkspace(wsDir, Arguments{}, "", "")
 	if err != nil {
 		t.Fatalf("Failed to load workspace: %v", err)
 	}
 
-	pkg2, exists := ws2.Packages[":test-image"]
+	pkg2, exists := ws2.Packages["//:test-image"]
 	if !exists {
-		t.Fatal("Package :test-image not found")
+		t.Fatal("Package //:test-image not found")
 	}
 
-	if _, err := pkg2.build(buildCtx2); err != nil {
+	if err := pkg2.build(buildCtx2); err != nil {
 		t.Fatalf("Second build failed: %v", err)
 	}
 

pkg/leeway/gitinfo.go

@@ -1,11 +1,14 @@
 package leeway
 
 import (
+	"context"
 	"fmt"
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strconv"
 	"strings"
+	"time"
 
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/xerrors"
@@ -174,3 +177,53 @@ func (info *GitInfo) DirtyFiles(files []string) bool {
 	}
 	return false
 }
+
+// GetCommitTimestamp returns the timestamp of a git commit.
+// It first checks SOURCE_DATE_EPOCH for reproducible builds, then falls back to git.
+// The context allows for cancellation of the git command if the build is cancelled.
+//
+// This function is used for:
+// - Deterministic tar mtime in package builds
+// - SBOM timestamp normalization
+// - Any operation requiring reproducible timestamps
+func GetCommitTimestamp(ctx context.Context, gitInfo *GitInfo) (time.Time, error) {
+	// Try SOURCE_DATE_EPOCH first (for reproducible builds)
+	// This takes precedence over git to allow explicit override
+	if epoch := os.Getenv("SOURCE_DATE_EPOCH"); epoch != "" {
+		timestamp, err := strconv.ParseInt(epoch, 10, 64)
+		if err == nil {
+			return time.Unix(timestamp, 0).UTC(), nil
+		}
+		// Log warning but continue to git fallback
+		log.WithError(err).WithField("SOURCE_DATE_EPOCH", epoch).Warn("Invalid SOURCE_DATE_EPOCH, falling back to git commit timestamp")
+	}
+
+	// Validate git information is available
+	if gitInfo == nil {
+		return time.Time{}, fmt.Errorf("no git information available")
+	}
+
+	if gitInfo.Commit == "" {
+		return time.Time{}, fmt.Errorf("no git commit available")
+	}
+
+	// Execute git command with context support for cancellation
+	cmd := exec.CommandContext(ctx, "git", "show", "-s", "--format=%ct", gitInfo.Commit)
+	cmd.Dir = gitInfo.WorkingCopyLoc
+	
+	output, err := cmd.Output()
+	if err != nil {
+		return time.Time{}, &GitError{
+			Op:  fmt.Sprintf("show -s --format=%%ct %s", gitInfo.Commit),
+			Err: err,
+		}
+	}
+
+	// Parse Unix timestamp
+	timestamp, err := strconv.ParseInt(strings.TrimSpace(string(output)), 10, 64)
+	if err != nil {
+		return time.Time{}, fmt.Errorf("failed to parse commit timestamp '%s': %w", strings.TrimSpace(string(output)), err)
+	}
+
+	return time.Unix(timestamp, 0).UTC(), nil
+}

pkg/leeway/sbom.go

@@ -10,11 +10,9 @@ import (
 	"fmt"
 	"io"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"regexp"
 	"runtime"
-	"strconv"
 	"strings"
 	"time"
 
@@ -103,33 +101,6 @@ func GetSBOMParallelism(sbomConfig WorkspaceSBOM) int {
 	return runtime.NumCPU()
 }
 
-// getGitCommitTimestamp returns the timestamp of the git commit.
-// The context allows for cancellation of the git command if the build is cancelled.
-func getGitCommitTimestamp(ctx context.Context, commit string) (time.Time, error) {
-	// Try SOURCE_DATE_EPOCH first (for reproducible builds)
-	if epoch := os.Getenv("SOURCE_DATE_EPOCH"); epoch != "" {
-		timestamp, err := strconv.ParseInt(epoch, 10, 64)
-		if err == nil {
-			return time.Unix(timestamp, 0).UTC(), nil
-		}
-		// Log warning but continue to git fallback
-		log.WithError(err).WithField("SOURCE_DATE_EPOCH", epoch).Warn("Invalid SOURCE_DATE_EPOCH, falling back to git commit timestamp")
-	}
-
-	// Get commit timestamp from git with context support for cancellation
-	cmd := exec.CommandContext(ctx, "git", "show", "-s", "--format=%ct", commit)
-	output, err := cmd.Output()
-	if err != nil {
-		return time.Time{}, fmt.Errorf("failed to get commit timestamp: %w", err)
-	}
-
-	timestamp, err := strconv.ParseInt(strings.TrimSpace(string(output)), 10, 64)
-	if err != nil {
-		return time.Time{}, fmt.Errorf("failed to parse commit timestamp: %w", err)
-	}
-
-	return time.Unix(timestamp, 0).UTC(), nil
-}
 
 // generateDeterministicUUID generates a UUIDv5 from content
 func generateDeterministicUUID(content []byte) string {
@@ -324,11 +295,11 @@ func writeSBOM(buildctx *buildContext, p *Package, builddir string) (err error)
 	}
 
 	// Normalize SBOMs after generation
-	timestamp, err := getGitCommitTimestamp(context.Background(), p.C.Git().Commit)
+	timestamp, err := GetCommitTimestamp(context.Background(), p.C.Git())
 	if err != nil {
-		return fmt.Errorf("failed to get deterministic timestamp for SBOM normalization (commit: %s): %w. "+
+		return fmt.Errorf("failed to get deterministic timestamp for SBOM normalization: %w. "+
 			"Ensure git is available and the repository is not a shallow clone, or set SOURCE_DATE_EPOCH environment variable", 
-			p.C.Git().Commit, err)
+			err)
 	}
 
 	// Normalize CycloneDX

pkg/leeway/sbom_normalize_test.go

@@ -67,7 +67,7 @@ func TestGenerateDeterministicUUID(t *testing.T) {
 	}
 }
 
-func TestGetGitCommitTimestamp_SourceDateEpoch(t *testing.T) {
+func TestGetCommitTimestamp_SourceDateEpoch(t *testing.T) {
 	// Save original env var
 	originalEnv := os.Getenv("SOURCE_DATE_EPOCH")
 	defer func() {
@@ -111,7 +111,12 @@ func TestGetGitCommitTimestamp_SourceDateEpoch(t *testing.T) {
 			}
 
 			// Use HEAD as commit (should exist in test environment)
-			timestamp, err := getGitCommitTimestamp(context.Background(), "HEAD")
+			wd, _ := os.Getwd()
+			gitInfo := &GitInfo{
+				Commit:         "HEAD",
+				WorkingCopyLoc: wd,
+			}
+			timestamp, err := GetCommitTimestamp(context.Background(), gitInfo)
 
 			if tt.wantErr && err == nil {
 				t.Error("expected error, got nil")
@@ -128,11 +133,17 @@ func TestGetGitCommitTimestamp_SourceDateEpoch(t *testing.T) {
 	}
 }
 
-func TestGetGitCommitTimestamp_GitCommit(t *testing.T) {
+func TestGetCommitTimestamp_GitCommit(t *testing.T) {
 	// This test requires being in a git repository
 	// Use HEAD as a known commit
 	ctx := context.Background()
-	timestamp, err := getGitCommitTimestamp(ctx, "HEAD")
+	wd, _ := os.Getwd()
+	gitInfo := &GitInfo{
+		Commit:         "HEAD",
+		WorkingCopyLoc: wd,
+	}
+	
+	timestamp, err := GetCommitTimestamp(ctx, gitInfo)
 	if err != nil {
 		t.Skipf("skipping test: not in a git repository or git not available: %v", err)
 	}
@@ -148,7 +159,7 @@ func TestGetGitCommitTimestamp_GitCommit(t *testing.T) {
 	}
 
 	// Verify deterministic: calling twice should return same result
-	timestamp2, err := getGitCommitTimestamp(ctx, "HEAD")
+	timestamp2, err := GetCommitTimestamp(ctx, gitInfo)
 	if err != nil {
 		t.Fatalf("second call failed: %v", err)
 	}
@@ -157,12 +168,18 @@ func TestGetGitCommitTimestamp_GitCommit(t *testing.T) {
 	}
 }
 
-func TestGetGitCommitTimestamp_ContextCancellation(t *testing.T) {
+func TestGetCommitTimestamp_ContextCancellation(t *testing.T) {
 	// Create a cancelled context
 	ctx, cancel := context.WithCancel(context.Background())
 	cancel() // Cancel immediately
 
-	_, err := getGitCommitTimestamp(ctx, "HEAD")
+	wd, _ := os.Getwd()
+	gitInfo := &GitInfo{
+		Commit:         "HEAD",
+		WorkingCopyLoc: wd,
+	}
+	
+	_, err := GetCommitTimestamp(ctx, gitInfo)
 	if err == nil {
 		t.Error("expected error with cancelled context, got nil")
 	}