Make the image builds deterministic

Author: myftija

packages/cli-v3/package.json

@@ -92,10 +92,10 @@
     "@opentelemetry/resources": "2.0.1",
     "@opentelemetry/sdk-trace-node": "2.0.1",
     "@opentelemetry/semantic-conventions": "1.36.0",
+    "@s2-dev/streamstore": "^0.17.6",
     "@trigger.dev/build": "workspace:4.2.0",
     "@trigger.dev/core": "workspace:4.2.0",
     "@trigger.dev/schema-to-json": "workspace:4.2.0",
-    "@s2-dev/streamstore": "^0.17.6",
     "ansi-escapes": "^7.0.0",
     "braces": "^3.0.3",
     "c12": "^1.11.1",
@@ -117,6 +117,7 @@
     "import-in-the-middle": "1.11.0",
     "import-meta-resolve": "^4.1.0",
     "ini": "^5.0.0",
+    "json-stable-stringify": "^1.3.0",
     "jsonc-parser": "3.2.1",
     "magicast": "^0.3.4",
     "minimatch": "^10.0.1",

packages/cli-v3/src/build/buildWorker.ts

@@ -12,7 +12,7 @@ import { join, relative, sep } from "node:path";
 import { generateContainerfile } from "../deploy/buildImage.js";
 import { writeFile } from "node:fs/promises";
 import { buildManifestToJSON } from "../utilities/buildManifest.js";
-import { readPackageJSON, writePackageJSON } from "pkg-types";
+import { readPackageJSON } from "pkg-types";
 import { writeJSONFile } from "../utilities/fileSystem.js";
 import { isWindows } from "std-env";
 import { pathToFileURL } from "node:url";
@@ -192,20 +192,23 @@ async function writeDeployFiles({
     ) ?? {};
 
   // Step 3: Write the resolved dependencies to the package.json file
-  await writePackageJSON(join(outputPath, "package.json"), {
-    ...packageJson,
-    name: packageJson.name ?? "trigger-project",
-    dependencies: {
-      ...dependencies,
+  await writeJSONFile(
+    join(outputPath, "package.json"),
+    {
+      ...packageJson,
+      name: packageJson.name ?? "trigger-project",
+      dependencies: {
+        ...dependencies,
+      },
+      trustedDependencies: Object.keys(dependencies).sort(),
+      devDependencies: {},
+      peerDependencies: {},
+      scripts: {},
     },
-    trustedDependencies: Object.keys(dependencies),
-    devDependencies: {},
-    peerDependencies: {},
-    scripts: {},
-  });
+    true
+  );
 
   await writeJSONFile(join(outputPath, "build.json"), buildManifestToJSON(buildManifest));
-  await writeJSONFile(join(outputPath, "metafile.json"), bundleResult.metafile);
   await writeContainerfile(outputPath, buildManifest);
 }
 

packages/cli-v3/src/build/bundle.ts

@@ -414,7 +414,9 @@ export async function createBuildManifestFromBundle({
     otelImportHook: {
       include: resolvedConfig.instrumentedPackageNames ?? [],
     },
-    outputHashes: bundle.outputHashes,
+    // `outputHashes` is only needed for dev builds for the deduplication mechanism during rebuilds.
+    // For deploys builds, we omit it to ensure deterministic builds
+    outputHashes: target === "dev" ? bundle.outputHashes : {},
   };
 
   if (!workerDir) {

packages/cli-v3/src/deploy/buildImage.ts

@@ -193,12 +193,12 @@ async function remoteBuildImage(options: DepotBuildImageOptions): Promise<BuildI
     "--metadata-file",
     "metadata.json",
     "--build-arg",
+    `SOURCE_DATE_EPOCH=0`,
+    "--build-arg",
     `TRIGGER_PROJECT_ID=${options.projectId}`,
     "--build-arg",
     `TRIGGER_DEPLOYMENT_ID=${options.deploymentId}`,
     "--build-arg",
-    `TRIGGER_DEPLOYMENT_VERSION=${options.deploymentVersion}`,
-    "--build-arg",
     `TRIGGER_CONTENT_HASH=${options.contentHash}`,
     "--build-arg",
     `TRIGGER_PROJECT_REF=${options.projectRef}`,
@@ -210,6 +210,8 @@ async function remoteBuildImage(options: DepotBuildImageOptions): Promise<BuildI
     `TRIGGER_SECRET_KEY=${options.apiKey}`,
     ...(buildArgs || []),
     ...(options.extraCACerts ? ["--build-arg", `NODE_EXTRA_CA_CERTS=${options.extraCACerts}`] : []),
+    "--output",
+    "type=image,rewrite-timestamp=true",
     "--progress",
     "plain",
     ".",
@@ -509,19 +511,17 @@ async function localBuildImage(options: SelfHostedBuildImageOptions): Promise<Bu
     options.imagePlatform,
     options.network ? `--network=${options.network}` : undefined,
     addHost ? `--add-host=${addHost}` : undefined,
-    push ? "--push" : undefined,
-    load ? "--load" : undefined,
     "--provenance",
     "false",
     "--metadata-file",
     "metadata.json",
     "--build-arg",
+    `SOURCE_DATE_EPOCH=0`,
+    "--build-arg",
     `TRIGGER_PROJECT_ID=${options.projectId}`,
     "--build-arg",
     `TRIGGER_DEPLOYMENT_ID=${options.deploymentId}`,
     "--build-arg",
-    `TRIGGER_DEPLOYMENT_VERSION=${options.deploymentVersion}`,
-    "--build-arg",
     `TRIGGER_CONTENT_HASH=${options.contentHash}`,
     "--build-arg",
     `TRIGGER_PROJECT_REF=${options.projectRef}`,
@@ -533,10 +533,12 @@ async function localBuildImage(options: SelfHostedBuildImageOptions): Promise<Bu
     `TRIGGER_SECRET_KEY=${options.apiKey}`,
     ...(buildArgs || []),
     ...(options.extraCACerts ? ["--build-arg", `NODE_EXTRA_CA_CERTS=${options.extraCACerts}`] : []),
+    "--output",
+    `type=image,name=${imageTag},rewrite-timestamp=true${push ? ",push=true" : ""}${
+      load ? ",load=true" : ""
+    }`,
     "--progress",
     "plain",
-    "-t",
-    imageTag,
     ".", // The build context
   ].filter(Boolean) as string[];
 
@@ -761,15 +763,11 @@ USER bun
 WORKDIR /app
 
 ARG TRIGGER_PROJECT_ID
-ARG TRIGGER_DEPLOYMENT_ID
-ARG TRIGGER_DEPLOYMENT_VERSION
 ARG TRIGGER_CONTENT_HASH
 ARG TRIGGER_PROJECT_REF
 ARG NODE_EXTRA_CA_CERTS
 
 ENV TRIGGER_PROJECT_ID=\${TRIGGER_PROJECT_ID} \
-    TRIGGER_DEPLOYMENT_ID=\${TRIGGER_DEPLOYMENT_ID} \
-    TRIGGER_DEPLOYMENT_VERSION=\${TRIGGER_DEPLOYMENT_VERSION} \
     TRIGGER_CONTENT_HASH=\${TRIGGER_CONTENT_HASH} \
     TRIGGER_PROJECT_REF=\${TRIGGER_PROJECT_REF} \
     UV_USE_IO_URING=0 \
@@ -875,15 +873,11 @@ USER node
 WORKDIR /app
 
 ARG TRIGGER_PROJECT_ID
-ARG TRIGGER_DEPLOYMENT_ID
-ARG TRIGGER_DEPLOYMENT_VERSION
 ARG TRIGGER_CONTENT_HASH
 ARG TRIGGER_PROJECT_REF
 ARG NODE_EXTRA_CA_CERTS
 
 ENV TRIGGER_PROJECT_ID=\${TRIGGER_PROJECT_ID} \
-    TRIGGER_DEPLOYMENT_ID=\${TRIGGER_DEPLOYMENT_ID} \
-    TRIGGER_DEPLOYMENT_VERSION=\${TRIGGER_DEPLOYMENT_VERSION} \
     TRIGGER_CONTENT_HASH=\${TRIGGER_CONTENT_HASH} \
     TRIGGER_PROJECT_REF=\${TRIGGER_PROJECT_REF} \
     UV_USE_IO_URING=0 \

packages/cli-v3/src/entryPoints/managed-index-controller.ts

@@ -10,6 +10,7 @@ import { CliApiClient } from "../apiClient.js";
 import { indexWorkerManifest } from "../indexing/indexWorkerManifest.js";
 import { resolveSourceFiles } from "../utilities/sourceFiles.js";
 import { execOptionsForRuntime } from "@trigger.dev/core/v3/build";
+import { writeJSONFile } from "../utilities/fileSystem.js";
 
 async function loadBuildManifest() {
   const manifestContents = await readFile("./build.json", "utf-8");
@@ -88,7 +89,8 @@ async function indexDeployment({
 
     console.log("Writing index.json", process.cwd());
 
-    await writeFile(join(process.cwd(), "index.json"), JSON.stringify(workerManifest, null, 2));
+    const { timings, ...manifestWithoutTimings } = workerManifest;
+    await writeJSONFile(join(process.cwd(), "index.json"), manifestWithoutTimings, true);
 
     const sourceFiles = resolveSourceFiles(buildManifest.sources, workerManifest.tasks);
 

packages/cli-v3/src/entryPoints/managed/env.ts

@@ -12,15 +12,15 @@ const DateEnv = z
 const Env = z.object({
   // Set at build time
   TRIGGER_CONTENT_HASH: z.string(),
-  TRIGGER_DEPLOYMENT_ID: z.string(),
-  TRIGGER_DEPLOYMENT_VERSION: z.string(),
   TRIGGER_PROJECT_ID: z.string(),
   TRIGGER_PROJECT_REF: z.string(),
   NODE_ENV: z.string().default("production"),
   NODE_EXTRA_CA_CERTS: z.string().optional(),
   UV_USE_IO_URING: z.string().optional(),
 
   // Set at runtime
+  TRIGGER_DEPLOYMENT_ID: z.string(),
+  TRIGGER_DEPLOYMENT_VERSION: z.string(),
   TRIGGER_WORKLOAD_CONTROLLER_ID: z.string().default(`controller_${randomUUID()}`),
   TRIGGER_ENV_ID: z.string(),
   OTEL_EXPORTER_OTLP_ENDPOINT: z.string().url(),

packages/cli-v3/src/utilities/buildManifest.ts

@@ -1,10 +1,12 @@
 import { BuildManifest } from "@trigger.dev/core/v3/schemas";
 
 export function buildManifestToJSON(manifest: BuildManifest): BuildManifest {
-  const { deploy, build, ...rest } = manifest;
+  const { deploy, build, externals, ...rest } = manifest;
 
   return {
     ...rest,
+    // sort externals for deterministic builds
+    externals: externals?.slice().sort((a, b) => a.name.localeCompare(b.name)),
     deploy: {},
     build: {},
   };

packages/cli-v3/src/utilities/fileSystem.ts

@@ -1,4 +1,5 @@
 import fsSync from "fs";
+import stringify from "json-stable-stringify";
 import fsModule, { writeFile } from "fs/promises";
 import fs from "node:fs";
 import { homedir, tmpdir } from "node:os";
@@ -159,7 +160,7 @@ export async function safeReadJSONFile(path: string) {
 }
 
 export async function writeJSONFile(path: string, json: any, pretty = false) {
-  await safeWriteFile(path, JSON.stringify(json, undefined, pretty ? 2 : undefined));
+  await safeWriteFile(path, stringify(json, pretty ? { space: 2 } : undefined) ?? "");
 }
 
 // Will create the directory if it doesn't exist