added a workflow attaching to tutorial

Author: amiller

.github/workflows/reproducible-build.yml

@@ -0,0 +1,107 @@
+name: Reproducible Build
+
+on:
+  push:
+    paths:
+      - 'tutorial/01a-reproducible-builds/**'
+  pull_request:
+    paths:
+      - 'tutorial/01a-reproducible-builds/**'
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}/tutorial-01a-oracle
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    defaults:
+      run:
+        working-directory: tutorial/01a-reproducible-builds
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Install skopeo
+        run: sudo apt-get update && sudo apt-get install -y skopeo
+
+      - name: Build reproducible image
+        run: |
+          docker buildx create --name repro-builder --driver docker-container || true
+          docker buildx build \
+            --builder repro-builder \
+            --build-arg SOURCE_DATE_EPOCH=0 \
+            --no-cache \
+            --output type=oci,dest=image.tar,rewrite-timestamp=true \
+            .
+
+      - name: Compute and display hash
+        id: hash
+        run: |
+          HASH=$(sha256sum image.tar | awk '{print $1}')
+          DIGEST=$(skopeo inspect oci-archive:image.tar | jq -r .Digest)
+          echo "image_hash=$HASH" >> $GITHUB_OUTPUT
+          echo "image_digest=$DIGEST" >> $GITHUB_OUTPUT
+          echo "## Reproducible Build Results" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Property | Value |" >> $GITHUB_STEP_SUMMARY
+          echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY
+          echo "| **Image Hash** | \`$HASH\` |" >> $GITHUB_STEP_SUMMARY
+          echo "| **Image Digest** | \`$DIGEST\` |" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "Compare with your local build:" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY
+          echo "cd tutorial/01a-reproducible-builds && ./build-reproducible.sh" >> $GITHUB_STEP_SUMMARY
+          echo "cat build-manifest.json" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+
+      - name: Verify against committed manifest
+        run: |
+          if [[ -f build-manifest.json ]]; then
+            EXPECTED=$(jq -r .image_hash build-manifest.json)
+            ACTUAL="${{ steps.hash.outputs.image_hash }}"
+            echo "Expected: $EXPECTED"
+            echo "Actual:   $ACTUAL"
+            if [[ "$EXPECTED" == "$ACTUAL" ]]; then
+              echo "✓ Build matches committed manifest"
+            else
+              echo "✗ Build differs from committed manifest"
+              exit 1
+            fi
+          else
+            echo "No build-manifest.json found - skipping verification"
+          fi
+
+      - name: Upload OCI image
+        uses: actions/upload-artifact@v4
+        with:
+          name: reproducible-image
+          path: tutorial/01a-reproducible-builds/image.tar
+          retention-days: 7
+
+      - name: Login to GHCR
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push to GHCR
+        if: github.event_name != 'pull_request'
+        run: |
+          IMAGE_TAG="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}"
+          skopeo copy oci-archive:image.tar docker://$IMAGE_TAG
+          echo "Pushed: $IMAGE_TAG" >> $GITHUB_STEP_SUMMARY
+          if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
+            LATEST_TAG="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
+            skopeo copy oci-archive:image.tar docker://$LATEST_TAG
+            echo "Pushed: $LATEST_TAG" >> $GITHUB_STEP_SUMMARY
+          fi