stabilize hashes

aslilac · aslilac · commit a92e371ce242 · 2025-05-13T18:54:32.000Z
diff --git a/provisioner/terraform/modules.go b/provisioner/terraform/modules.go
@@ -9,6 +9,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"time"
 
 	"golang.org/x/xerrors"
 
@@ -94,33 +95,28 @@ func GetModulesArchive(root fs.FS) ([]byte, error) {
 			continue
 		}
 
-		err := fs.WalkDir(root, it.Dir, func(filePath string, info fs.DirEntry, err error) error {
+		err := fs.WalkDir(root, it.Dir, func(filePath string, d fs.DirEntry, err error) error {
 			if err != nil {
 				return xerrors.Errorf("failed to create modules archive: %w", err)
 			}
-			fileType := info.Type()
-			if !fileType.IsRegular() && !fileType.IsDir() {
+			fileMode := d.Type()
+			if !fileMode.IsRegular() && !fileMode.IsDir() {
 				return nil
 			}
-			fileInfo, err := info.Info()
+			fileInfo, err := d.Info()
 			if err != nil {
 				return xerrors.Errorf("failed to archive module file %q: %w", filePath, err)
 			}
-			header, err := tar.FileInfoHeader(fileInfo, "")
+			header, err := fileHeader(filePath, fileMode, fileInfo)
 			if err != nil {
 				return xerrors.Errorf("failed to archive module file %q: %w", filePath, err)
 			}
-			header.Name = filePath
-			if fileType.IsDir() {
-				header.Name += "/"
-			}
-
 			err = w.WriteHeader(header)
 			if err != nil {
 				return xerrors.Errorf("failed to add module file %q to archive: %w", filePath, err)
 			}
 
-			if !fileType.IsRegular() {
+			if !fileMode.IsRegular() {
 				return nil
 			}
 			empty = false
@@ -140,13 +136,7 @@ func GetModulesArchive(root fs.FS) ([]byte, error) {
 		}
 	}
 
-	err = w.WriteHeader(&tar.Header{
-		Name: ".terraform/modules/modules.json",
-		Size: int64(len(modulesFileContent)),
-		Mode: 0o644,
-		Uid:  1000,
-		Gid:  1000,
-	})
+	err = w.WriteHeader(defaultFileHeader(".terraform/modules/modules.json", len(modulesFileContent)))
 	if err != nil {
 		return nil, xerrors.Errorf("failed to write modules.json to archive: %w", err)
 	}
@@ -163,3 +153,33 @@ func GetModulesArchive(root fs.FS) ([]byte, error) {
 	}
 	return b.Bytes(), nil
 }
+
+func fileHeader(filePath string, fileMode fs.FileMode, fileInfo fs.FileInfo) (*tar.Header, error) {
+	header, err := tar.FileInfoHeader(fileInfo, "")
+	if err != nil {
+		return nil, xerrors.Errorf("failed to archive module file %q: %w", filePath, err)
+	}
+	header.Name = filePath
+	if fileMode.IsDir() {
+		header.Name += "/"
+	}
+	// Erase a bunch of metadata that we don't need so that we get more consistent
+	// hashes from the resulting archive.
+	header.AccessTime = time.Time{}
+	header.ChangeTime = time.Time{}
+	header.ModTime = time.Time{}
+	header.Uname = ""
+	header.Gname = ""
+
+	return header, nil
+}
+
+func defaultFileHeader(filePath string, length int) *tar.Header {
+	return &tar.Header{
+		Name: filePath,
+		Size: int64(length),
+		Mode: 0o644,
+		Uid:  1000,
+		Gid:  1000,
+	}
+}
diff --git a/provisioner/terraform/modules_internal_test.go b/provisioner/terraform/modules_internal_test.go
@@ -1,13 +1,9 @@
 package terraform
 
 import (
-	"archive/tar"
 	"bytes"
 	"crypto/sha256"
 	"encoding/hex"
-	"errors"
-	"fmt"
-	"io"
 	"io/fs"
 	"os"
 	"path/filepath"
@@ -58,20 +54,11 @@ func TestGetModulesArchive(t *testing.T) {
 		_, err = fs.ReadFile(tarfs, ".terraform/modules/stuff_that_should_not_be_included/nothing.txt")
 		require.Error(t, err)
 
-		r := tar.NewReader(bytes.NewBuffer(archive))
-		for {
-			h, err := r.Next()
-			if errors.Is(err, io.EOF) {
-				break
-			}
-			fmt.Printf("- %v (%v) [%v:%v] %#v\n", h.Name, h.Size, h.Uid, h.Gid, h)
-		}
-
 		// It should always be byte-identical to optimize storage
 		hashBytes := sha256.Sum256(archive)
 		hash := hex.EncodeToString(hashBytes[:])
 		if runtime.GOOS != "windows" {
-			require.Equal(t, "b956016b8ddc50a0fe107f5f0e1d6a21e936df828e484be456969329dae0afe0", hash)
+			require.Equal(t, "8491a8ab368f00a7eb0e927a957a3b0e4bf5df322c5b330d7b92b8b043a3d1d9", hash)
 		} else {
 			require.Equal(t, "c219943913051e4637527cd03ae2b7303f6945005a262cdd420f9c2af490d572", hash)
 		}
