From b6e4d89a2ceb6223738a0a818fdeabf46573972a Mon Sep 17 00:00:00 2001
From: Joakim Persson
Date: Wed, 20 May 2026 22:45:27 +0200
Subject: [PATCH] ci: filter __pycache__ and macOS metadata from base hash compute
Defensive against local-vs-CI hash divergence. `find rootfs -type f` includes gitignored junk like rootfs/__pycache__/*.pyc and macOS .DS_Store/._AppleDouble files, which CI's clean checkout never sees. This bit us during v1.15.4 debugging when a stale generate-config.cpython-314.pyc on the local rootfs/ produced base-3605aa6b6ab1 while CI computed base-35ee5fe7861a. Took meaningful time to track down because git status doesn't surface gitignored files. Verified: same filter applied to current clean tree still produces 35ee5fe7861a (the published v1.15.4b base digest).
---
 .gitea/README.md | 11 ++++++++++-
 .gitea/workflows/docker-publish-split.yml | 11 ++++++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/.gitea/README.md b/.gitea/README.md
index 72c3554..36fb81c 100644
--- a/.gitea/README.md
+++ b/.gitea/README.md
@@ -81,11 +81,20 @@ content: ```sh { cat Dockerfile.base
- find rootfs -type f -print0 | sort -z | xargs -0 cat
+ find rootfs -type f \
+ ! -path '*/__pycache__/*' \
+ ! -name '*.pyc' \
+ ! -name '.DS_Store' \
+ ! -name '._*' \
+ -print0 | sort -z | xargs -0 cat
 cat entrypoint.sh entrypoint-user.sh } | sha256sum | cut -c1-12 ```
+Junk filters keep the local recompute reproducible against CI's clean
+checkout — `__pycache__/*.pyc` and macOS metadata files (`.DS_Store`,
+`._AppleDouble`) are gitignored but still walked by `find -type f`.
+
 The 12-character truncated hash becomes `base-`. Probe Docker Hub for this tag via `docker manifest inspect`:
diff --git a/.gitea/workflows/docker-publish-split.yml b/.gitea/workflows/docker-publish-split.yml
index 66be77f..6064581 100644
--- a/.gitea/workflows/docker-publish-split.yml
+++ b/.gitea/workflows/docker-publish-split.yml
@@ -63,10 +63,19 @@ jobs: run: | # Hash inputs that determine the base image's contents. # Order is fixed via `find -print0 | sort -z` for reproducibility.
+ # Junk filters: __pycache__/*.pyc and macOS metadata (.DS_Store,
+ # ._AppleDouble) are gitignored locally but still picked up by
+ # `find rootfs -type f`, which would diverge the local hash from
+ # CI's clean checkout. Exclude them defensively here.
 HASH=$( { cat Dockerfile.base
- find rootfs -type f -print0 2>/dev/null | sort -z | xargs -0 cat 2>/dev/null
+ find rootfs -type f \
+ ! -path '*/__pycache__/*' \
+ ! -name '*.pyc' \
+ ! -name '.DS_Store' \
+ ! -name '._*' \
+ -print0 2>/dev/null | sort -z | xargs -0 cat 2>/dev/null
 cat entrypoint.sh entrypoint-user.sh } | sha256sum | cut -c1-12 )
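Review bot: The name-based exclusions in the new `find` (`*/__pycache__/*`, `*.pyc`, `.DS_Store`, `._*`) also drop any tracked file under rootfs that happens to match, so a change to such a file would leave the `base-` tag unchanged and an already-published base image would presumably be reused with different contents. Hashing exactly the tracked set avoids the denylist and matches CI's clean checkout by construction, for example `git ls-files -z -- rootfs | LC_ALL=C sort -z | xargs -0 cat`; pinning `LC_ALL=C` also removes locale-dependent ordering between a macOS workstation and the runner. The `2>/dev/null` kept on both `find` and `xargs -0 cat` means a missing or unreadable input still yields a valid-looking 12-character hash, so it would be safer to let those errors fail the step. If the image build copies rootfs wholesale, the same files should presumably be excluded from the build context too, which is not visible here. The step's script continues outside the hunk.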