# Scanner Release Determinism Checklist

Completes SCAN-DETER-186-010 by ensuring every release ships a reproducibility bundle.
## What to publish

- `determinism.json` generated by the harness (scores, non-deterministic artefacts, thresholds).
- `surface/determinism.json` copied from worker surface manifests (pins + runtime toggles + payload hashes).
- Canonical artefacts per run (`run_i/*.json`) and diffs for divergent runs.
## Where to publish

- Object store bucket configured for releases (same as reports), prefix: `determinism/<release>/`.
- CAS-style paths: `cas://determinism/<head>/<sha>.tar.zst` for bundle archives.
- Link from release notes and offline kit manifests.
## How to generate

- Run the determinism harness (SCAN-DETER-186-009) against the release image with frozen clock/seed/concurrency and pinned feeds/policy.
- Export the bundle using the harness CLI (pending) or the helper script `scripts/scanner/determinism-run.sh`.
- Copy the worker-emitted `determinism.json` from the surface manifest cache into `surface/determinism.json` inside the bundle for cross-checks.
- Sign bundles with DSSE (determinism predicate) and, if enabled, submit to Rekor.
## Acceptance gates

- Overall score >= 0.95 and per-image score >= 0.90.
- All bundle files present: `determinism.json`, `surface/determinism.json`, `run_*`, `diffs/` (may be empty when fully deterministic).
- Hashes in `surface/determinism.json` match the hashes in the `determinism.json` baseline artefacts.
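The three gates above as a runnable pre-publish check. This is an added example, not the harness's own code: the bundle layout follows this checklist, but the JSON field names (`overall_score`, `images`, `artefacts`), the constructed sample scores and the sample hashes are assumptions, since the page does not give the schema.

```python
import json
import tempfile
from pathlib import Path

OVERALL_MIN, PER_IMAGE_MIN = 0.95, 0.90   # thresholds from the acceptance gates

def check_bundle(bundle: Path) -> list[str]:
    """Return gate failures for a bundle directory; an empty list means it passes."""
    failures = [f"missing {rel}" for rel in ("determinism.json", "surface/determinism.json")
                if not (bundle / rel).is_file()]
    if not any(p.is_dir() for p in bundle.glob("run_*")):
        failures.append("no run_* directories")
    if not (bundle / "diffs").is_dir():          # may be empty, but must exist
        failures.append("missing diffs/")
    if failures:                                 # structure gate failed; skip content gates
        return failures
    harness = json.loads((bundle / "determinism.json").read_text())
    surface = json.loads((bundle / "surface" / "determinism.json").read_text())
    if harness["overall_score"] < OVERALL_MIN:
        failures.append(f"overall score {harness['overall_score']} < {OVERALL_MIN}")
    failures += [f"image {img} score {s} < {PER_IMAGE_MIN}"
                 for img, s in harness["images"].items() if s < PER_IMAGE_MIN]
    # Cross-check: every payload hash the worker recorded must equal the harness baseline.
    failures += [f"hash mismatch for {name}"
                 for name, digest in surface["artefacts"].items()
                 if harness["artefacts"].get(name) != digest]
    return failures

def write_sample_bundle(root: Path, tamper: bool = False) -> Path:
    """Write a constructed bundle (fake scores and hashes, assumed field names)."""
    bundle = root / "determinism" / "v1.2.3"
    for d in ("surface", "run_0", "diffs"):
        (bundle / d).mkdir(parents=True)
    artefacts = {"sbom.json": "sha256:" + "ab" * 32}
    (bundle / "determinism.json").write_text(json.dumps(
        {"overall_score": 0.97, "images": {"scanner:v1.2.3": 0.96}, "artefacts": artefacts}))
    worker = dict(artefacts)
    if tamper:
        worker["sbom.json"] = "sha256:" + "cd" * 32   # surface and harness disagree
    (bundle / "surface" / "determinism.json").write_text(json.dumps({"artefacts": worker}))
    return bundle

def run_demo() -> tuple[list[str], list[str]]:
    """Gate a clean constructed bundle and a tampered one; return both failure lists."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = check_bundle(write_sample_bundle(Path(tmp) / "clean"))
        bad = check_bundle(write_sample_bundle(Path(tmp) / "bad", tamper=True))
    return clean, bad
```

Point `check_bundle` at an exported bundle directory and treat a non-empty result as a release blocker.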
## References
- docs/modules/scanner/determinism-score.md
- docs/modules/scanner/deterministic-execution.md
- docs/replay/DETERMINISTIC_REPLAY.md