build: enforce hermetic, reproducible local↔CI parity

- Use pinned Dockerfile.repro and containerized exec for all local/CI tasks
- Deterministic packaging + checksums; update workflows, gitignore/prettierignore, and add changeset

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

Author: davidturnbull

.changeset/reproducible-builds-parity.md

@@ -0,0 +1,10 @@
+---
+"lingo.dev": patch
+"@lingo.dev/_compiler": patch
+"@lingo.dev/_locales": patch
+"@lingo.dev/_sdk": patch
+"@lingo.dev/_spec": patch
+"@lingo.dev/_react": patch
+---
+
+Adopt fully hermetic, reproducible builds with containerized local/CI parity; deterministic packaging and checksums; containerized PR/release workflows.

.github/workflows/lingodotdev.yml

@@ -45,21 +45,31 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Use Node.js
-        uses: actions/setup-node@v2
-        with:
-          node-version: "20"
+      - name: Build hermetic image
+        run: docker build -f Dockerfile.repro -t lingo-repro:20.12.2 .
+
+      - name: Prepare pnpm store path
+        run: echo "REPRO_PNPM_STORE=${{ runner.temp }}/pnpm-store" >> $GITHUB_ENV
 
-      - name: Lingo.dev
-        uses: ./
+      - name: Cache pnpm store
+        uses: actions/cache@v3
         with:
-          api-key: ${{ secrets.LINGODOTDEV_API_KEY }}
-          version: ${{ inputs.version }}
-          pull-request: ${{ inputs['pull-request'] }}
-          commit-message: ${{ inputs['commit-message'] }}
-          pull-request-title: ${{ inputs['pull-request-title'] }}
-          working-directory: ${{ inputs['working-directory'] }}
-          process-own-commits: ${{ inputs['process-own-commits'] }}
-          parallel: ${{ inputs.parallel }}
+          path: ${{ env.REPRO_PNPM_STORE }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
+
+      - name: Lingo.dev (container)
         env:
           GH_TOKEN: ${{ github.token }}
+          LINGODOTDEV_API_KEY: ${{ secrets.LINGODOTDEV_API_KEY }}
+        run: |
+          REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh \
+            npx lingo.dev@${{ inputs.version }} ci \
+              --api-key "$LINGODOTDEV_API_KEY" \
+              --pull-request "${{ inputs['pull-request'] }}" \
+              --commit-message "${{ inputs['commit-message'] }}" \
+              --pull-request-title "${{ inputs['pull-request-title'] }}" \
+              --working-directory "${{ inputs['working-directory'] }}" \
+              --process-own-commits "${{ inputs['process-own-commits'] }}" \
+              --parallel ${{ inputs.parallel }}

.github/workflows/pr-check.yml

@@ -30,47 +30,38 @@ jobs:
             exit 0
           fi
 
-      - name: Use Node.js
-        uses: actions/setup-node@v2
-        with:
-          node-version: 20.12.2
+      - name: Build hermetic image
+        run: docker build -f Dockerfile.repro -t lingo-repro:20.12.2 .
 
-      - name: Install pnpm
-        uses: pnpm/action-setup@v4
-        id: pnpm-install
-        with:
-          version: 9.12.3
-          run_install: false
+      - name: Prepare pnpm store path
+        run: echo "REPRO_PNPM_STORE=${{ runner.temp }}/pnpm-store" >> $GITHUB_ENV
 
-      - name: Configure pnpm cache
-        id: pnpm-cache
-        run: echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT
-      - uses: actions/cache@v3
+      - name: Cache pnpm store
+        uses: actions/cache@v3
         with:
-          path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}
+          path: ${{ env.REPRO_PNPM_STORE }}
           key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
           restore-keys: |
             ${{ runner.os }}-pnpm-store-
 
-      - name: Install deps
-        run: pnpm install
+      - name: Mark repo as safe for git inside container
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh git config --global --add safe.directory /workspace
 
-      - name: Setup
-        run: |
-          pnpm turbo telemetry disable
+      - name: Install deps (container)
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm install --frozen-lockfile
 
-      - name: Configure Turbo cache
-        uses: dtinth/setup-github-actions-caching-for-turbo@v1
+      - name: Disable turbo telemetry (container)
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm turbo telemetry disable
 
-      - name: Check formatting
-        run: pnpm format:check
+      - name: Check formatting (container)
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm format:check
 
-      - name: Build
-        run: pnpm turbo build --force
+      - name: Build (container)
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm turbo build --force
 
-      - name: Test
-        run: pnpm turbo test --force
+      - name: Test (container)
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm turbo test --force
 
-      - name: Require changeset to be present in PR
+      - name: Require changeset to be present in PR (container)
         if: github.event.pull_request.user.login != 'dependabot[bot]'
-        run: pnpm changeset status --since origin/main
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm changeset status --since origin/main

.github/workflows/release.yml

@@ -35,61 +35,55 @@ jobs:
             exit 0
           fi
 
-      - name: Use Node.js
-        uses: actions/setup-node@v2
-        with:
-          node-version: 20.12.2
+      - name: Build hermetic image
+        run: docker build -f Dockerfile.repro -t lingo-repro:20.12.2 .
 
-      - name: Install pnpm
-        uses: pnpm/action-setup@v4
-        id: pnpm-install
-        with:
-          version: 9.12.3
-          run_install: false
+      - name: Prepare pnpm store path
+        run: echo "REPRO_PNPM_STORE=${{ runner.temp }}/pnpm-store" >> $GITHUB_ENV
 
-      - name: Configure pnpm cache
-        id: pnpm-cache
-        run: echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT
-      - uses: actions/cache@v3
+      - name: Cache pnpm store
+        uses: actions/cache@v3
         with:
-          path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}
+          path: ${{ env.REPRO_PNPM_STORE }}
           key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
           restore-keys: |
             ${{ runner.os }}-pnpm-store-
 
-      - name: Install deps
-        run: pnpm install
+      - name: Install deps (container)
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm install --frozen-lockfile
 
-      - name: Lingo.dev
+      - name: Lingo.dev (container)
         if: ${{ !inputs.skip_lingo }}
-        uses: ./
-        with:
-          api-key: ${{ secrets.LINGODOTDEV_API_KEY }}
-          pull-request: true
-          parallel: true
         env:
           GH_TOKEN: ${{ github.token }}
-
-      - name: Setup
+          LINGODOTDEV_API_KEY: ${{ secrets.LINGODOTDEV_API_KEY }}
         run: |
-          pnpm turbo telemetry disable
+          REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh \
+            npx lingo.dev@latest ci \
+              --api-key "$LINGODOTDEV_API_KEY" \
+              --pull-request "true" \
+              --commit-message "feat: update translations via @LingoDotDev" \
+              --pull-request-title "feat: update translations via @LingoDotDev" \
+              --working-directory "." \
+              --process-own-commits "false" \
+              --parallel true
 
-      - name: Configure Turbo cache
-        uses: dtinth/setup-github-actions-caching-for-turbo@v1
+      - name: Disable turbo telemetry (container)
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm turbo telemetry disable
 
-      - name: Build
-        run: pnpm turbo build --force
+      - name: Build (container)
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm turbo build --force
 
-      - name: Test
-        run: pnpm turbo test --force
+      - name: Test (container)
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm turbo test --force
 
       - name: Create Release Pull Request or Publish to npm
         id: changesets
         uses: changesets/action@v1
         with:
           title: "chore: bump package versions"
-          version: pnpm changeset version
-          publish: pnpm changeset publish
+          version: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm changeset version
+          publish: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm changeset publish
           commit: "chore: bump package version"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/reproducible-build.yml

@@ -0,0 +1,43 @@
+name: Reproducible Build
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches: [main]
+
+jobs:
+  reproducible:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Build hermetic image
+        run: docker build -f Dockerfile.repro -t lingo-repro:20.12.2 .
+
+      - name: Prepare pnpm store path
+        run: echo "REPRO_PNPM_STORE=${{ runner.temp }}/pnpm-store" >> $GITHUB_ENV
+
+      - name: Cache pnpm store
+        uses: actions/cache@v3
+        with:
+          path: ${{ env.REPRO_PNPM_STORE }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
+
+      - name: Run hermetic build
+        env:
+          GIT_COMMIT: ${{ github.sha }}
+        run: |
+          REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh bash scripts/repro/build.sh
+
+      - name: Upload canonical artifact and checksums
+        uses: actions/upload-artifact@v4
+        with:
+          name: reproducible-artifacts-${{ github.sha }}
+          path: out/*

.gitignore

@@ -4,6 +4,7 @@
 node_modules
 .pnp
 .pnp.js
+.pnpm-store/
 
 # Local env files
 .env

.prettierignore

@@ -3,6 +3,7 @@ pnpm-lock.yaml
 packages/cli/demo/
 build/
 dist/
+.pnpm-store/
 .react-router/
 .turbo/
 .next/

Dockerfile.repro

@@ -0,0 +1,26 @@
+FROM node:20.12.2-bookworm-slim
+
+# Pinned, hermetic build environment for reproducible builds
+ENV DEBIAN_FRONTEND=noninteractive \
+    TZ=UTC \
+    LC_ALL=C \
+    LANG=C \
+    PNPM_HOME=/usr/local/pnpm
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
+      bash git ca-certificates tzdata coreutils findutils gawk curl xz-utils \
+      tar gzip bzip2 \
+    && rm -rf /var/lib/apt/lists/*
+
+ENV PATH=$PNPM_HOME:$PATH
+
+# Pin pnpm via corepack
+RUN corepack enable \
+    && corepack prepare pnpm@9.12.3 --activate
+
+WORKDIR /workspace
+
+# Intentionally no COPY; repository will be bind-mounted at runtime
+
+ENTRYPOINT ["bash", "-lc"]

package.json

@@ -9,7 +9,12 @@
     "new": "changeset",
     "new:empty": "changeset --empty",
     "format": "prettier . --write",
-    "format:check": "prettier . --check"
+    "format:check": "prettier . --check",
+    "repro:build": "bash scripts/repro/local.sh",
+    "repro:exec": "bash scripts/repro/exec.sh",
+    "repro:typecheck": "bash scripts/repro/exec.sh pnpm typecheck",
+    "repro:test": "bash scripts/repro/exec.sh pnpm test",
+    "repro:format:check": "bash scripts/repro/exec.sh pnpm format:check"
   },
   "devDependencies": {
     "@babel/generator": "^7.27.1",

packages/cli/tsup.config.ts

@@ -20,6 +20,10 @@ export default defineConfig({
   splitting: true,
   bundle: true,
   sourcemap: true,
+  esbuildOptions(options) {
+    options.legalComments = "none";
+    options.absWorkingDir = process.cwd();
+  },
   external: ["readline/promises", "@babel/traverse", "node-machine-id"],
   outExtension: (ctx) => ({
     js: ctx.format === "cjs" ? ".cjs" : ".mjs",