by FrasiertheLion
92 days ago
We don't have reproducible builds because we attest the full OS image that we run, which is the Ubuntu image. Unfortunately bit-by-bit reproducible binaries for OS images are kind of an unsolved problem, because it requires the hundreds of package maintainers across all dependencies to eliminate any sources of non-determinism in the compilation. Things like timestamps and file reordering are very common and even one of these changes the entire hash. So we do the next best thing. We decide to trust GitHub and rely on GitHub Actions to faithfully execute the build pipeline. We also make sure to pin all images and dependencies.
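An added example, not part of the comment above and not the commenter's build pipeline: it shows how a changed timestamp or a changed file order alone alters the hash of an archive with identical contents, and how sorting entries and fixing timestamps removes the difference. The file names, contents and helper names are constructed for illustration.

```python
import hashlib
import io
import tarfile

# Constructed sample "build output"; names and contents are made up.
FILES = {"bin/app": b"\x7fELF-constructed", "etc/app.conf": b"port=8080\n"}


def build_archive(files, order, mtime, normalize=False):
    """Return the SHA-256 of an uncompressed tar built from `files`.

    `order` and `mtime` model what varies between two runs of the same
    build: directory listing order and wall-clock time. With
    normalize=True, entries are sorted and the timestamp is fixed.
    """
    names = sorted(order) if normalize else list(order)
    buf = io.BytesIO()
    # Pin the tar format so the bytes do not depend on library defaults.
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = 0 if normalize else mtime
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(files[name]))
    return hashlib.sha256(buf.getvalue()).hexdigest()


def compare_runs(normalize):
    """Hash three builds of the same files that differ only in metadata."""
    base = ["bin/app", "etc/app.conf"]
    run_a = build_archive(FILES, base, mtime=1700000000, normalize=normalize)
    # Same order, built one minute later.
    run_b = build_archive(FILES, base, mtime=1700000060, normalize=normalize)
    # Same time, files enumerated in the opposite order.
    run_c = build_archive(FILES, base[::-1], mtime=1700000000, normalize=normalize)
    return run_a, run_b, run_c


if __name__ == "__main__":
    for normalize in (False, True):
        hashes = compare_runs(normalize)
        print(f"normalize={normalize}: {len(set(hashes))} distinct hash(es)")
        for h in hashes:
            print("  ", h)
```

An OS image multiplies this across every package and build tool in the dependency tree, each of which has to apply the same normalization before the final hash is stable.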