Checklist
Description
Introduce lock file-based dependency version pinning for both native and Docker setups to ensure reproducible builds. Currently, ROS APT packages, system APT packages, Python packages, Docker base images, and ROS 2 APT source versions are resolved dynamically at build time, making builds non-reproducible across different dates.
The approach adds an opt-in --locked flag to setup-dev-env.sh (and USE_LOCKFILE=true build arg for Docker) that loads pre-generated lock files containing exact package versions. Default behavior remains unchanged.
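The lock-file check described above, as an added example that is not part of this PR or of Autoware's own setup scripts. It assumes a lock format of one `<package>=<version>` per line (the form `apt-get install` itself accepts, so the same file can drive installation), a dpkg-style `<package> <version>` listing of what is installed, and the hypothetical function names `check_lock`, `gen_lock` and `from_is_pinned`; the package data and the all-zero image digest are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Autoware's code): validate an environment against an APT
# lock file, regenerate a lock deterministically, and verify that a Dockerfile
# FROM line pins its base image by digest rather than by a mutable tag.

# Constructed sample data: a lock file and a "<package> <version>" listing as
# dpkg-query would print it. Versions are made up for the demo.
LOCK_CONTENT='ros-humble-ros-base=0.10.0-1jammy
python3-pip=22.0.2+dfsg-1ubuntu0.4
libfoo=1.2.3-1'

INSTALLED_CONTENT='ros-humble-ros-base 0.10.0-1jammy
python3-pip 22.0.2+dfsg-1ubuntu0.3
libbar 9.9'

# check_lock LOCKFILE INSTALLED_LIST
# Prints one line per deviation ("DRIFT ..." or "MISSING ...") and returns 1
# if any locked package is absent or installed at a different version.
# A clean run prints nothing and returns 0; a locked build should gate on that.
check_lock() {
    lock="$1"
    inst="$2"
    status=0
    while IFS='=' read -r pkg want; do
        # skip blank lines and comments in the lock file
        case "$pkg" in ''|'#'*) continue ;; esac
        have=$(awk -v p="$pkg" '$1 == p { print $2 }' "$inst")
        if [ -z "$have" ]; then
            echo "MISSING $pkg (locked $want)"
            status=1
        elif [ "$have" != "$want" ]; then
            echo "DRIFT $pkg installed=$have locked=$want"
            status=1
        fi
    done < "$lock"
    return "$status"
}

# gen_lock INSTALLED_LIST
# Turns a "<package> <version>" listing into lock-file lines, sorted under a
# fixed locale so regenerating from the same environment yields a byte-identical
# file (a diff of the lock then shows exactly which pins changed).
# On a real host the listing comes from: dpkg-query -W -f='${Package} ${Version}\n'
gen_lock() {
    awk '{ print $1 "=" $2 }' "$1" | LC_ALL=C sort
}

# from_is_pinned FROM_LINE
# Returns 0 only if the FROM line references the image by a sha256 digest.
# A tag such as ubuntu:22.04 can be re-pushed to different content; a digest
# cannot, which is what makes the Docker side of the build reproducible.
from_is_pinned() {
    printf '%s\n' "$1" |
        grep -Eq '^FROM[[:space:]]+[^[:space:]]+@sha256:[0-9a-f]{64}([[:space:]]|$)'
}

# Stand-alone demo over the constructed data.
main() {
    d=$(mktemp -d)
    printf '%s\n' "$LOCK_CONTENT" > "$d/apt.lock"
    printf '%s\n' "$INSTALLED_CONTENT" > "$d/installed.txt"
    if check_lock "$d/apt.lock" "$d/installed.txt"; then
        echo "environment matches lock"
    else
        echo "environment drifted from lock"
    fi
    # dummy digest: 64 zeros, not a real image
    if from_is_pinned "$(printf 'FROM ubuntu:22.04@sha256:%064d' 0)"; then
        echo "base image is digest-pinned"
    fi
    rm -rf "$d"
}
main
```

In a `--locked` run the installed listing would come from `dpkg-query`, and a non-zero exit from `check_lock` should fail the build rather than warn, since a silently drifted package defeats the point of the lock. `from_is_pinned` is the check to run over every `FROM` line in the Dockerfiles when `USE_LOCKFILE` is enabled; the same idea applies to the ROS 2 APT source, where pointing at a dated `snapshots.ros.org` repository plays the role the digest plays for the image.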
Design proposal: https://github.com/orgs/autowarefoundation/discussions/6861
Purpose
- Enable reproducible release builds: same commit always produces the same build environment
- Support reliable release management and regression debugging
- Maintain developer flexibility (latest packages by default, locked versions opt-in)
Possible approaches
See the design proposal for the full comparison. The selected approach is the lock file method for both native (Ansible lock files) and Docker (lock files plus base image digest pinning), chosen for its low implementation and operational cost and its high compatibility with the existing infrastructure.
Definition of done
- --locked option to setup-dev-env.sh, create lock file generation/validation scripts, and generate initial template lock files
- use_locked_versions is set, with snapshots.ros.org support for ROS packages
- USE_LOCKFILE support to Dockerfiles, pin base image digests, and add --locked flag to docker/build.sh