Make building Bazel more hermetic.
The -X option removes UID/GID information from the zip file, which of course is non-hermetic. There is still some weirdness with install_base_key, but I couldn't figure out what that is: the files that are checksummed are always the same and they are in the same order.
--
MOS_MIGRATED_REVID=107484288
diff --git a/src/BUILD b/src/BUILD
index 441bf60..f88c1c7 100644
--- a/src/BUILD
+++ b/src/BUILD
@@ -1,6 +1,6 @@
# Packaging
-md5_cmd = "set -e -o pipefail && cat $(SRCS) | %s | awk '{ print $$1; }' > $@"
+md5_cmd = "set -e -o pipefail && cat $(SRCS) | sort | %s | awk '{ print $$1; }' > $@"
# TODO(bazel-team): find a better way to handle dylib extensions.
filegroup(
diff --git a/src/create_embedded_tools.sh b/src/create_embedded_tools.sh
index 89375fc..2abd269 100755
--- a/src/create_embedded_tools.sh
+++ b/src/create_embedded_tools.sh
@@ -39,4 +39,4 @@
mv "$i" "$(dirname "$i")/BUILD"
done
find "${PACKAGE_DIR}" -exec touch -t 198001010000.00 '{}' ';'
-(cd "${PACKAGE_DIR}" && zip -qrD "${OUTPUT}" *)
+(cd "${PACKAGE_DIR}" && find . -type f | sort | zip -qDX@ "${OUTPUT}")
diff --git a/src/package-bazel.sh b/src/package-bazel.sh
index 9181d81..27d0f5e 100755
--- a/src/package-bazel.sh
+++ b/src/package-bazel.sh
@@ -42,4 +42,4 @@
(cd ${PACKAGE_DIR}/embedded_tools && unzip -q ${WORKDIR}/${EMBEDDED_TOOLS})
fi
-(cd ${PACKAGE_DIR}; zip -qrD ${WORKDIR}/${OUT} *)
+(cd ${PACKAGE_DIR} && find . -type f | sort | zip -qDX@ ${WORKDIR}/${OUT})
