fix: prevent cache pollution from builds without git metadata

CRITICAL FIX: The previous silent fallback to epoch 0 when commit is empty
caused cache pollution. Same source code would produce different checksums
depending on whether it was built from git clone or source tarball.

Changes:
1. **Fail fast in production**: Return error if no git commit and no SOURCE_DATE_EPOCH
2. **Support SOURCE_DATE_EPOCH**: Explicit override for reproducible builds
3. **Test environment detection**: Allow epoch fallback only in test binaries
4. **Clear error messages**: Guide users to fix their build environment

Why this matters:
- Prevents cache pollution (same source → different checksums)
- Maintains cache hit rates across build environments
- Forces proper git metadata in production builds
- Supports reproducible builds via SOURCE_DATE_EPOCH

Test environment detection:
- Checks if binary ends with '.test' (go test)
- Checks LEEWAY_TEST_MODE environment variable
- Only allows epoch fallback in tests

This ensures cache consistency and prevents silent failures that would
degrade cache performance over time.

Co-authored-by: Ona <[email protected]>

Author: leodido

pkg/leeway/build.go

@@ -2401,12 +2401,30 @@ func createDockerExportMetadata(wd, version string, cfg DockerPkgConfig) error {
 
 // getDeterministicMtime returns the Unix timestamp to use for tar --mtime flag.
 // It uses the same timestamp source as SBOM normalization for consistency.
-// If no git commit is available (e.g., in test fixtures), returns 0 (Unix epoch).
+// For test environments, returns 0 (Unix epoch) when git is unavailable.
+// For production, fails fast to prevent cache pollution.
 func (p *Package) getDeterministicMtime() (int64, error) {
 	commit := p.C.Git().Commit
 	if commit == "" {
-		// No git commit available (e.g., test fixtures) - use Unix epoch for determinism
-		return 0, nil
+		// Try SOURCE_DATE_EPOCH first (explicit override for reproducible builds)
+		if epoch := os.Getenv("SOURCE_DATE_EPOCH"); epoch != "" {
+			timestamp, err := strconv.ParseInt(epoch, 10, 64)
+			if err != nil {
+				return 0, fmt.Errorf("invalid SOURCE_DATE_EPOCH: %w", err)
+			}
+			return timestamp, nil
+		}
+		
+		// Check if we're in a test environment
+		if isTestEnvironment() {
+			// Test fixtures don't have git - use epoch for determinism
+			return 0, nil
+		}
+		
+		// Production build without git is an error - prevents cache pollution
+		return 0, fmt.Errorf("no git commit available for deterministic mtime. "+
+			"Ensure repository is properly cloned with git history, or set SOURCE_DATE_EPOCH environment variable. "+
+			"Building from source tarballs without git metadata will cause cache inconsistencies")
 	}
 
 	timestamp, err := getGitCommitTimestamp(context.Background(), commit)
@@ -2418,6 +2436,22 @@ func (p *Package) getDeterministicMtime() (int64, error) {
 	return timestamp.Unix(), nil
 }
 
+// isTestEnvironment detects if we're running in a test context.
+// This allows test fixtures to use epoch fallback without polluting production cache.
+func isTestEnvironment() bool {
+	// Check if running as a test binary (compiled with go test)
+	if strings.HasSuffix(os.Args[0], ".test") {
+		return true
+	}
+	
+	// Check for explicit test mode environment variable
+	if os.Getenv("LEEWAY_TEST_MODE") == "true" {
+		return true
+	}
+	
+	return false
+}
+
 // Update buildGeneric to use compression arg helper
 func (p *Package) buildGeneric(buildctx *buildContext, wd, result string) (res *packageBuild, err error) {
 	cfg, ok := p.Config.(GenericPkgConfig)

pkg/leeway/compression_test.go

@@ -1,6 +1,7 @@
 package leeway
 
 import (
+	"os"
 	"strings"
 	"testing"
 )
@@ -163,3 +164,31 @@ func TestBuildTarCommand_MtimeWithOtherOptions(t *testing.T) {
 		}
 	}
 }
+
+func TestIsTestEnvironment(t *testing.T) {
+	// This test itself should be detected as a test environment
+	if !isTestEnvironment() {
+		t.Error("isTestEnvironment() should return true when running in test binary")
+	}
+	
+	// Test with explicit environment variable
+	originalEnv := os.Getenv("LEEWAY_TEST_MODE")
+	defer func() {
+		if originalEnv != "" {
+			os.Setenv("LEEWAY_TEST_MODE", originalEnv)
+		} else {
+			os.Unsetenv("LEEWAY_TEST_MODE")
+		}
+	}()
+	
+	os.Setenv("LEEWAY_TEST_MODE", "true")
+	if !isTestEnvironment() {
+		t.Error("isTestEnvironment() should return true when LEEWAY_TEST_MODE=true")
+	}
+	
+	os.Setenv("LEEWAY_TEST_MODE", "false")
+	// Should still be true because we're in a test binary
+	if !isTestEnvironment() {
+		t.Error("isTestEnvironment() should return true when running in test binary (even if LEEWAY_TEST_MODE=false)")
+	}
+}