Constellation CLI is not always reproducible

### Issue description

The build process for the `constellation` binary is not deterministic.

The CLI embeds an OCI image manifest hash for `ghcr.io/edgelesssys/constellation/qemu-metadata-api`. One of the layers consists of files from the Nix store. Depending on the optimisation settings of the Nix store, some files may or may not be hard links to others, resulting in a diff in the layer tarball. 

Workaround: try to stick close to the [reproducible builds workflow](https://github.com/edgelesssys/constellation/blob/96ac7124e3c9912f30a45bc0c061b570ff2d54d9/.github/workflows/reproducible-builds.yml#L17).

### Steps to reproduce the behavior

1. Start a new Ubuntu 24.04 VM.
2. Install Bazel (e.g. download binary from Github releases).
3. Install Nix with the https://github.com/DeterminateSystems/nix-installer (which configures `auto-optimise-store = true`).
4. Clone the repo and check out a released tag.
5. Build the CLI (e.g. `bazel build //cli:cli_enterprise_linux_amd64`).
6. Compare to the released binary.

### Version

This affects v2.19.0 and older releases.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Constellation CLI is not always reproducible #3453

Issue description

Steps to reproduce the behavior

Version

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Constellation CLI is not always reproducible #3453

Description

Issue description

Steps to reproduce the behavior

Version

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions