May 21, 2021
So, for the example given, it works as explained here. But if I pick (say) the java-maven example, I get a different SHA256 every time. I'm guessing this is because the compiled .class files will have a different timestamp each time I run the build. If that's the case, how reproducible are the builds really? Unless you have run-time interpreted source code (like bash or Python), most builds will involve a compile step and are therefore not really reproducible in the strict sense used here.
Am I missing something, or am I right to be skeptical?
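An added illustration, not part of the comment above or of the project's own code: a jar is a zip archive whose entries each carry a modification time, so two archives with byte-identical contents hash differently until those timestamps (and the entry order) are pinned. The file names, bytes and the fixed timestamp below are constructed for the example, and it does not claim to reproduce what the java-maven example does.

```python
import hashlib
import io
import zipfile

# Constructed sample: stand-ins for compiled build outputs (not real .class files).
FILES = {
    "com/example/App.class": b"\xca\xfe\xba\xbe constructed bytes",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n",
}
FIXED_MTIME = (1980, 1, 1, 0, 0, 0)  # assumption: any constant timestamp works


def build_archive(files, mtime):
    """Pack files into a jar-style zip, stamping every entry with mtime."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):  # fixed entry order
            info = zipfile.ZipInfo(name, date_time=mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # fixed permissions
            zf.writestr(info, files[name])
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def normalize(archive_bytes, mtime=FIXED_MTIME):
    """Rewrite an archive with constant entry timestamps and sorted order."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        files = {name: zf.read(name) for name in zf.namelist()}
    return build_archive(files, mtime)


def demo():
    # Two "builds" of the same contents, a few minutes apart.
    run1 = build_archive(FILES, (2021, 5, 21, 10, 0, 0))
    run2 = build_archive(FILES, (2021, 5, 21, 10, 5, 30))
    return {
        "raw_equal": sha256(run1) == sha256(run2),
        "normalized_equal": sha256(normalize(run1)) == sha256(normalize(run2)),
    }


if __name__ == "__main__":
    print(demo())
```
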