
> We cannot reproduce your source

This is the biggest issue we had, and we had to add a decent bit of complexity to our builds to support reproducible builds in the exact way they want. But the silly part is that our extension involves building a wasm file from Rust, and after some back and forth it turned out that they don't require it to be reproducible (despite being the core of our extension and containing 99% of our logic), which honestly feels like it defeats the point - who cares if JS reproduces if you can hide any arbitrary possibly-malicious code in wasm.

For a while we were seriously considering putting our prebuilt wasm in the source package or on npm, just to make the "reproducible build" on the AMO side simpler, despite this making it even further from how it's actually built.




What kind of harmful code could you put in WASM? You could return a string that you eval on the JavaScript side, so the reviewers could possibly ask for the WASM source if they saw the eval, but other than that the purpose of WASM is to be a safe sandbox after all, right?


I'm not familiar with the security guarantees of WASM in the browser, but I imagine they're more along the lines of preventing data exfiltration from the browser/OS; it would be difficult to prevent something like abusing your CPU resources to mine Bitcoin in the background, for example.


One way to protect yourself from Bitcoin mining is to not give a WASM program access both to get incoming data and to send data to a 3rd-party server. Another possibility is to threshold computation power on the WASM interpreter so that there's a limit on opcodes processed.
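Added example, not part of the thread or any commenter's code: the first mitigation in the comment above, written as a check on a module's declared imports before it is instantiated. The capability names (`env.read_page`, `env.read_storage`, `env.http_send`) and the module bytes are constructed for illustration.

```javascript
const enc = new TextEncoder();

// Unsigned LEB128, used for every length and count in the wasm binary format.
function uleb(n) {
  const out = [];
  do {
    let b = n & 0x7f;
    n >>>= 7;
    if (n !== 0) b |= 0x80;
    out.push(b);
  } while (n !== 0);
  return out;
}

const name = (s) => { const b = [...enc.encode(s)]; return [...uleb(b.length), ...b]; };
const section = (id, body) => [id, ...uleb(body.length), ...body];

// Build a constructed module that only declares function imports (no code).
function buildModule(imports) {
  const types = section(1, [1, 0x60, 0, 0]); // one type: () -> ()
  const entries = imports.flatMap(([m, f]) => [...name(m), ...name(f), 0x00, 0x00]);
  const imp = section(2, [...uleb(imports.length), ...entries]);
  return new Uint8Array([0x00, 0x61, 0x73, 0x6d, 1, 0, 0, 0, ...types, ...imp]);
}

// Hypothetical capability names a host might expose to extension wasm.
const SOURCES = new Set(["env.read_page", "env.read_storage"]);
const SINKS = new Set(["env.http_send"]);

// Compiling validates the bytes but runs nothing; imports are read from the module.
function auditImports(bytes) {
  const mod = new WebAssembly.Module(bytes);
  const wanted = WebAssembly.Module.imports(mod).map((i) => `${i.module}.${i.name}`);
  const sources = wanted.filter((w) => SOURCES.has(w));
  const sinks = wanted.filter((w) => SINKS.has(w));
  const unknown = wanted.filter((w) => !SOURCES.has(w) && !SINKS.has(w));
  // Deny unknown capabilities, and deny any module that wants to both read and send.
  const allowed = unknown.length === 0 && !(sources.length > 0 && sinks.length > 0);
  return { wanted, sources, sinks, unknown, allowed };
}

const benign = buildModule([["env", "read_page"]]);
const risky = buildModule([["env", "read_page"], ["env", "http_send"]]);
console.log(auditImports(benign).allowed, auditImports(risky).allowed);
```

The check covers only what the module itself can call; what the JavaScript glue does with values the module returns (the `eval` case raised earlier in the thread) still has to be reviewed separately.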



