eeymoo/claw-code
1
0
Fork 0
mirror of https://github.com/instructkr/claw-code.git synced 2026-05-18 21:41:26 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix(scripts): inject GIT_SHA in dogfood-build.sh so provenance check passes

Browse Source 
cargo build without GIT_SHA env var → option_env!("GIT_SHA") = None
→ version JSON returns git_sha:null → dogfood-build.sh fails its own
provenance check every time.

Fix: pass GIT_SHA=$(git rev-parse --short HEAD) to cargo build.
The script now:
  1. Sets GIT_SHA to current HEAD before cargo build
  2. Reads git_sha from the built binary
  3. Compares against HEAD — fails if still null or mismatched

Also adds latency note: cargo run = ~1s overhead/invocation vs 7ms
for pre-built binary; pre-built is recommended for dogfood loops.

Closes the broken provenance check introduced in the initial
dogfood-build.sh commit.
This commit is contained in:
YeonGyu-Kim
2026-05-05 06:34:29 +09:00
parent d074d1c046
commit dbb1423164
1 changed files with 10 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
scripts/dogfood-build.sh
View File

@@ -1,5 +1,6 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# dogfood-build.sh — Build claw from current checkout and verify provenance. # dogfood-build.sh — Build claw from current checkout and verify provenance.
# Injects GIT_SHA at build time so version JSON is non-null.
# Usage: bash scripts/dogfood-build.sh # Usage: bash scripts/dogfood-build.sh
# On success: prints the verified binary path. Use as: # On success: prints the verified binary path. Use as:
# CLAW=$(bash scripts/dogfood-build.sh) && $CLAW version --output-format json # CLAW=$(bash scripts/dogfood-build.sh) && $CLAW version --output-format json
@@ -11,7 +12,11 @@ BINARY="$RUST_DIR/target/debug/claw"
EXPECTED_SHA="$(git -C "$REPO_ROOT" rev-parse --short HEAD)" EXPECTED_SHA="$(git -C "$REPO_ROOT" rev-parse --short HEAD)"
echo "▶ Building claw from $REPO_ROOT ($(git -C "$REPO_ROOT" log --oneline -1))..." >&2 echo "▶ Building claw from $REPO_ROOT ($(git -C "$REPO_ROOT" log --oneline -1))..." >&2
cargo build --manifest-path "$RUST_DIR/Cargo.toml" -p rusty-claude-cli -q # Inject GIT_SHA so that version --output-format json returns a non-null sha.
# Without this, option_env!("GIT_SHA") in main.rs always yields None → null.
GIT_SHA="$EXPECTED_SHA" cargo build \
--manifest-path "$RUST_DIR/Cargo.toml" \
-p rusty-claude-cli -q
if [[ ! -x "$BINARY" ]]; then if [[ ! -x "$BINARY" ]]; then
echo "✗ Build succeeded but binary not found at $BINARY" >&2 echo "✗ Build succeeded but binary not found at $BINARY" >&2
@@ -19,10 +24,12 @@ if [[ ! -x "$BINARY" ]]; then
fi fi
BINARY_SHA=$("$BINARY" version --output-format json 2>/dev/null \ BINARY_SHA=$("$BINARY" version --output-format json 2>/dev/null \
| python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('git_sha','null'))" 2>/dev/null || echo "null") | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('git_sha') or 'null')" 2>/dev/null \
|| echo "null")
if [[ "$BINARY_SHA" == "null" || -z "$BINARY_SHA" ]]; then if [[ "$BINARY_SHA" == "null" || -z "$BINARY_SHA" ]]; then
echo "✗ Provenance check failed: binary reports git_sha: null" >&2 echo "✗ Provenance check failed: binary reports git_sha: null" >&2
echo " Ensure GIT_SHA is passed to cargo build (this script does it automatically)." >&2
echo " Binary: $BINARY" >&2 echo " Binary: $BINARY" >&2
exit 1 exit 1
fi fi
@@ -34,5 +41,6 @@ if [[ "$BINARY_SHA" != "$EXPECTED_SHA" ]]; then
fi fi
echo "✓ Binary verified: $BINARY_SHA == HEAD ($EXPECTED_SHA)" >&2 echo "✓ Binary verified: $BINARY_SHA == HEAD ($EXPECTED_SHA)" >&2
echo " cargo run alternative: ~1s overhead per invocation (vs 7ms for pre-built)" >&2
echo " To dogfood: export CLAW=$BINARY" >&2 echo " To dogfood: export CLAW=$BINARY" >&2
echo "$BINARY" echo "$BINARY"