From dbb14231644b9b6bdb37e1be17b9baed26d6cef8 Mon Sep 17 00:00:00 2001 From: YeonGyu-Kim Date: Tue, 5 May 2026 06:34:29 +0900 Subject: [PATCH] fix(scripts): inject GIT_SHA in dogfood-build.sh so provenance check passes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit cargo build without GIT_SHA env var → option_env!("GIT_SHA") = None → version JSON returns git_sha:null → dogfood-build.sh fails its own provenance check every time. Fix: pass GIT_SHA=$(git rev-parse --short HEAD) to cargo build. The script now: 1. Sets GIT_SHA to current HEAD before cargo build 2. Reads git_sha from the built binary 3. Compares against HEAD — fails if still null or mismatched Also adds latency note: cargo run = ~1s overhead/invocation vs 7ms for pre-built binary; pre-built is recommended for dogfood loops. Closes the broken provenance check introduced in the initial dogfood-build.sh commit. --- scripts/dogfood-build.sh | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/scripts/dogfood-build.sh b/scripts/dogfood-build.sh index 5617a27e..21ba48eb 100755 --- a/scripts/dogfood-build.sh +++ b/scripts/dogfood-build.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash # dogfood-build.sh — Build claw from current checkout and verify provenance. +# Injects GIT_SHA at build time so version JSON is non-null. # Usage: bash scripts/dogfood-build.sh # On success: prints the verified binary path. Use as: # CLAW=$(bash scripts/dogfood-build.sh) && $CLAW version --output-format json @@ -11,7 +12,11 @@ BINARY="$RUST_DIR/target/debug/claw" EXPECTED_SHA="$(git -C "$REPO_ROOT" rev-parse --short HEAD)" echo "▶ Building claw from $REPO_ROOT ($(git -C "$REPO_ROOT" log --oneline -1))..." >&2 -cargo build --manifest-path "$RUST_DIR/Cargo.toml" -p rusty-claude-cli -q +# Inject GIT_SHA so that version --output-format json returns a non-null sha. +# Without this, option_env!("GIT_SHA") in main.rs always yields None → null. +GIT_SHA="$EXPECTED_SHA" cargo build \ + --manifest-path "$RUST_DIR/Cargo.toml" \ + -p rusty-claude-cli -q if [[ ! -x "$BINARY" ]]; then echo "✗ Build succeeded but binary not found at $BINARY" >&2 @@ -19,10 +24,12 @@ if [[ ! -x "$BINARY" ]]; then fi BINARY_SHA=$("$BINARY" version --output-format json 2>/dev/null \ - | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('git_sha','null'))" 2>/dev/null || echo "null") + | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('git_sha') or 'null')" 2>/dev/null \ + || echo "null") if [[ "$BINARY_SHA" == "null" || -z "$BINARY_SHA" ]]; then echo "✗ Provenance check failed: binary reports git_sha: null" >&2 + echo " Ensure GIT_SHA is passed to cargo build (this script does it automatically)." >&2 echo " Binary: $BINARY" >&2 exit 1 fi @@ -34,5 +41,6 @@ if [[ "$BINARY_SHA" != "$EXPECTED_SHA" ]]; then fi echo "✓ Binary verified: $BINARY_SHA == HEAD ($EXPECTED_SHA)" >&2 +echo " cargo run alternative: ~1s overhead per invocation (vs 7ms for pre-built)" >&2 echo " To dogfood: export CLAW=$BINARY" >&2 echo "$BINARY"