Skip to content

build: make mpc-node repro binary independent of local tags#3441

Merged
gilcu3 merged 1 commit into
mainfrom
3393-reproducible-builds-affected-by-the-existence-of-local-tags
Jun 2, 2026
Merged

build: make mpc-node repro binary independent of local tags#3441
gilcu3 merged 1 commit into
mainfrom
3393-reproducible-builds-affected-by-the-existence-of-local-tags

Conversation

@gilcu3

@gilcu3 gilcu3 commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

Closes #3393

EDIT: verified locally, binary did not change after clearing tags

@gilcu3 gilcu3 linked an issue Jun 2, 2026 that may be closed by this pull request
@gilcu3 gilcu3 marked this pull request as ready for review June 2, 2026 10:02
@claude

claude Bot commented Jun 2, 2026

Copy link
Copy Markdown

PR title type suggestion: This PR changes only a build/deployment script, so the type prefix should probably be build: instead of fix:.
Suggested title: build: make mpc-node repro binary independent of local tags

@gilcu3 gilcu3 force-pushed the 3393-reproducible-builds-affected-by-the-existence-of-local-tags branch from 2a17baa to 2ded4cc Compare June 2, 2026 10:05
@claude

claude Bot commented Jun 2, 2026

Copy link
Copy Markdown

PR title type suggestion: This PR changes only build/deployment scripts, so the type prefix should probably be build: instead of fix:.

Suggested title: build: make mpc-node repro binary independent of local tags

@gilcu3 gilcu3 changed the title fix: make mpc-node repro binary independent of local tags build: make mpc-node repro binary independent of local tags Jun 2, 2026
@claude

claude Bot commented Jun 2, 2026

Copy link
Copy Markdown

Pull request overview

Pins the built crate's GIT_VERSION field to the 7-char commit SHA via the BUILT_OVERRIDE_mpc_node_GIT_VERSION env var so that any local git tags present in the build environment no longer mutate the reproducible mpc-node binary digest. The override is also forwarded into repro-env so it reaches the cargo build inside the container. Closes #3393.

Changes:

  • deployment/build-images.sh: export BUILT_OVERRIDE_mpc_node_GIT_VERSION from ${GIT_COMMIT_HASH:0:7} and pass it through to repro-env.

Reviewed changes

Per-file summary
File Description
deployment/build-images.sh Adds env var override that pins built::GIT_VERSION to the short commit SHA and forwards it into the repro-env invocation.

Findings

Non-blocking (nits, follow-ups, suggestions):

  • deployment/build-images.sh:167 — The override targets only GIT_VERSION. Worth double-checking with cargo expand/strings on a binary built with and without local tags that GIT_VERSION is in fact the only tag-derived constant ending up in .rodata. built also emits GIT_DIRTY (bool, tag-independent) and GIT_COMMIT_HASH{,_SHORT} (pure SHA, tag-independent), so this should be correct, but it would be reassuring if the PR description included before/after binary hashes from a run with git tag v0.0.0-test HEAD proving the digest is now stable.
  • deployment/build-images.sh:167BUILT_OVERRIDE_mpc_node_GIT_VERSION relies on built 0.8.1's convention of BUILT_OVERRIDE_<pkg_with_hyphens_replaced_by_underscores>_<FIELD> using the literal Cargo name casing. The Cargo.toml has name = "mpc-node", so lowercase mpc_node matches; just flagging this for verification since a casing mismatch would silently no-op rather than fail loudly.
  • deployment/build-images.sh:166 — The `# ... ` inline-comment-via-command-substitution idiom works (subshell sees # first, comment consumes the rest), but it's fragile (an apostrophe in the comment is fine here only because # is the first char) and unusual enough that a future editor may break it. Consider moving the comment above the env-var assignments block alongside the existing rationale at line 142, e.g.:
    # ... existing rationale ...
    # Pin built's GIT_VERSION to the short commit SHA so any local git tags
    # in the build environment don't get embedded in the binary.
  • The deployment script change is exercised only by the release pipeline; consider adding a CI smoke check that runs ./deployment/build-images.sh --node against a commit with a synthetic local tag and asserts the binary hash is unchanged vs. without the tag. Otherwise this regression class can quietly come back the next time built is upgraded or another const is added that consumes git state.

✅ Approved

@gilcu3 gilcu3 enabled auto-merge June 2, 2026 10:53
@gilcu3 gilcu3 added this pull request to the merge queue Jun 2, 2026
Merged via the queue into main with commit d78386f Jun 2, 2026
18 checks passed
@gilcu3 gilcu3 deleted the 3393-reproducible-builds-affected-by-the-existence-of-local-tags branch June 2, 2026 11:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

reproducible builds affected by the existence of local tags

3 participants