Problem
CI pins keep to a specific SHA (currently 81a820f6... duplicated in both ci.yml and release.yml). Local developers clone keep at main, so their build may use a different version than CI. This produces drift and blocks reproducibility.
Proposal
Introduce a single keep.version file at repo root containing the pinned SHA.
ci.yml and release.yml: replace hardcoded SHAs with $(cat keep.version) in the actions/checkout steps.- Gradle
verifyKeepVersion task wired into :app:preBuild alongside buildRust. It reads keep.version, runs git -C $KEEP_REPO rev-parse HEAD (following symlinks, so sibling-repo layouts work), and compares.
- On missing
keep/ the task errors with the exact clone + checkout command. No auto-clone.
- On SHA mismatch the build fails with an actionable error suggesting
git -C keep checkout <pinned-sha>.
- Bumping the pin is a manual edit to
keep.version; no Gradle helper task in this issue.
Acceptance
- CI and local builds use the same
keep commit
- Bumping is a single-file change
- Mismatch produces an actionable error, not a mysterious binding failure
- Works with symlinked
keep/ layouts (checks resolved target's HEAD, not path)
Follow-up from #221.
Problem
CI pins
keepto a specific SHA (currently81a820f6...duplicated in bothci.ymlandrelease.yml). Local developers clonekeepatmain, so their build may use a different version than CI. This produces drift and blocks reproducibility.Proposal
Introduce a single
keep.versionfile at repo root containing the pinned SHA.ci.ymlandrelease.yml: replace hardcoded SHAs with$(cat keep.version)in theactions/checkoutsteps.verifyKeepVersiontask wired into:app:preBuildalongsidebuildRust. It readskeep.version, runsgit -C $KEEP_REPO rev-parse HEAD(following symlinks, so sibling-repo layouts work), and compares.keep/the task errors with the exact clone + checkout command. No auto-clone.git -C keep checkout <pinned-sha>.keep.version; no Gradle helper task in this issue.Acceptance
keepcommitkeep/layouts (checks resolved target's HEAD, not path)Follow-up from #221.