feat(provenance): pin build toolchain via source.yaml image (run build in Docker)#21
Merged
Merged
Conversation
…`image` Provenance compares the entire build-info JSON (including compiler settings like evmVersion), so the rebuild must use the same toolchain that produced the committed file. Previously the only way to pin that was to bake `docker run ...` into each entry's `build` command, which is verbose, easy to get wrong, and mutates nothing-on-host only if the author remembers the right flags. Add an optional `image` field to source provenance (and per-contract overrides). When set, Catapult runs the build command inside `docker run <image>` with the checkout bind-mounted at /workspace (also workdir and $HOME), the command run via `sh -c`, and — on POSIX — the container as the caller's uid:gid so output is owned by the caller and the temp checkout cleans up. The toolchain is pinned per entry (different build-info files can use different images) and the host/runner is untouched. - types/source: add image to SourceProvenance + SourceProvenanceOverride - parser: accept/validate image as a string field (also in contract overrides) - provenance: runBuild() wraps build in runDockerBuild() when image is set; include image in the build cache key - tests + README
e0c9969 to
2164347
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds an optional
imagefield tosource.yamlprovenance entries. When set, Catapult runs the entry'sbuildcommand insidedocker run <image>instead of on the host.Why
provenance verifycompares the entire normalized build-info JSON, including compiler settings such assettings.evmVersion. So the rebuild must use the same toolchain that produced the committed file — otherwise a drifting default fails the compare. (Concretely: Foundry's default EVM target movedprague→osakabetween stable and nightly, which silently broke a verify whose committed artifact wasprague.)Until now the only way to pin the toolchain was to bake the whole
docker run …invocation into each entry'sbuildstring — verbose, easy to get the mount/user/HOME flags wrong, and duplicated across every entry. The toolchain is really a property of the build, so Catapult should own that plumbing.Behavior
When
imageis set, the build runs in a container with:/workspace(also the working directory and$HOME, so toolchains that cache to$HOME— e.g. solc downloads — write into the disposable checkout);sh -c(entrypoint overridden, so it's image-agnostic);--user <uid>:<gid>so generated build-info is owned by the caller and the temp checkout can be read back and cleaned up.This keeps the toolchain pinned per entry (different build-info files can use different images), leaves the host/runner untouched, and requires only that Docker be installed and running.
imageis also honored in per-contractcontractsoverrides. Whenimageis omitted, behavior is unchanged (build runs on the host shell).Changes
types/source:image?: stringonSourceProvenance+SourceProvenanceOverrideparsers/source: validateimageas a string field (also in contract overrides)provenance:runBuild()dispatches torunDockerBuild()whenimageis set;imageadded to the build cache keyAll 676 existing tests pass; the new docker path is intentionally not exercised in unit tests (would require Docker on the runner) — it's validated end-to-end against a real project.