Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add build checksum to version endpoint #2016

Closed
wants to merge 1 commit into from
Closed

feat: add build checksum to version endpoint #2016

wants to merge 1 commit into from

Conversation

pedro-pelicioni-cw
Copy link
Contributor

@pedro-pelicioni-cw pedro-pelicioni-cw commented Feb 14, 2025
edited by github-actions bot
Loading

User description

Generate unique build checksum using SHA-256 based on:

  • Build timestamp
  • Package version
  • Target architecture
  • Build profile
  • Enabled features

This helps with build traceability and verification.

PR Type

Enhancement

Description

  • Add build checksum to version endpoint

  • Generate SHA-256 checksum based on build info

  • Include checksum in build info JSON output

  • Update dependencies to include sha2 crate

Changes walkthrough 📝

Relevant files
Enhancement
build.rs
Generate and export build checksum                                             

build.rs

  • Import SystemTime, UNIX_EPOCH, and Sha256
  • Generate build info string with timestamp, version, target, profile,
    and features
  • Create SHA-256 checksum from build info
  • Export BUILD_BINARY_CHECKSUM as compile-time environment variable
    		• +27/-0   
    build_info.rs
    Add binary checksum to build info                                               

    src/infra/build_info.rs

  • Add BUILD_BINARY_CHECKSUM constant
  • Include binary_checksum in as_json() output
    		• +2/-0     
    Dependencies
    Cargo.toml
    Add sha2 crate dependency                                                               

    Cargo.toml

    • Add sha2 crate dependency (version 0.10.8)
    		 +1/-0     
    Need help?
  • Type /help how to ... in the comments thread for any questions about PR-Agent usage.
  • Check out the documentation for more information.
    •

    @pedro-pelicioni-cw
    feat: add build checksum to version endpoint
    a14776c 
    Generate unique build checksum using SHA-256 based on:
- Build timestamp
- Package version
- Target architecture
- Build profile
- Enabled features

This helps with build traceability and verification.
    @pedro-pelicioni-cw pedro-pelicioni-cw self-assigned this Feb 14, 2025
    @github-actions GitHub Actions
    Copy link

    PR Reviewer Guide 🔍

    Here are some key observations to aid the review process:

    ⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
    🧪 No relevant tests
    🔒 No security concerns identified
    ⚡ Recommended focus areas for review

    Potential Performance Issue

    The build checksum generation is using SystemTime::now() which might be slow or inaccurate. Consider using a more precise and faster time measurement method.

    SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs(),
    Missing Error Handling

    The unwrap() calls on environment variables could potentially panic if the variables are not set. Consider using unwrap_or_default() or a more robust error handling approach.

    std::env::var("CARGO_PKG_VERSION").unwrap_or_default(),
// Target
std::env::var("TARGET").unwrap_or_default(),
// Profile (debug/release)
std::env::var("PROFILE").unwrap_or_default(),
// Features ativadas
std::env::var("CARGO_FEATURES").unwrap_or_default()

    @github-actions GitHub Actions
    Copy link

    PR Code Suggestions ✨

    Explore these optional code suggestions:

    CategorySuggestion                                                                                                                                    Impact
    General
    Enhance build checksum uniqueness

    The build checksum generation uses a fixed set of build information. Consider
    including more dynamic information such as the git commit hash or a unique build
    identifier to make the checksum more unique and informative.

    build.rs [84-96]

     let build_info = format!(
-    "{}-{}-{}-{}-{}",
-    // Timestamp do build
-    SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs(),
-    // Versão do pacote
+    "{}-{}-{}-{}-{}-{}",
+    SystemTime::now().duration_since(UNIX_EPOCH).unwrap_or_default().as_secs(),
     std::env::var("CARGO_PKG_VERSION").unwrap_or_default(),
-    // Target
     std::env::var("TARGET").unwrap_or_default(),
-    // Profile (debug/release)
     std::env::var("PROFILE").unwrap_or_default(),
-    // Features ativadas
-    std::env::var("CARGO_FEATURES").unwrap_or_default()
+    std::env::var("CARGO_FEATURES").unwrap_or_default(),
+    std::env::var("VERGEN_GIT_SHA").unwrap_or_default()
 );
    Suggestion importance[1-10]: 8

    __

    Why: This suggestion significantly improves the uniqueness and informativeness of the build checksum by including the git commit hash. It enhances the ability to identify and track specific builds, which is valuable for debugging and version control.

    		Medium
    Use more robust timestamp generation

    Consider using a more robust method for generating the build timestamp. The current
    approach using SystemTime::now() may be affected by system clock changes. Consider
    using a monotonic clock or a more stable timestamp source.

    build.rs [87]

    -SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs(),
+std::time::SystemTime::now().duration_since(std::time::UNIX_EPOCH).unwrap_or_default().as_secs(),
    Suggestion importance[1-10]: 7

    __

    Why: The suggestion improves error handling by using unwrap_or_default(), which prevents potential panics if the system time calculation fails. This enhances the robustness of the build process.

    		Medium

    gabriel-aranha-cw
    gabriel-aranha-cw reviewed Feb 14, 2025
    View reviewed changes
    Copy link
    Contributor

    @gabriel-aranha-cw gabriel-aranha-cw left a comment

    Choose a reason for hiding this comment

    The reason will be displayed to describe this comment to others. Learn more.

    We need to generate the checksum as an additional artifact (.txt file or something) when building the binary. When an user downloads Stratus, then the user can see the checksum of that build in this file and run the checksum if wants to on the binary to validate.
    Example: https://github.com/goreleaser/goreleaser/releases/tag/v2.7.0

    arthurmm-cloudwalk
    arthurmm-cloudwalk reviewed Feb 17, 2025
    View reviewed changes
    build.rs
    @@ -76,6 +80,29 @@ fn generate_build_info() {
    println!("cargo:rustc-env=BUILD_OPENSSL_VERSION={}", openssl_version.trim());
    println!("cargo:rustc-env=BUILD_GLIBC_VERSION={}", glibc_version.trim());

    // Coletar informações disponíveis durante o build
    Copy link
    Contributor

    Choose a reason for hiding this comment

    The reason will be displayed to describe this comment to others. Learn more.

    Let's keep all comments in english

    @pedro-pelicioni-cw pedro-pelicioni-cw deleted the feat/add-binary-checksum branch February 17, 2025 17:35
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Reviewers

    @arthurmm-cloudwalk arthurmm-cloudwalk arthurmm-cloudwalk left review comments

    @gabriel-aranha-cw gabriel-aranha-cw gabriel-aranha-cw left review comments

    Assignees

    @pedro-pelicioni-cw pedro-pelicioni-cw

    Labels
    None yet
    Projects
    None yet
    Milestone
    No milestone
    Development

    Successfully merging this pull request may close these issues.
    3 participants
    @pedro-pelicioni-cw @arthurmm-cloudwalk @gabriel-aranha-cw