fix(release): block SwiftPM checksum drift #509

Open
shubhamsinnh wants to merge 1 commit into RunanywhereAI:main from shubhamsinnh:fix/issue-499-spm-checksum-release
@shubhamsinnh shubhamsinnh commented Jun 22, 2026


Fixes #499

Description

Strengthens the release pipeline so future SwiftPM tags cannot publish with binary target checksums that differ from the freshly built XCFramework zips. SwiftPM resolves Package.swift from the immutable Git tag, so release-time checksum drift must block publishing instead of being patched into a release asset that consumers never read.

Type of Change

  • Bug fix
  • New feature
  • Documentation update
  • Refactoring

Summary

  • Fail release validation when the tagged Package.swift is still in local-native mode.
  • Change the release publish step from post-build checksum patching to checksum verification against the tagged manifest.
  • Update scripts/release/sync-versions.sh so release prep sets useLocalNatives = false before tagging.

Root Cause

SwiftPM resolves Package.swift from the immutable Git tag. The release workflow previously ran sync-checksums.sh after artifacts were built and attached a corrected Package.swift.updated asset, but external SPM consumers never read that asset. If the tagged manifest checksums did not already match the uploaded zips, the release was still unresolvable.

Testing

  • Lint passes locally
  • Added/updated tests for changes

Validation performed:

  • git diff --check
  • release.yml parsed with Python/PyYAML
  • bash -n scripts/release/sync-versions.sh
  • bash -n sdk/runanywhere-swift/scripts/sync-checksums.sh
  • Controlled checksum drift test confirmed sync-checksums.sh changes Package.swift when generated zips do not match the tagged checksums

Platform-Specific Testing (check all that apply)

Swift SDK / iOS Sample:

  • Tested on iPhone (Simulator or Device)
  • Tested on iPad / Tablet
  • Tested on Mac (macOS target)

Kotlin SDK / Android Sample:

  • Tested on Android Phone (Emulator or Device)
  • Tested on Android Tablet

Flutter SDK / Flutter Sample:

  • Tested on iOS
  • Tested on Android

React Native SDK / React Native Sample:

  • Tested on iOS
  • Tested on Android

Playground:

  • Tested on target platform
  • Verified no regressions in existing Playground projects

Web SDK / Web Sample:

  • Tested in Chrome (Desktop)
  • Tested in Firefox
  • Tested in Safari
  • WASM backends load (LlamaCpp + ONNX)
  • OPFS storage persistence verified (survives page refresh)
  • Settings persistence verified (localStorage)

Labels

Please add the appropriate label(s):

SDKs:

  • Swift SDK - Changes to Swift SDK release consumption (Package.swift / SwiftPM release flow)
  • Kotlin SDK - Changes to Kotlin SDK (sdk/runanywhere-kotlin)
  • Flutter SDK - Changes to Flutter SDK (sdk/runanywhere-flutter)
  • React Native SDK - Changes to React Native SDK (sdk/runanywhere-react-native)
  • Web SDK - Changes to Web SDK (sdk/runanywhere-web)
  • Commons - Changes to shared native code (sdk/runanywhere-commons)

Sample Apps:

  • iOS Sample - Changes to iOS example app (examples/ios)
  • Android Sample - Changes to Android example app (examples/android)
  • Flutter Sample - Changes to Flutter example app (examples/flutter)
  • React Native Sample - Changes to React Native example app (examples/react-native)
  • Web Sample - Changes to Web example app (examples/web)

Checklist

  • Code follows project style guidelines
  • Self-review completed
  • Documentation updated (if needed)

Notes

This prevents future releases from shipping mismatched SwiftPM binary target checksums. It does not rewrite existing tags such as v0.19.10 through v0.19.13; those require a new patch release or maintainer-side asset remediation.

Screenshots

Not applicable; release automation change only.

Summary by CodeRabbit

  • Bug Fixes
    • Improved release validation so mismatched package metadata is caught before publishing.
    • Added stricter checks to ensure release packages match the tagged manifest, reducing the chance of inconsistent downloads.
    • Updated release automation to keep version information aligned with the published artifacts.

@coderabbitai

coderabbitai Bot commented Jun 22, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 42b5334c-5778-4c48-b00d-d552d8093a48

📥 Commits

Reviewing files that changed from the base of the PR and between b6265a9 and 657c400.

📒 Files selected for processing (2)
  • .github/workflows/release.yml
  • scripts/release/sync-versions.sh
🚧 Files skipped from review as they are similar to previous changes (2)
  • scripts/release/sync-versions.sh
  • .github/workflows/release.yml

Walkthrough

The release pipeline now enforces useLocalNatives = false in Package.swift before tagging and changes publish-time checksum handling from syncing to verification. sync-versions.sh updates the manifest and its release notes, and release.yml now fails when the tagged manifest or checksum state does not match release expectations.

Changes

SPM Checksum Drift Prevention

| Layer / File(s) | Summary |
|---|---|
| sync-versions.sh: useLocalNatives=false bump and docs (scripts/release/sync-versions.sh) | Adds a bump_line call that sets useLocalNatives = false with a release-mode comment in Package.swift, and expands inline documentation to describe the SwiftPM XCFramework checksum workflow and immutable-tag constraint. |
| release.yml validate: pre-tag useLocalNatives guard (.github/workflows/release.yml) | Adds a check in the validate job's version-parsing step that exits non-zero if Package.swift does not already contain let useLocalNatives = false, blocking tags that would break external SPM binaryTarget resolution. |
| release.yml publish: checksum verification instead of sync (.github/workflows/release.yml) | Replaces the publish-job sync-checksums step with a verification step: copies Package.swift to a temp file, runs sync-checksums.sh, diffs the result, prints detailed error output and restores the original on mismatch, and exits 1 to block publishing when checksums diverge. |

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

  • RunanywhereAI/runanywhere-sdks#490: Previously fixed the checksum sync step glob and cross-target contamination in the same publish flow this PR now replaces with a fail-fast verifier.
  • RunanywhereAI/runanywhere-sdks#491: Updated Package.swift checksum literals to match built v0.19.13 binaries — the exact type of post-tag drift this PR's verification step is designed to prevent going forward.
  • RunanywhereAI/runanywhere-sdks#484: Modified the auto-tag workflow to verify sync-versions.sh effects, directly upstream of the useLocalNatives = false bump added here.

Suggested labels: release:patch

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title is concise and accurately summarizes the release-side SwiftPM checksum-drift fix. |
| Description check | ✅ Passed | The description follows the template well and includes the required sections with substantive details. |
| Linked Issues check | ✅ Passed | The changes address #499 by blocking publish when tagged SwiftPM checksums drift and by ensuring release prep sets local natives off. |
| Out of Scope Changes check | ✅ Passed | The diff stays focused on release validation and version-sync behavior for SwiftPM checksums without unrelated changes. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@shubhamsinnh shubhamsinnh marked this pull request as ready for review June 22, 2026 03:41
@shubhamsinnh shubhamsinnh force-pushed the fix/issue-499-spm-checksum-release branch from b6265a9 to 657c400 Compare July 4, 2026 13:27
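
The fail-closed check this PR describes, as an added shell example that is not the project's release.yml or sync-checksums.sh: it reads the url/checksum pairs from a manifest and compares each one to the SHA-256 of the built zip, without ever rewriting the manifest. The function names, the literal url-then-checksum line layout, and matching zips by the URL's file name are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the project's scripts): fail-closed manifest verification.
# Assumes literal `url: "..."` then `checksum: "..."` lines per binaryTarget and
# that each built zip is named after the last path component of its url.

sha256_of() {  # SwiftPM binary target checksums are the SHA-256 of the zip
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

manifest_checksums() {  # prints "zipname checksum" for each declared target
  awk '
    /url:[ \t]*"/      { split($0, p, "\""); n = split(p[2], s, "/"); zip = s[n] }
    /checksum:[ \t]*"/ { split($0, p, "\""); if (zip != "") print zip, p[2]; zip = "" }
  ' "$1"
}

# verify_release MANIFEST ARTIFACT_DIR
# Returns 0 only if the manifest is in release mode and every declared checksum
# equals the digest of the freshly built zip. Never rewrites the manifest.
verify_release() {
  manifest=$1; dir=$2; failed=0; seen=0
  if ! grep -Eq '^[[:space:]]*let useLocalNatives = false' "$manifest"; then
    echo "ERROR: $manifest is not in release mode" >&2
    return 1
  fi
  while read -r zip want; do
    [ -n "$zip" ] || continue
    seen=$((seen + 1))
    if [ ! -f "$dir/$zip" ]; then
      echo "ERROR: $zip is declared in the manifest but was not built" >&2
      failed=1; continue
    fi
    got=$(sha256_of "$dir/$zip")
    if [ "$got" != "$want" ]; then
      echo "ERROR: $zip tagged=$want built=$got" >&2
      failed=1
    fi
  done <<EOF
$(manifest_checksums "$manifest")
EOF
  if [ "$seen" -eq 0 ]; then
    echo "ERROR: no binaryTarget checksums found in $manifest" >&2
    return 1
  fi
  return "$failed"
}

if [ "$#" -eq 2 ]; then verify_release "$1" "$2"; fi
```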
Development

Successfully merging this pull request may close these issues.

[Bug]: SPM resolution fails for v0.19.10–v0.19.13: binary target checksums in Package.swift don't match the zips on GitHub Releases
