build(wasm_sandbox): commit compiled WIT artifact + CI drift check

simongdavies · simongdavies · commit a85359108c5b · 2026-05-14T15:08:11.000+01:00
host_bindgen!() consumes a compiled WIT component (sandbox-world.wasm),
which was previously .gitignored and only produced by `just wasm
guest-compile-wit`. That left silent breakage for source-distribution
consumers (`pip install git+...`, `cargo install`, etc.) because
the artifact is read by transitive deps -- specifically the
hyperlight-wasm-runtime proc-macro -- BEFORE our own build scripts can
run. A build.rs in this crate cannot solve the bootstrap (the runtime
is compiled first in the dep graph, and would race ABI with our
fresh bindings even if it succeeded).

The pragmatic, well-trodden fix used by most WIT-component projects:
check the compiled artifact into git so it exists from clone time.

Changes:

- .gitignore: add `!src/wasm_sandbox/wit/sandbox-world.wasm` to opt
  this specific artifact out of the broad `*.wasm` exclusion.
- Commit the current 16235-byte canonical artifact produced by
  `wasm-tools component wit ... -w`.
- CI: add a `Check WIT artifact is in sync` step to the wasm-sandbox
  matrix job that regenerates the file via `just wasm
  guest-compile-wit` then `git diff --exit-code`s it, failing fast
  if a contributor edits the .wit source without committing the
  regenerated artifact.

Developer flow stays the same: edit .wit, run `just wasm
guest-compile-wit` (also chained inside `just wasm build`), commit
both files together.

Signed-off-by: Simon Davies &lt;simongdavies@users.noreply.github.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -87,6 +87,15 @@ jobs:
           sudo udevadm trigger --name-match=kvm
           sudo chmod 666 /dev/kvm
 
+      - name: Check WIT artifact is in sync with .wit source
+        # sandbox-world.wasm is the compiled WIT used by host_bindgen!. It
+        # is consumed by transitive deps (hyperlight-wasm-runtime) before
+        # our crate's build scripts run, so it must live in git. Detect any
+        # drift between the committed artifact and the .wit source.
+        run: |
+          just wasm guest-compile-wit
+          git diff --exit-code -- src/wasm_sandbox/wit/sandbox-world.wasm
+
       - name: Build
         run: just wasm build
 
diff --git a/.gitignore b/.gitignore
@@ -2,6 +2,11 @@ target/
 .venv/
 *.aot
 *.wasm
+# Exception: the compiled WIT artifact is checked in as a build input.
+# host_bindgen! reads this file *before* our build scripts can run (it is
+# consumed by transitive deps like hyperlight-wasm-runtime), so the file
+# must exist from `git clone` time. CI regenerates and diffs to catch drift.
+!src/wasm_sandbox/wit/sandbox-world.wasm
 __pycache__/
 *.so
 *.pyd
diff --git a/src/wasm_sandbox/wit/sandbox-world.wasm b/src/wasm_sandbox/wit/sandbox-world.wasm
