apollo_compile_to_casm,apollo_compile_to_native: switch to script-based compiler installation

crates/apollo_compilation_utils/src/build_utils.rs

@@ -3,15 +3,15 @@ use std::process::Command;
 
 use tempfile::TempDir;
 
-use crate::paths::{binary_path, shared_folder_dir};
+use crate::paths::{legacy_binary_path, shared_folder_dir};
 
 pub fn install_compiler_binary(
     binary_name: &str,
     required_version: &str,
     cargo_install_args: &[&str],
     out_dir: &std::path::Path,
 ) {
-    let binary_path = binary_path(out_dir, binary_name);
+    let binary_path = legacy_binary_path(out_dir, binary_name);
     match Command::new(&binary_path).args(["--version"]).output() {
         Ok(binary_version) => {
             let binary_version = String::from_utf8(binary_version.stdout)

crates/apollo_compilation_utils/src/paths.rs

@@ -2,6 +2,8 @@
 // It must not contain functionality that is available in only in one of these modes. Specifically,
 // it must avoid relying on env variables such as 'CARGO_*' or 'OUT_DIR'.
 
+use std::path::PathBuf;
+
 fn target_dir(out_dir: &std::path::Path) -> std::path::PathBuf {
     out_dir
         .ancestors()
@@ -14,6 +16,56 @@ pub fn shared_folder_dir(out_dir: &std::path::Path) -> std::path::PathBuf {
     target_dir(out_dir).join("shared_executables")
 }
 
-pub fn binary_path(out_dir: &std::path::Path, binary_name: &str) -> std::path::PathBuf {
+/// Returns the absolute path to `binary_name`, resolved through `$PATH` at call time.
+///
+/// Resolving the absolute path here (rather than relying on `Command::new(binary_name)`
+/// to re-resolve each call) means the binary identity is locked in at startup. After
+/// the process starts, no later `$PATH` mutation (env-var injection, dropped binary
+/// earlier in `$PATH`) can redirect compiler invocations. Panics if the binary is not
+/// on `$PATH`, which is the correct behavior: refusing to start is safer than starting
+/// and silently using the wrong binary at the first compilation request.
+pub fn binary_path(binary_name: &str) -> PathBuf {
+    resolve_on_path(binary_name).unwrap_or_else(|| {
+        panic!(
+            "{binary_name} not found on PATH. Run 'scripts/install_compiler_binaries.sh' to \
+             install it."
+        )
+    })
+}
+
+fn resolve_on_path(binary_name: &str) -> Option<PathBuf> {
+    // Reject path-segment-containing names; the caller passes just a basename.
+    if binary_name.is_empty() || binary_name.contains(std::path::MAIN_SEPARATOR) {
+        return None;
+    }
+    let path_var = std::env::var_os("PATH")?;
+    for dir in std::env::split_paths(&path_var) {
+        if dir.as_os_str().is_empty() {
+            continue;
+        }
+        let candidate = dir.join(binary_name);
+        if is_executable_file(&candidate) {
+            return Some(candidate);
+        }
+    }
+    None
+}
+
+#[cfg(unix)]
+fn is_executable_file(path: &std::path::Path) -> bool {
+    use std::os::unix::fs::PermissionsExt;
+    match std::fs::metadata(path) {
+        Ok(metadata) => metadata.is_file() && metadata.permissions().mode() & 0o111 != 0,
+        Err(_) => false,
+    }
+}
+
+#[cfg(not(unix))]
+fn is_executable_file(path: &std::path::Path) -> bool {
+    std::fs::metadata(path).is_ok_and(|metadata| metadata.is_file())
+}
+
+// TODO(Avi): Remove once build.rs callers are gone.
+pub fn legacy_binary_path(out_dir: &std::path::Path, binary_name: &str) -> std::path::PathBuf {
     shared_folder_dir(out_dir).join(binary_name)
 }

crates/apollo_compile_to_casm/Cargo.toml

@@ -16,6 +16,7 @@ workspace = true
 apollo_compilation_utils.workspace = true
 apollo_compile_to_casm_types.workspace = true
 apollo_infra.workspace = true
+apollo_infra_utils.workspace = true
 apollo_metrics.workspace = true
 apollo_proc_macros.workspace = true
 apollo_sierra_compilation_config.workspace = true
@@ -29,12 +30,7 @@ tracing.workspace = true
 
 [dev-dependencies]
 apollo_compilation_utils = { workspace = true, features = ["testing"] }
-apollo_infra_utils.workspace = true
 assert_matches.workspace = true
 expect-test.workspace = true
 mempool_test_utils.workspace = true
 regex.workspace = true
-
-[build-dependencies]
-apollo_compilation_utils.workspace = true
-apollo_infra_utils.workspace = true

crates/apollo_compile_to_casm/src/compiler.rs

@@ -1,9 +1,11 @@
 use std::path::PathBuf;
 
+use apollo_compilation_utils::build_utils::verify_compiler_binary;
 use apollo_compilation_utils::compiler_utils::compile_with_args;
 use apollo_compilation_utils::errors::CompilationUtilError;
 use apollo_compilation_utils::paths::binary_path;
 use apollo_compilation_utils::resource_limits::ResourceLimits;
+use apollo_infra_utils::cairo_compiler_version::CAIRO1_COMPILER_VERSION;
 use apollo_sierra_compilation_config::config::SierraCompilationConfig;
 use cairo_lang_starknet_classes::casm_contract_class::CasmContractClass;
 use cairo_lang_starknet_classes::contract_class::ContractClass;
@@ -19,7 +21,8 @@ pub struct SierraToCasmCompiler {
 
 impl SierraToCasmCompiler {
     pub fn new(config: SierraCompilationConfig) -> Self {
-        let path_to_binary = binary_path(&out_dir(), CAIRO_LANG_BINARY_NAME);
+        let path_to_binary = binary_path(CAIRO_LANG_BINARY_NAME);
+        verify_compiler_binary(&path_to_binary, CAIRO1_COMPILER_VERSION);
         info!("Using Sierra compiler binary at: {:?}", path_to_binary);
         Self { config, path_to_binary }
     }
@@ -51,8 +54,3 @@ impl SierraToCasmCompiler {
         Ok(serde_json::from_slice::<CasmContractClass>(&stdout)?)
     }
 }
-
-// Returns the OUT_DIR. This function is only operable at run time.
-fn out_dir() -> PathBuf {
-    env!("RUNTIME_ACCESSIBLE_OUT_DIR").into()
-}

crates/apollo_compile_to_native/Cargo.toml

@@ -23,7 +23,3 @@ assert_matches.workspace = true
 mempool_test_utils.workspace = true
 rstest.workspace = true
 toml_test_utils.workspace = true
-
-[build-dependencies]
-apollo_compilation_utils.workspace = true
-apollo_infra_utils.workspace = true

crates/apollo_compile_to_native/src/compiler.rs

@@ -1,5 +1,6 @@
-use std::path::{Path, PathBuf};
+use std::path::PathBuf;
 
+use apollo_compilation_utils::build_utils::verify_compiler_binary;
 use apollo_compilation_utils::compiler_utils::compile_with_args;
 use apollo_compilation_utils::errors::CompilationUtilError;
 use apollo_compilation_utils::paths::binary_path;
@@ -9,7 +10,7 @@ use cairo_lang_starknet_classes::contract_class::ContractClass;
 use cairo_native::executor::AotContractExecutor;
 use tempfile::NamedTempFile;
 
-use crate::constants::CAIRO_NATIVE_BINARY_NAME;
+use crate::constants::{CAIRO_NATIVE_BINARY_NAME, REQUIRED_CAIRO_NATIVE_VERSION};
 
 #[derive(Clone)]
 pub struct SierraToNativeCompiler {
@@ -21,7 +22,11 @@ impl SierraToNativeCompiler {
     pub fn new(config: SierraCompilationConfig) -> Self {
         let path_to_binary = match &config.compiler_binary_path {
             Some(path) => path.clone(),
-            None => binary_path(&out_dir(), CAIRO_NATIVE_BINARY_NAME),
+            None => {
+                let path = binary_path(CAIRO_NATIVE_BINARY_NAME);
+                verify_compiler_binary(&path, REQUIRED_CAIRO_NATIVE_VERSION);
+                path
+            }
         };
         Self { config, path_to_binary }
     }
@@ -50,13 +55,8 @@ impl SierraToNativeCompiler {
             resource_limits,
         )?;
 
-        Ok(AotContractExecutor::from_path(Path::new(&output_file_path))
+        Ok(AotContractExecutor::from_path(output_file.path())
             .map_err(|e| CompilationUtilError::CompilationError(e.to_string()))?
             .unwrap())
     }
 }
-
-// Returns the OUT_DIR. This function is only operable at run time.
-fn out_dir() -> PathBuf {
-    env!("RUNTIME_ACCESSIBLE_OUT_DIR").into()
-}

crates/blockifier_reexecution/replay/Dockerfile

@@ -82,6 +82,9 @@ RUN cargo chef cook --release -p blockifier_reexecution --features cairo_native
 COPY . .
 RUN cargo build --release -p blockifier_reexecution --features cairo_native
 
+# Install compiler binaries used for Sierra compilation at runtime.
+RUN scripts/install_compiler_binaries.sh --dest /usr/local/bin
+
 # =============================================================================
 # Stage 4: Final runtime image
 # =============================================================================
@@ -100,8 +103,8 @@ WORKDIR /app
 
 # Copy the binary and both compilers (Sierra-to-CASM and Sierra-to-Native).
 COPY --from=builder /app/target/release/blockifier_reexecution ./target/release/blockifier_reexecution
-COPY --from=builder /app/target/release/shared_executables/starknet-sierra-compile ./target/release/shared_executables/starknet-sierra-compile
-COPY --from=builder /app/target/release/shared_executables/starknet-native-compile ./target/release/shared_executables/starknet-native-compile
+COPY --from=builder /usr/local/bin/starknet-sierra-compile /usr/local/bin/starknet-sierra-compile
+COPY --from=builder /usr/local/bin/starknet-native-compile /usr/local/bin/starknet-native-compile
 COPY --from=builder /usr/bin/tini /usr/bin/tini
 
 RUN set -ex; \

crates/starknet_transaction_prover/Dockerfile

@@ -135,6 +135,9 @@ RUN BUILD_FLAGS=$([ "$BUILD_MODE" = "release" ] && echo "--release" || true); \
         cargo build $BUILD_FLAGS -p starknet_transaction_prover --features stwo_proving; \
     fi
 
+# Install compiler binary used for Sierra to CASM compilation at runtime.
+RUN scripts/install_compiler_binaries.sh --sierra --dest /usr/local/bin
+
 # =============================================================================
 # Stage 4: Final runtime image
 # =============================================================================
@@ -158,7 +161,7 @@ COPY --from=builder /app/target/${BUILD_MODE}/starknet_transaction_prover ./targ
 COPY --from=builder /app/crates/starknet_transaction_prover/resources ./crates/starknet_transaction_prover/resources
 
 # Copy starknet-sierra-compile binary required for Sierra to Casm compilation.
-COPY --from=builder /app/target/${BUILD_MODE}/shared_executables/starknet-sierra-compile ./target/${BUILD_MODE}/shared_executables/starknet-sierra-compile
+COPY --from=builder /usr/local/bin/starknet-sierra-compile /usr/local/bin/starknet-sierra-compile
 
 # Copy tini for proper init handling.
 COPY --from=builder /usr/bin/tini /usr/bin/tini

deployments/images/base/Dockerfile

@@ -8,11 +8,17 @@ FROM ubuntu:24.04 AS base
 
 COPY scripts/install_build_tools.sh scripts/install_build_tools.sh
 COPY scripts/install_cargo_tools.sh scripts/install_cargo_tools.sh
+COPY scripts/compiler_versions.sh scripts/compiler_versions.sh
+COPY scripts/install_compiler_binaries.sh scripts/install_compiler_binaries.sh
+COPY scripts/install_llvm19.sh scripts/install_llvm19.sh
 COPY scripts/dependencies.sh scripts/dependencies.sh
 COPY scripts/apt_utils.sh scripts/apt_utils.sh
 COPY scripts/cargo_tool_utils.sh scripts/cargo_tool_utils.sh
 COPY scripts/requirements.txt scripts/requirements.txt
 COPY rust-toolchain.toml .
+# Version files read by compiler_versions.sh (the single source of truth).
+COPY crates/apollo_infra_utils/src/cairo_compiler_version.txt crates/apollo_infra_utils/src/cairo_compiler_version.txt
+COPY crates/apollo_compile_to_native/src/native_compiler_version.txt crates/apollo_compile_to_native/src/native_compiler_version.txt
 
 RUN apt update && apt -y install \
     bzip2 \
@@ -24,19 +30,33 @@ ENV RUSTUP_HOME=/var/tmp/rust
 ENV CARGO_HOME=${RUSTUP_HOME}
 ENV PATH=$PATH:${RUSTUP_HOME}/bin
 
-RUN scripts/install_build_tools.sh
-RUN rustup toolchain install
-RUN cargo install --locked cargo-chef
-
+# LLVM env vars must be set before install_build_tools.sh so that
+# cargo install starknet-native-compile can find LLVM.
 ENV LLVM_SYS_191_PREFIX="/usr/lib/llvm-19/"
 ENV MLIR_SYS_190_PREFIX="/usr/lib/llvm-19/"
 ENV TABLEGEN_190_PREFIX="/usr/lib/llvm-19/"
 
+RUN scripts/install_build_tools.sh
+RUN rustup toolchain install
+RUN cargo install --locked cargo-chef
+
 # Define python venv and install python packages.
 ENV VIRTUAL_ENV=/opt/sequencer_venv
 RUN python3 -m venv ${VIRTUAL_ENV}
 RUN ${VIRTUAL_ENV}/bin/pip install -r scripts/requirements.txt
 ENV PATH="${VIRTUAL_ENV}/bin:$PATH"
 
 # Cleanup.
-RUN rm -f scripts/install_build_tools.sh scripts/install_cargo_tools.sh scripts/cargo_tool_utils.sh scripts/dependencies.sh scripts/apt_utils.sh scripts/requirements.txt
+RUN rm -f \
+    scripts/install_build_tools.sh \
+    scripts/install_cargo_tools.sh \
+    scripts/install_compiler_binaries.sh \
+    scripts/install_llvm19.sh \
+    scripts/compiler_versions.sh \
+    scripts/cargo_tool_utils.sh \
+    scripts/dependencies.sh \
+    scripts/apt_utils.sh \
+    scripts/requirements.txt \
+    crates/apollo_infra_utils/src/cairo_compiler_version.txt \
+    crates/apollo_compile_to_native/src/native_compiler_version.txt && \
+    rmdir -p crates/apollo_infra_utils/src crates/apollo_compile_to_native/src 2>/dev/null || true

deployments/images/sequencer/Dockerfile

@@ -35,6 +35,9 @@ RUN BUILD_FLAGS=""; \
     fi; \
     cargo build $BUILD_FLAGS --bin apollo_node --features cairo_native
 
+# Install compiler binaries used for Sierra compilation at runtime.
+RUN scripts/install_compiler_binaries.sh --dest /usr/local/bin
+
 
 FROM ubuntu:24.04 AS final_stage
 
@@ -48,8 +51,8 @@ RUN apt-get update && apt-get install -y ca-certificates binutils libc6-dev
 ENV ID=1001
 WORKDIR /app
 COPY --from=builder /app/target/${BUILD_MODE}/apollo_node ./target/${BUILD_MODE}/apollo_node
-COPY --from=builder /app/target/${BUILD_MODE}/shared_executables/starknet-sierra-compile ./target/${BUILD_MODE}/shared_executables/starknet-sierra-compile
-COPY --from=builder /app/target/${BUILD_MODE}/shared_executables/starknet-native-compile ./target/${BUILD_MODE}/shared_executables/starknet-native-compile
+COPY --from=builder /usr/local/bin/starknet-sierra-compile /usr/local/bin/starknet-sierra-compile
+COPY --from=builder /usr/local/bin/starknet-native-compile /usr/local/bin/starknet-native-compile
 COPY --from=builder /usr/bin/tini /usr/bin/tini
 
 # Copy apollo config schema, used when it loads its configuration.

scripts/build_native_blockifier.sh

@@ -15,6 +15,10 @@ function build() {
     source /tmp/venv/bin/activate
     rustup toolchain install
     cargo build --release -p native_blockifier --features "cairo_native" || ret=$?
+    # Install starknet-native-compile and place a copy at a known relative path
+    # so the workflow's GCS upload key is stable (decoupled from $CARGO_HOME).
+    "$(dirname "${BASH_SOURCE[0]}")/install_compiler_binaries.sh" \
+        --native --dest target/release/shared_executables || ret=$?
     clean
     return $ret
 }