Skip to content

Commit 0d9eb15

Browse files
committed
fix(fspy/build): match main's cache workflow — hash extracted binary
Port main's `fetch_macos_binaries` cache logic: hash the cached file on every build, skip download when it matches `expected_sha256`, and verify the freshly-extracted binary against the same value on a cache miss. The hash is now over the extracted binary (not the tarball), which lets the cached file itself vouch for its own integrity without needing the original tarball on disk.
1 parent 0e6a788 commit 0d9eb15

1 file changed

Lines changed: 18 additions & 14 deletions

File tree

crates/fspy/build.rs

Lines changed: 18 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -60,8 +60,9 @@ struct BinaryDownload {
6060
url: &'static str,
6161
/// Path of the binary within the tarball.
6262
path_in_targz: &'static str,
63-
/// SHA-256 of the tarball at `url`. Each value can be obtained from the
64-
/// release download page.
63+
/// SHA-256 of the extracted binary. Doubles as the cache key: an
64+
/// already-extracted binary in `OUT_DIR` whose content hashes to this
65+
/// value is reused without hitting the network.
6566
expected_sha256: &'static str,
6667
}
6768

@@ -74,14 +75,14 @@ const MACOS_BINARY_DOWNLOADS: &[(&str, &[BinaryDownload])] = &[
7475
name: "oils_for_unix",
7576
url: "https://github.com/branchseer/oils-for-unix-build/releases/download/oils-for-unix-0.37.0/oils-for-unix-0.37.0-darwin-arm64.tar.gz",
7677
path_in_targz: "oils-for-unix",
77-
expected_sha256: "3a35f7ae2be85fcd32392cd8171522f5822f20a69125c5e9d8d68b2f5c857098",
78+
expected_sha256: "ce4bb80b15f0a0371af08b19b65bfa5ea17d30429ebb911f487de3d2bcc7a07d",
7879
},
7980
// https://github.com/uutils/coreutils/releases/tag/0.4.0
8081
BinaryDownload {
8182
name: "coreutils",
8283
url: "https://github.com/uutils/coreutils/releases/download/0.4.0/coreutils-0.4.0-aarch64-apple-darwin.tar.gz",
8384
path_in_targz: "coreutils-0.4.0-aarch64-apple-darwin/coreutils",
84-
expected_sha256: "a148b660eeaf409af7a4406903f93d0e6713a5eb9adcaf71a1d732f1e3cc3522",
85+
expected_sha256: "8e8f38d9323135a19a73d617336fce85380f3c46fcb83d3ae3e031d1c0372f21",
8586
},
8687
],
8788
),
@@ -93,14 +94,14 @@ const MACOS_BINARY_DOWNLOADS: &[(&str, &[BinaryDownload])] = &[
9394
name: "oils_for_unix",
9495
url: "https://github.com/branchseer/oils-for-unix-build/releases/download/oils-for-unix-0.37.0/oils-for-unix-0.37.0-darwin-x86_64.tar.gz",
9596
path_in_targz: "oils-for-unix",
96-
expected_sha256: "aa12258d1bd553020144ad61fdac18e7dfbe3fc3965da32ee458840153169151",
97+
expected_sha256: "cf1a95993127770e2a5fff277cd256a2bb28cf97d7f83ae42fdccc172cdb540d",
9798
},
9899
// https://github.com/uutils/coreutils/releases/tag/0.4.0
99100
BinaryDownload {
100101
name: "coreutils",
101102
url: "https://github.com/uutils/coreutils/releases/download/0.4.0/coreutils-0.4.0-x86_64-apple-darwin.tar.gz",
102103
path_in_targz: "coreutils-0.4.0-x86_64-apple-darwin/coreutils",
103-
expected_sha256: "6e4be8429efe86c9a60247ae7a930221ed11770a975fb4b6fd09ff8d39b9a15c",
104+
expected_sha256: "6be8bee6e8b91fc44a465203b9cc30538af00084b6657dc136d9e55837753eb1",
104105
},
105106
],
106107
),
@@ -120,18 +121,21 @@ fn fetch_macos_binaries(out_dir: &Path) -> anyhow::Result<()> {
120121

121122
for BinaryDownload { name, url, path_in_targz, expected_sha256 } in downloads {
122123
let dest = out_dir.join(name);
123-
// Reuse the extracted binary if it's already in OUT_DIR; the sha256
124-
// of the tarball was verified on the initial download. This avoids
125-
// hitting the network on incremental build-script reruns.
126-
if !dest.exists() {
124+
// Cache hit: an already-extracted binary whose contents hash to
125+
// `expected_sha256` is known-good and reused without redownloading.
126+
let cached = matches!(
127+
fs::read(&dest),
128+
Ok(existing) if sha256_hex(&existing) == *expected_sha256,
129+
);
130+
if !cached {
127131
let tarball = download(url).context(format!("Failed to download {url}"))?;
128-
let actual_sha256 = sha256_hex(&tarball);
132+
let data = unpack_tar_gz(Cursor::new(tarball), path_in_targz)
133+
.context(format!("Failed to extract {path_in_targz} from {url}"))?;
134+
let actual_sha256 = sha256_hex(&data);
129135
assert_eq!(
130136
&actual_sha256, expected_sha256,
131-
"sha256 of {url} does not match — update expected value in MACOS_BINARY_DOWNLOADS",
137+
"sha256 of {path_in_targz} in {url} does not match — update expected value in MACOS_BINARY_DOWNLOADS",
132138
);
133-
let data = unpack_tar_gz(Cursor::new(tarball), path_in_targz)
134-
.context(format!("Failed to extract {path_in_targz} from {url}"))?;
135139
fs::write(&dest, &data).with_context(|| format!("writing {}", dest.display()))?;
136140
}
137141
bundled_artifact_build::register(name, &dest);

0 commit comments

Comments
 (0)