chainwayxyz · ozankaymak · Oct 20, 2025 · Oct 20, 2025 · Oct 20, 2025 · Oct 20, 2025
diff --git a/.cargo/config.toml b/.cargo/config.toml
@@ -0,0 +1,13 @@
+[target.x86_64-pc-windows-gnu]
+linker = "x86_64-w64-mingw32-gcc"
+runner = "wine64"
+rustflags = [
+    "-C", "debuginfo=0",
+    "-C", "opt-level=3",
+    "-C", "codegen-units=1",
+    # force dynamic CRT/winpthreads (do NOT use +crt-static)
+    "-C", "target-feature=-crt-static",
+    # make sure the linker flips back to dynamic for system libs
+    "-C", "link-arg=-Wl,-Bdynamic",
+    "-C", "link-arg=-Wl,--defsym,__ImageBase=0"
+]
diff --git a/.github/workflows/reproducible-builds.yml b/.github/workflows/reproducible-builds.yml
@@ -0,0 +1,264 @@
+name: Reproducible Builds Verification
+
+# Platform coverage:
+# - Linux: x86_64, ARM64 (aarch64), Windows cross-compile (via Nix)
+# - Windows: Native build (x86_64-pc-windows-msvc via cargo)
+# - macOS: Intel (x86_64), Apple Silicon (arm64) (via Nix)
+
+on:
+  pull_request:
+    branches:
+      - main
+    types: [opened, synchronize, reopened, ready_for_review]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  verify-reproducibility-windows:
+    name: Verify Reproducible Windows Build (Native)
+    runs-on: windows-latest
+    if: github.event.pull_request.draft == false
+
+    steps:
+      - name: Collect Workflow Telemetry
+        uses: catchpoint/workflow-telemetry-action@v2
+        with:
+          comment_on_pr: false
+
+      - uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          toolchain: "1.89.0"
+          components: rustfmt, rust-src
+
+      - name: Build
+        shell: bash
+        env:
+          SOURCE_DATE_EPOCH: "1"
+          RUSTFLAGS: "-C debuginfo=0 -C opt-level=3 -C codegen-units=1 -C strip=none -C link-arg=/PDBALTPATH:clementine-cli.pdb -C link-arg=/Brepro"
+        run: |
+          echo "Building for Windows native (x86_64-pc-windows-msvc) with reproducible settings..."
+          cargo build --release
+          echo "Build complete"
+
+      - name: Calculate build hash
+        id: hash
+        shell: bash
+        run: |
+          HASH=$(sha256sum target/release/clementine-cli.exe | awk '{print $1}')
+          echo "hash=$HASH" >> $GITHUB_OUTPUT
+          echo "Build hash: $HASH"
+
+      - name: Upload binary artifact
+        if: success()
+        uses: actions/upload-artifact@v4
+        with:
+          name: clementine-cli-windows-native
+          path: target/release/clementine-cli.exe
+          retention-days: 7
+
+  verify-hash-documentation-linux:
@@ -1,4 +1,6 @@
 name: Reproducible Builds Verification
+permissions:
+  contents: read
 # Platform coverage:
 # - Linux: x86_64, ARM64 (aarch64), Windows cross-compile (via Nix)
@@ -1,4 +1,6 @@
 name: Reproducible Builds Verification
+permissions:
+  contents: read

 # Platform coverage:
 # - Linux: x86_64, ARM64 (aarch64), Windows cross-compile (via Nix)
+    name: Build & Verify Documented Hashes (Linux/Windows-Nix)
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - x86_64-linux-gnu
+          - aarch64-linux-gnu
+          - arm-linux-gnueabihf
+          - riscv64-linux-gnu
+          - win64
+
+    steps:
+      - name: Collect Workflow Telemetry
+        uses: catchpoint/workflow-telemetry-action@v2
+        with:
+          comment_on_pr: false
+
+      - uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v31
+        with:
+          extra_nix_config: |
+            experimental-features = nix-command flakes
+
+      - name: Setup Cachix (optional binary cache)
+        uses: cachix/cachix-action@v13
+        with:
+          name: clementine-cli
+          skipPush: true
+        continue-on-error: true
+
+      - name: Build ${{ matrix.platform }}
+        run: |
+          echo "Building ${{ matrix.platform }} to verify documented hash..."
+          nix build .#${{ matrix.platform }}
+          echo "Build complete"
+
+      - name: Upload binary artifact
+        if: success()
+        uses: actions/upload-artifact@v4
+        with:
+          name: clementine-cli-${{ matrix.platform }}
+          path: result/bin/*
+          retention-days: 7
+
+      - name: Verify documented hash for ${{ matrix.platform }}
+        run: |
+          ACTUAL_HASH=$(nix hash path ./result)
+
+          # Extract documented hash from reproducible-builds.md
+          # Platform names are in bold (**platform**) in the markdown table
+          # Table format: | **platform** | `hash` |
+          DOCUMENTED_HASH=$(grep "\*\*${{ matrix.platform }}\*\*" docs/reproducible-builds.md | sed 's/.*`\(sha256-[^`]*\)`.*/\1/')
+
+          echo "Platform: ${{ matrix.platform }}"
+          echo "Documented hash: $DOCUMENTED_HASH"
+          echo "Actual hash:     $ACTUAL_HASH"
+          echo ""
+
+          if [ -z "$DOCUMENTED_HASH" ]; then
+            echo "ERROR: No documented hash found for ${{ matrix.platform }}"
+            echo "Please add the hash to docs/reproducible-builds.md Expected Hashes table:"
+            echo "  $ACTUAL_HASH"
+            exit 1
+          elif [ "$DOCUMENTED_HASH" != "$ACTUAL_HASH" ]; then
+            echo "ERROR: Documented hash does not match actual build hash!"
+            echo "The hash in docs/reproducible-builds.md is outdated."
+            echo ""
+            echo "Please update docs/reproducible-builds.md with the new hash:"
+            echo "  Platform: ${{ matrix.platform }}"
+            echo "  Old hash: $DOCUMENTED_HASH"
+            echo "  New hash: $ACTUAL_HASH"
+            exit 1
+          else
+            echo "OK: Documented hash matches actual build for ${{ matrix.platform }}"
+          fi
+
+  verify-hash-documentation-macos:
@@ -1,4 +1,6 @@
 name: Reproducible Builds Verification
+permissions:
+  contents: read
 # Platform coverage:
 # - Linux: x86_64, ARM64 (aarch64), Windows cross-compile (via Nix)
@@ -1,4 +1,6 @@
 name: Reproducible Builds Verification
+permissions:
+  contents: read

 # Platform coverage:
 # - Linux: x86_64, ARM64 (aarch64), Windows cross-compile (via Nix)
+    name: Build & Verify Documented Hashes (macOS)
+    runs-on: macos-latest
+    if: github.event.pull_request.draft == false
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - x86_64-apple-darwin
+          - arm64-apple-darwin
+
+    steps:
+      - name: Collect Workflow Telemetry
+        uses: catchpoint/workflow-telemetry-action@v2
+        with:
+          comment_on_pr: false
+
+      - uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v31
+        with:
+          extra_nix_config: |
+            experimental-features = nix-command flakes
+
+      - name: Setup Cachix (optional binary cache)
+        uses: cachix/cachix-action@v13
+        with:
+          name: clementine-cli
+          skipPush: true
+        continue-on-error: true
+
+      - name: Build ${{ matrix.platform }}
+        run: |
+          echo "Building ${{ matrix.platform }} to verify documented hash..."
+          nix build .#${{ matrix.platform }}
+          echo "Build complete"
+
+      - name: Upload binary artifact
+        if: success()
+        uses: actions/upload-artifact@v4
+        with:
+          name: clementine-cli-${{ matrix.platform }}
+          path: result/bin/*
+          retention-days: 7
+
+      - name: Verify documented hash for ${{ matrix.platform }}
+        run: |
+          ACTUAL_HASH=$(nix hash path ./result)
+
+          # Extract documented hash from reproducible-builds.md
+          # Platform names are in bold (**platform**) in the markdown table
+          # Table format: | **platform** | `hash` |
+          DOCUMENTED_HASH=$(grep "\*\*${{ matrix.platform }}\*\*" docs/reproducible-builds.md | sed 's/.*`\(sha256-[^`]*\)`.*/\1/')
+
+          echo "Platform: ${{ matrix.platform }}"
+          echo "Documented hash: $DOCUMENTED_HASH"
+          echo "Actual hash:     $ACTUAL_HASH"
+          echo ""
+
+          if [ -z "$DOCUMENTED_HASH" ]; then
+            echo "ERROR: No documented hash found for ${{ matrix.platform }}"
+            echo "Please add the hash to docs/reproducible-builds.md Expected Hashes table:"
+            echo "  $ACTUAL_HASH"
+            exit 1
+          elif [ "$DOCUMENTED_HASH" != "$ACTUAL_HASH" ]; then
+            echo "ERROR: Documented hash does not match actual build hash!"
+            echo "The hash in docs/reproducible-builds.md is outdated."
+            echo ""
+            echo "Please update docs/reproducible-builds.md with the new hash:"
+            echo "  Platform: ${{ matrix.platform }}"
+            echo "  Old hash: $DOCUMENTED_HASH"
+            echo "  New hash: $ACTUAL_HASH"
+            exit 1
+          else
+            echo "OK: Documented hash matches actual build for ${{ matrix.platform }}"
+          fi
+
+  build-summary:
@@ -1,4 +1,6 @@
 name: Reproducible Builds Verification
+permissions:
+  contents: read
 # Platform coverage:
 # - Linux: x86_64, ARM64 (aarch64), Windows cross-compile (via Nix)
@@ -1,4 +1,6 @@
 name: Reproducible Builds Verification
+permissions:
+  contents: read

 # Platform coverage:
 # - Linux: x86_64, ARM64 (aarch64), Windows cross-compile (via Nix)
+    name: Build Summary
+    runs-on: ubuntu-latest
+    needs: [verify-reproducibility-windows, verify-hash-documentation-linux, verify-hash-documentation-macos]
+    if: always()
+
+    steps:
+      - name: Check results
+        run: |
+          WINDOWS_RESULT="${{ needs.verify-reproducibility-windows.result }}"
+          DOCS_LINUX_RESULT="${{ needs.verify-hash-documentation-linux.result }}"
+          DOCS_MACOS_RESULT="${{ needs.verify-hash-documentation-macos.result }}"
+
+          echo "Build Results Summary:"
+          echo "  Windows (native):                 $WINDOWS_RESULT"
+          echo "  Nix Builds & Docs (Linux/Win):  $DOCS_LINUX_RESULT"
+          echo "  Nix Builds & Docs (macOS):      $DOCS_MACOS_RESULT"
+          echo ""
+
+          # All jobs must succeed
+          if [ "$WINDOWS_RESULT" = "success" ] && [ "$DOCS_LINUX_RESULT" = "success" ] && [ "$DOCS_MACOS_RESULT" = "success" ]; then
+            echo "OK: All verifications passed!"
+            echo ""
+            echo "Reproducible builds completed and verified:"
+            echo "  - Windows (x86_64-pc-windows-msvc) native via cargo"
+            echo "  - All Nix platforms (Linux, Windows-cross, macOS)"
+            echo ""
+            echo "Documentation verified:"
+            echo "  - All platform hashes match docs/reproducible-builds.md"
+            exit 0
+          else
+            echo "ERROR: Verification failed on one or more checks"
+            echo ""
+            if [ "$DOCS_LINUX_RESULT" != "success" ] || [ "$DOCS_MACOS_RESULT" != "success" ]; then
+              echo "    Documentation hash mismatch detected!"
+              echo "    This means the code/dependencies changed and docs need updating."
+              echo "    Please update docs/reproducible-builds.md with new hashes."
+              echo ""
+            fi
+            echo "Check the individual job logs for details"
+            exit 1
+          fi
@@ -1,4 +1,6 @@
 name: Reproducible Builds Verification
+permissions:
+  contents: read
 # Platform coverage:
 # - Linux: x86_64, ARM64 (aarch64), Windows cross-compile (via Nix)
@@ -1,4 +1,6 @@
 name: Reproducible Builds Verification
+permissions:
+  contents: read

 # Platform coverage:
 # - Linux: x86_64, ARM64 (aarch64), Windows cross-compile (via Nix)
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,7 @@
 /target
 ./bridge_cli_config.toml
+
+# Nix build artifacts
+result
+result-*
+.direnv