build(vulkan-smoke): embed compiled artifact provenance

apps/fparkan-vulkan-smoke/Cargo.toml

@@ -4,6 +4,7 @@ version.workspace = true
 edition.workspace = true
 license.workspace = true
 repository.workspace = true
+build = "build.rs"
 
 [dependencies]
 fparkan-platform = { path = "../../crates/fparkan-platform" }

apps/fparkan-vulkan-smoke/build.rs

@@ -0,0 +1,88 @@
+//! Build-time provenance for native smoke artifacts.
+
+use std::env;
+use std::path::{Path, PathBuf};
+use std::process::Command;
+
+fn main() {
+    println!("cargo:rerun-if-env-changed=TARGET");
+    println!("cargo:rerun-if-env-changed=GITHUB_SHA");
+    println!("cargo:rerun-if-env-changed=SOURCE_VERSION");
+    println!("cargo:rerun-if-env-changed=BUILD_VCS_NUMBER");
+
+    if let Ok(target) = env::var("TARGET") {
+        println!("cargo:rustc-env=FPARKAN_BUILD_TARGET_TRIPLE={target}");
+    }
+
+    let workspace_root =
+        PathBuf::from(env::var("CARGO_MANIFEST_DIR").expect("manifest dir")).join("../..");
+    if let Some(git_dir) = git_dir(&workspace_root) {
+        emit_git_rerun_hints(&git_dir);
+    }
+
+    if let Some(commit_sha) = env_commit_sha().or_else(|| git_head_commit_sha(&workspace_root)) {
+        println!("cargo:rustc-env=FPARKAN_BUILD_COMMIT_SHA={commit_sha}");
+    }
+}
+
+fn env_commit_sha() -> Option<String> {
+    ["GITHUB_SHA", "SOURCE_VERSION", "BUILD_VCS_NUMBER"]
+        .into_iter()
+        .filter_map(|name| env::var(name).ok())
+        .find(|value| is_commit_sha(value))
+}
+
+fn git_head_commit_sha(workspace_root: &Path) -> Option<String> {
+    let output = Command::new("git")
+        .args(["-C"])
+        .arg(workspace_root)
+        .args(["rev-parse", "HEAD"])
+        .output()
+        .ok()?;
+    if !output.status.success() {
+        return None;
+    }
+    let value = String::from_utf8(output.stdout).ok()?;
+    let value = value.trim().to_string();
+    is_commit_sha(&value).then_some(value)
+}
+
+fn git_dir(workspace_root: &Path) -> Option<PathBuf> {
+    let output = Command::new("git")
+        .args(["-C"])
+        .arg(workspace_root)
+        .args(["rev-parse", "--git-dir"])
+        .output()
+        .ok()?;
+    if !output.status.success() {
+        return None;
+    }
+    let value = String::from_utf8(output.stdout).ok()?;
+    let value = value.trim();
+    (!value.is_empty()).then(|| workspace_root.join(value))
+}
+
+fn emit_git_rerun_hints(git_dir: &Path) {
+    let head = git_dir.join("HEAD");
+    println!("cargo:rerun-if-changed={}", head.display());
+    println!(
+        "cargo:rerun-if-changed={}",
+        git_dir.join("packed-refs").display()
+    );
+    let Some(reference) = std::fs::read_to_string(&head).ok().and_then(|value| {
+        value
+            .strip_prefix("ref: ")
+            .map(str::trim)
+            .map(ToOwned::to_owned)
+    }) else {
+        return;
+    };
+    println!(
+        "cargo:rerun-if-changed={}",
+        git_dir.join(reference).display()
+    );
+}
+
+fn is_commit_sha(value: &str) -> bool {
+    value.len() == 40 && value.chars().all(|ch| ch.is_ascii_hexdigit())
+}

apps/fparkan-vulkan-smoke/src/main.rs

@@ -197,12 +197,12 @@ impl SmokeApp {
         );
         let smoke_report = SmokeReport {
             schema_version: SCHEMA_VERSION,
-            commit_sha: current_git_commit_sha(),
+            commit_sha: compiled_commit_sha(),
             git_dirty: current_git_dirty(),
             runner_identity: measured_runner_identity(),
             runner_architecture: actual_architecture(),
             rust_toolchain: current_rustc_release(),
-            target_triple: current_rustc_host_triple(),
+            target_triple: compiled_target_triple(),
             platform: actual_platform(),
             status,
             failure_reason,
@@ -541,7 +541,13 @@ fn actual_architecture() -> &'static str {
     }
 }
 
-fn current_git_commit_sha() -> String {
+fn compiled_commit_sha() -> String {
+    option_env!("FPARKAN_BUILD_COMMIT_SHA")
+        .filter(|value| is_commit_sha(value))
+        .map_or_else(runtime_git_commit_sha, ToString::to_string)
+}
+
+fn runtime_git_commit_sha() -> String {
     Command::new("git")
         .args(["rev-parse", "HEAD"])
         .output()
@@ -549,7 +555,7 @@ fn current_git_commit_sha() -> String {
         .filter(|output| output.status.success())
         .and_then(|output| String::from_utf8(output.stdout).ok())
         .map(|value| value.trim().to_string())
-        .filter(|value| value.len() == 40 && value.chars().all(|ch| ch.is_ascii_hexdigit()))
+        .filter(|value| is_commit_sha(value))
         .unwrap_or_else(|| "unknown".to_string())
 }
 
@@ -578,6 +584,12 @@ fn current_rustc_release() -> String {
         .unwrap_or_else(|| "unknown".to_string())
 }
 
+fn compiled_target_triple() -> String {
+    option_env!("FPARKAN_BUILD_TARGET_TRIPLE")
+        .filter(|value| !value.trim().is_empty())
+        .map_or_else(current_rustc_host_triple, ToString::to_string)
+}
+
 fn measured_runner_identity() -> String {
     if std::env::var_os("GITHUB_ACTIONS").is_some() {
         let run_id = std::env::var("GITHUB_RUN_ID").unwrap_or_else(|_| "unknown-run".to_string());
@@ -608,6 +620,10 @@ fn current_rustc_host_triple() -> String {
         .unwrap_or_else(|| "unknown".to_string())
 }
 
+fn is_commit_sha(value: &str) -> bool {
+    value.len() == 40 && value.chars().all(|ch| ch.is_ascii_hexdigit())
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -697,6 +713,17 @@ mod tests {
         }
     }
 
+    #[test]
+    fn commit_sha_validation_accepts_hex_head() {
+        assert!(is_commit_sha("0123456789abcdef0123456789abcdef01234567"));
+    }
+
+    #[test]
+    fn commit_sha_validation_rejects_non_hex_or_wrong_length() {
+        assert!(!is_commit_sha("0123456789abcdef0123456789abcdef0123456"));
+        assert!(!is_commit_sha("zz23456789abcdef0123456789abcdef01234567"));
+    }
+
     #[test]
     fn smoke_report_json_contains_expected_fields() {
         let json = serde_json::to_string_pretty(&SmokeReport {