Codex's release gate (96fc1d3) had the right idea but two issues that the
verified gates (sh -n / prettier / git diff) structurally could not catch,
because none exercise the BUILD_CHANNEL=release path:
1. Blocker: check_release_gate was *called* at line ~105 but *defined* (and its
resolve_* dependencies defined) far below. In POSIX sh that's a call before
definition — with `set -e`, a release build aborted at exit 127
("check_release_gate: not found") before the gate ran. Moved the invocation
into the preflight section, after all helpers are defined.
2. Unsatisfiable + asymmetric: the gate required clawdie-ai to be on a vX.Y.Z
tag, but clawdie-ai has no v-tag and is being pruned — so release was
impossible. Replaced with reproducibility-by-record: every staged source
(clawdie-iso, clawdie-ai, colibri, zot) must be a clean, committed tree; the
manifest's recorded commits then fully describe the artifact. A recorded SHA
is as pinned as a tag. Dropped the tag requirement.
Also:
- "clean" now uses `git status --porcelain`, so untracked files (which a
diff-only check misses but which still change the build) fail the gate.
- Factored the repeated resolve+dirty boilerplate into assert_clean_repo.
- New scripts/test-release-gate.sh smoke test: asserts the porcelain semantics
and that the gate is invoked after its definition (guards the exit-127
regression). A 5-line test that the three "verified gates" could not provide.
Checks: sh -n build.sh; sh -n + run scripts/test-release-gate.sh (PASS);
git diff --check.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
42ec7b5ab1