The repo rule currently fetches Zig’s live index.json, which is convenient but makes behavior depend on mutable upstream metadata.
Current code:
zig/private/zig_repository.bzlzig/extensions.bzl
Tasks:
- Decide whether live index lookup remains supported, or whether releases should pin version metadata in-repo.
- Add a stable metadata source for known Zig versions/platforms.
- Document the upgrade workflow for adding a new Zig release.
- Ensure sha256 verification is mandatory for all downloaded archives.
Acceptance criteria:
- Toolchain resolution is reproducible for a pinned
zig_version.
- The process for adding new Zig versions is documented.
- Downloaded toolchains always verify checksums.
Parent issue: #2
The repo rule currently fetches Zig’s live
index.json, which is convenient but makes behavior depend on mutable upstream metadata.Current code:
zig/private/zig_repository.bzlzig/extensions.bzlTasks:
Acceptance criteria:
zig_version.Parent issue: #2