fix(docker): pin submodule SHAs so deploy builds match committed sources #13

Merged: hardyjosh merged 1 commit into main from fix/pin-dockerfile-submodule-shas on Jun 1, 2026

hardyjosh (Contributor) commented Jun 1, 2026

`fly deploy` started failing this week because the Dockerfile cloned
`rain.math.float` via `git submodule add` (always HEAD of upstream main).
Upstream bumped `wasm-bindgen` past our pinned `=0.2.100`:

  rain-math-float v0.1.7 -> wasm-bindgen ^0.2.122
  st0x-oracle-server     -> wasm-bindgen =0.2.100

Cargo resolves the conflict by failing the build. Local builds were fine
because we use the working-tree submodule pointer (currently 1cf3969 =
v0.1.0), but the Docker build saw a totally different source tree on
every run.

Pin both submodules' SHAs as Dockerfile ARGs and `git checkout` them
explicitly after the initial clone, then recursively init nested
submodules. SHAs match what's in the working tree right now, which is
what Cargo.lock was resolved against.

Verified by running `docker build -t oracle-test .` end-to-end: pulls
`rain-math-float v0.1.0` (correct) and the final image compiles.

When the submodules need updating, bump the two ARGs in lockstep with
the working-tree pointers.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Summary by CodeRabbit

  • Chores
    • Improved Docker build configuration to explicitly pin dependency submodule versions using build arguments, preventing potential version mismatches between build artifacts and dependency specifications.

coderabbitai Bot commented Jun 1, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 991dd0a and 5d4eed9.

📒 Files selected for processing (1)
  • Dockerfile

Walkthrough

The Dockerfile builder stage now pins Git submodule checkouts to specific commit SHAs provided as build-time arguments, replacing the previous unpinned git submodule add that tracked upstream HEAD. The change adds RAIN_MATH_FLOAT_SHA and RAIN_WASM_SHA ARGs with explicit checkout and recursive update steps, and includes comments explaining how unpinned submodules cause lockfile mismatches.

Changes

Pinned Submodule Checkouts

  • Layer / File(s): Pinned submodule checkout with SHAs (Dockerfile)
  • Summary: Builder stage adds RAIN_MATH_FLOAT_SHA and RAIN_WASM_SHA ARGs, then updates submodule initialization to checkout each submodule at the pinned commit and run recursive updates; includes comments explaining lockfile/workspace mismatch prevention.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A Docker builds with submodules pinned,
No more surprises from upstream winds,
SHAs locked in place, both math and wasm flow,
Deterministic now, from build to repo!

🚥 Pre-merge checks | ✅ 5 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'fix(docker): pin submodule SHAs so deploy builds match committed sources' directly and clearly describes the main change: pinning Docker submodule SHAs to ensure consistent builds. It accurately summarizes the primary objective of the changeset.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

@hardyjosh hardyjosh merged commit 31a8a8e into main Jun 1, 2026
4 checks passed
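
The lockstep rule at the end of the PR description can be checked mechanically in CI. The shell check below is an added example, not code from this PR or repository: it compares each Dockerfile `ARG` pin with the submodule commit (gitlink) listed in saved `git ls-tree -r HEAD` output, and rejects any pin that is not a full 40-hex SHA. The ARG names are the ones named in the walkthrough; the submodule paths, sample SHAs and function names are assumptions.

```shell
# Added example (not from the PR): fail CI when a Dockerfile ARG pin drifts
# from the submodule commit (gitlink) recorded in the repository.
# ARG names are from the PR; the submodule paths are hypothetical.
PIN_MAP='RAIN_MATH_FLOAT_SHA=lib/rain.math.float
RAIN_WASM_SHA=lib/rain.wasm'

# Default value of `ARG <name>=<value>` in a Dockerfile ($1=file, $2=name).
dockerfile_arg() {
  awk -v name="$2" '$1 == "ARG" { split($2, kv, "="); gsub(/"/, "", kv[2])
    if (kv[1] == name) { print kv[2]; exit } }' "$1"
}

# Commit a gitlink (mode 160000) points at, read from saved
# `git ls-tree -r HEAD` output ($1=listing, $2=path).
gitlink_sha() {
  awk -F'\t' -v path="$2" '$2 == path { split($1, m, " ")
    if (m[1] == "160000") { print m[3]; exit } }' "$1"
}

# Return 0 only if every pin is a full 40-hex SHA equal to its gitlink.
check_pins() {  # $1=Dockerfile, $2=ls-tree listing
  rc=0
  while IFS='=' read -r name sub; do
    pinned=$(dockerfile_arg "$1" "$name")
    recorded=$(gitlink_sha "$2" "$sub")
    if ! printf '%s\n' "$pinned" | grep -Eq '^[0-9a-f]{40}$'; then
      echo "FAIL $name: '$pinned' is not a full commit SHA"; rc=1
    elif [ "$pinned" != "$recorded" ]; then
      echo "FAIL $name: pinned $pinned, $sub is at ${recorded:-<missing>}"; rc=1
    else
      echo "ok   $name = $sub @ $pinned"
    fi
  done <<EOF
$PIN_MAP
EOF
  return $rc
}

# Constructed sample: first pin matches its gitlink, second has drifted.
make_sample() {  # $1=directory
  a=1111111111111111111111111111111111111111; b=2222222222222222222222222222222222222222
  printf '160000 commit %s\tlib/rain.math.float\n160000 commit %s\tlib/rain.wasm\n' \
    "$a" "$b" > "$1/tree.txt"
  printf 'FROM scratch\nARG RAIN_MATH_FLOAT_SHA=%s\nARG RAIN_WASM_SHA=%s\n' \
    "$a" "$a" > "$1/Dockerfile"
}

tmp=$(mktemp -d) && make_sample "$tmp"
check_pins "$tmp/Dockerfile" "$tmp/tree.txt" || echo "drift detected"
```

In a real checkout, run `git ls-tree -r HEAD > tree.txt` and then `check_pins Dockerfile tree.txt` as a CI step, with `PIN_MAP` set to the repository's actual submodule paths.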