In Fedimint we have developed a quite neat way to embedded verision hashes in all the binaries.
It works both for builds in a local dev shell and in the build artifacts produced as Nix flake outputs. It does not unnecessarily invalidate the Nix derivations.
I'm not saying it's perfect, but it works great for us. If you have ideas for any improvements, please let me know.
It starts with a fedimint-build library that is called by build.rs scripts of cargo packages producing end-user binaries.
Inside it detects the git hash from the local git repo (or uses value forced via env variable) and defines a build-time environment
variable for the Rust code so it can use it as it sees fit - show in clap etc. This on it own works for local dev builds.
For Nix flake output we build on top of it by building all Rust code forcing a placeholder value,
and then replace it with Nix-flake provided one using bbe
as very last build step (derivation).
And that's it. I hope this is clear enough to allow you to reproduce it.