ci, pre-commit: validate vendor hash via vendorhash check

Replace the grep/awk hash extraction in build.yml with a structured vendorhash check step; the PR review comment now reads expected/ actual values directly from $GITHUB_OUTPUT instead of scraping Nix stderr. Add a prek hook so divergence is caught locally before push.
2026-05-23 18:48:42 +09:00 · 2026-04-29 07:59:19 +00:00
parent e470774f6a
commit 9621a97ebe
2 changed files with 24 additions and 15 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -38,24 +38,19 @@ jobs:
            '**/flake.lock') }}
          restore-prefixes-first-match: nix-${{ runner.os }}-${{ runner.arch }}

-      - name: Run nix build
-        id: build
+      - name: Check vendor hash
+        id: vendorhash
        if: steps.changed-files.outputs.files == 'true'
        run: |
-          nix build |& tee build-result
-          BUILD_STATUS="${PIPESTATUS[0]}"
+          nix develop --command -- go run ./cmd/vendorhash check | tee check-result
+          {
+            grep '^expected_sri=' check-result || true
+            grep '^actual_sri='   check-result || true
+          } >> "$GITHUB_OUTPUT"

-          OLD_HASH=$(cat build-result | grep specified: | awk -F ':' '{print $2}' | sed 's/ //g')
-          NEW_HASH=$(cat build-result | grep got: | awk -F ':' '{print $2}' | sed 's/ //g')
-
-          echo "OLD_HASH=$OLD_HASH" >> $GITHUB_OUTPUT
-          echo "NEW_HASH=$NEW_HASH" >> $GITHUB_OUTPUT
-
-          exit $BUILD_STATUS
-
-      - name: Nix gosum diverging
+      - name: Vendor hash diverging
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
-        if: failure() && steps.build.outcome == 'failure'
+        if: failure() && steps.vendorhash.outcome == 'failure'
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
          script: |
@@ -63,9 +58,13 @@ jobs:
              pull_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
-              body: 'Nix build failed with wrong gosum, please update "vendorSha256" (${{ steps.build.outputs.OLD_HASH }}) for the "headscale" package in flake.nix with the new SHA: ${{ steps.build.outputs.NEW_HASH }}'
+              body: 'Vendor hash in `flakehashes.json` is stale (was `${{ steps.vendorhash.outputs.expected_sri }}`, should be `${{ steps.vendorhash.outputs.actual_sri }}`). Run `go run ./cmd/vendorhash update` and commit the result.'
            })

+      - name: Run nix build
+        if: steps.changed-files.outputs.files == 'true'
+        run: nix build
+
      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        if: steps.changed-files.outputs.files == 'true'
        with:
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -60,3 +60,13 @@ repos:
        language: system
        types: [go]
        pass_filenames: false
+
+      # vendor-hash keeps flakehashes.json in sync with go.mod/go.sum.
+      # Hot path (no input change) is a sha256 over two small files;
+      # only fires `go mod vendor` when the fingerprint actually drifts.
+      - id: vendor-hash
+        name: vendor-hash
+        entry: nix develop --command -- go run ./cmd/vendorhash check
+        language: system
+        files: ^(go\.mod|go\.sum|flakehashes\.json)$
+        pass_filenames: false