From 9621a97ebe47490bd27e535aa5d21f12f0bc2a15 Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Wed, 29 Apr 2026 07:59:19 +0000
Subject: [PATCH] ci, pre-commit: validate vendor hash via vendorhash check

Replace the grep/awk hash extraction in build.yml with a structured vendorhash check step; the PR review comment now reads expected/ actual values directly from $GITHUB_OUTPUT instead of scraping Nix stderr. Add a prek hook so divergence is caught locally before push.
---
 .github/workflows/build.yml | 29 ++++++++++++++---------------
 .pre-commit-config.yaml | 10 ++++++++++
 2 files changed, 24 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 594829f9..2c07660d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -38,24 +38,19 @@ jobs:
 '**/flake.lock') }}
 restore-prefixes-first-match: nix-${{ runner.os }}-${{ runner.arch }}
 
- - name: Run nix build
- id: build
+ - name: Check vendor hash
+ id: vendorhash
 if: steps.changed-files.outputs.files == 'true'
 run: |
- nix build |& tee build-result
- BUILD_STATUS="${PIPESTATUS[0]}"
+ nix develop --command -- go run ./cmd/vendorhash check | tee check-result
+ {
+ grep '^expected_sri=' check-result || true
+ grep '^actual_sri=' check-result || true
+ } >> "$GITHUB_OUTPUT"
 
- OLD_HASH=$(cat build-result | grep specified: | awk -F ':' '{print $2}' | sed 's/ //g')
- NEW_HASH=$(cat build-result | grep got: | awk -F ':' '{print $2}' | sed 's/ //g')
-
- echo "OLD_HASH=$OLD_HASH" >> $GITHUB_OUTPUT
- echo "NEW_HASH=$NEW_HASH" >> $GITHUB_OUTPUT
-
- exit $BUILD_STATUS
-
- - name: Nix gosum diverging
+ - name: Vendor hash diverging
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
- if: failure() && steps.build.outcome == 'failure'
+ if: failure() && steps.vendorhash.outcome == 'failure'
 with:
 github-token: ${{secrets.GITHUB_TOKEN}}
 script: |
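Review bot: The pipe `nix develop --command -- go run ./cmd/vendorhash check | tee check-result` loses the check's exit status: with the step's default shell (`bash -e {0}`, which has no `pipefail` unless `shell: bash` or a `defaults.run.shell` is set somewhere outside this hunk) the step's result is tee's, so a stale hash no longer fails the step and the `steps.vendorhash.outcome == 'failure'` gate on the comment step never fires. The removed lines handled exactly this with `BUILD_STATUS="${PIPESTATUS[0]}"` and `exit $BUILD_STATUS`, and the new block drops that without a replacement. Add `set -o pipefail` as the first line of the `run:` block (or `shell: bash` on the step) so the exit code propagates. The `|| true` guards on the two greps then stay harmless: if the tool's output format changes they only yield an empty value in the review comment rather than a failed step.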
@@ -63,9 +58,13 @@ jobs:
 pull_number: context.issue.number,
 owner: context.repo.owner,
 repo: context.repo.repo,
- body: 'Nix build failed with wrong gosum, please update "vendorSha256" (${{ steps.build.outputs.OLD_HASH }}) for the "headscale" package in flake.nix with the new SHA: ${{ steps.build.outputs.NEW_HASH }}'
+ body: 'Vendor hash in `flakehashes.json` is stale (was `${{ steps.vendorhash.outputs.expected_sri }}`, should be `${{ steps.vendorhash.outputs.actual_sri }}`). Run `go run ./cmd/vendorhash update` and commit the result.'
 })
 
+ - name: Run nix build
+ if: steps.changed-files.outputs.files == 'true'
+ run: nix build
+
 - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
 if: steps.changed-files.outputs.files == 'true'
 with:
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a7d8c5b8..27432200 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -60,3 +60,13 @@ repos:
 language: system
 types: [go]
 pass_filenames: false
+
+ # vendor-hash keeps flakehashes.json in sync with go.mod/go.sum.
+ # Hot path (no input change) is a sha256 over two small files;
+ # only fires `go mod vendor` when the fingerprint actually drifts.
+ - id: vendor-hash
+ name: vendor-hash
+ entry: nix develop --command -- go run ./cmd/vendorhash check
+ language: system
+ files: ^(go\.mod|go\.sum|flakehashes\.json)$
+ pass_filenames: false
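Review bot: The new `body:` line splices `steps.vendorhash.outputs.expected_sri` and `actual_sri` into a single-quoted JavaScript string through `${{ }}`; those values are whatever lines the PR's own checkout of `./cmd/vendorhash` printed, so a value containing `'` breaks the script, and since the script runs with `secrets.GITHUB_TOKEN` this is the pattern GitHub's hardening guidance says to avoid (the removed line had the same shape, so it is not a regression, just the moment to fix it). Pass the two values through the step's `env:` instead, e.g. `EXPECTED_SRI: ${{ steps.vendorhash.outputs.expected_sri }}`, and build `body` from `process.env.EXPECTED_SRI` / `process.env.ACTUAL_SRI` in a template literal inside the script. The step header and `with:` block this attaches to are in the previous hunk, not here. The added `Run nix build` step is ordered after the comment step, which is consistent with the `failure()` gate on it.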
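Review bot: The added comment says the hook "keeps flakehashes.json in sync" and "fires `go mod vendor`", but the `entry:` runs `vendorhash check`, which in the CI hunk exits non-zero on divergence and prints `expected_sri=`/`actual_sri=` lines; what `check` does internally when the fingerprint has drifted is not visible here, and a contributor reading the comment will expect the hook to repair the file rather than block the commit. Reword it to the hook's observable contract, e.g. `# vendor-hash fails the commit when flakehashes.json no longer matches go.mod/go.sum;` followed by `# fix with: go run ./cmd/vendorhash update`. Since `language: system` hands the entry to the host shell, the hook also silently requires a working `nix` on every contributor's machine, which is worth one more line in the same comment.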