cmd/vendorhash: track vendor SRI in flakehashes.json

Move the headscale vendorHash out of flake.nix into a content-
addressed flakehashes.json maintained by a small Go tool. The
schema and goModFingerprint algorithm mirror upstream tailscale's
tool/updateflakes so a future shared library extraction is trivial.

vendorhash check verifies flakehashes.json against the current
go.mod/go.sum. Hot path is a sha256 over those two files, so
re-runs without input change are essentially free; only an actual
fingerprint drift triggers go mod vendor + nardump.SRI.

vendorhash update recomputes both fields and rewrites the JSON.
The nix-vendor-sri devShell shim now wraps it.
Kristoffer Dalby
2026-04-29 07:59:05 +00:00
parent 980622e9a5
commit e470774f6a
3 changed files with 231 additions and 10 deletions

flakehashes.json Normal file

@@ -0,0 +1,6 @@
{
"vendor": {
"goModSum": "sha256-IE0n9cSqO4XNX4RN+CGBk9VC46iACiZKDFf/215iivk=",
"sri": "sha256-ijEIP9NSomhlWOgsVN7tPvSuvkTiLtnvXvhZmatIDLM="
}
}
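Review bot: the `sri` value in this new file is only recomputed when `goModSum` drifts (the commit message states that the hot path of `vendorhash check` is the sha256 over go.mod/go.sum), so a hand-edited or mis-merged `sri` next to an unchanged `goModSum` would pass the check. Consider having CI force a full recompute of `sri` whenever flakehashes.json itself changes, and documenting alongside the tool that `goModSum` covers both go.mod and go.sum, since the key name does not say so and JSON leaves no room for a comment.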