From d2beaea52309cab104cd6b58f3c8196452254e65 Mon Sep 17 00:00:00 2001 From: David Anderson Date: Sat, 24 Dec 2022 15:05:40 -0800 Subject: [PATCH] update-flake.sh: tooling to keep Nix SRI hashes in sync. Also fixes the Go toolchain SRI hash from a7f05c6bb0fed3f060435f0828625f705839d56d, it turns out I initialized the file with an SRI hash for an older toolchain version, and because of the unique way fixed-output derivations work in nix, nix didn't tell me about the mismatch because it just cache-hit on the older toolchain and moved on. Sigh. Updates #6845. Signed-off-by: David Anderson --- flake.nix | 7 +++++-- go.toolchain.sri | 2 +- pull-toolchain.sh | 3 ++- shell.nix | 2 +- update-flake.sh | 25 +++++++++++++++++++++++++ 5 files changed, 34 insertions(+), 5 deletions(-) create mode 100755 update-flake.sh diff --git a/flake.nix b/flake.nix index f99946c0d..9b51b6a5b 100644 --- a/flake.nix +++ b/flake.nix @@ -141,14 +141,17 @@ }; devShell = pkgs.mkShell { packages = with upstreamPkgs; [ - pkgs.tailscale_go + curl git - gotools gopls + gotools graphviz + perl + pkgs.tailscale_go ]; }; }; in flake-utils.lib.eachDefaultSystem (system: flakeForSystem nixpkgs system); } +# nix-direnv cache busting line: sha256-imidcDJGVor43PqdTX7Js4/tjQ0JA2E1GdjuyLiPDHI= sha256-+5icFKDHXt3JMbUjLQGes4R+GeUi48xRgGd0yPKVrw0= diff --git a/go.toolchain.sri b/go.toolchain.sri index 8040b4a6f..667b62132 100644 --- a/go.toolchain.sri +++ b/go.toolchain.sri @@ -1 +1 @@ -sha256-BvwZ/90izw0Ip3lh8eNkJvU46LKnOOhEXF0axkBi/Es= +sha256-imidcDJGVor43PqdTX7Js4/tjQ0JA2E1GdjuyLiPDHI= diff --git a/pull-toolchain.sh b/pull-toolchain.sh index f5a19e7d7..8bbf8dbb4 100755 --- a/pull-toolchain.sh +++ b/pull-toolchain.sh 
@@ -9,8 +9,9 @@ upstream=$(git ls-remote https://github.com/tailscale/go "$go_branch" | awk '{pr current=$(cat go.toolchain.rev) if [ "$upstream" != "$current" ]; then echo "$upstream" >go.toolchain.rev + ./update-flake.sh fi -if [ -n "$(git diff-index --name-only HEAD -- go.toolchain.rev)" ]; then +if [ -n "$(git diff-index --name-only HEAD -- go.toolchain.rev go.toolchain.sri go.mod.sri)" ]; then echo "pull-toolchain.sh: changes imported. Use git commit to make them permanent." >&2 fi diff --git a/shell.nix b/shell.nix index a1cdad3eb..a3133a049 100644 --- a/shell.nix +++ b/shell.nix @@ -7,7 +7,6 @@ # Also look into direnv: https://direnv.net/, this can make it so that you can # automatically get your environment set up when you change folders into the # project. - (import ( let lock = builtins.fromJSON (builtins.readFile ./flake.lock); @@ -17,3 +16,4 @@ ) { src = ./.; }).shellNix +# nix-direnv cache busting line: sha256-imidcDJGVor43PqdTX7Js4/tjQ0JA2E1GdjuyLiPDHI= sha256-+5icFKDHXt3JMbUjLQGes4R+GeUi48xRgGd0yPKVrw0= diff --git a/update-flake.sh b/update-flake.sh new file mode 100755 index 000000000..81fd73cc5 --- /dev/null +++ b/update-flake.sh 
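Review bot: In pull-toolchain.sh, `go.toolchain.rev` is overwritten before `./update-flake.sh` runs, so a failed hash update (for example a failed download) leaves the new revision on disk next to the old `go.toolchain.sri`. On the next run `$upstream` equals `$current`, the `if` body is skipped, and the SRI hashes are never regenerated for that revision; the commit message describes how such a stale hash can go unnoticed when Nix gets a cache hit. update-flake.sh reads the rev file, so the write has to come first, but restoring it on failure keeps the pair consistent: `./update-flake.sh || { echo "$current" >go.toolchain.rev; exit 1; }`. The top of the script is outside the hunk, so whether it runs under `set -e` is not visible here.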
@@ -0,0 +1,25 @@
+#!/bin/sh
+# Updates SRI hashes for flake.nix.
+
+set -eu
+
+REV=$(cat go.toolchain.rev)
+
+OUT=$(mktemp -d -t nar-hash-XXXXXX)
+rm -rf $OUT
+
+mkdir $OUT
+curl --silent -L https://github.com/tailscale/go/archive/refs/tags/build-$REV.tar.gz | tar -zx -C $OUT --strip-components 1
+go run tailscale.com/cmd/nardump --sri $OUT >go.toolchain.sri
+rm -rf $OUT
+
+go mod vendor -o $OUT
+go run tailscale.com/cmd/nardump --sri $OUT >go.mod.sri
+rm -rf $OUT
+
+# nix-direnv only watches the top-level nix file for changes. As a
+# result, when we change a referenced SRI file, we have to cause some
+# change to shell.nix and flake.nix as well, so that nix-direnv
+# notices and reevaluates everything. Sigh.
+perl -pi -e "s,# nix-direnv cache busting line:.*,# nix-direnv cache busting line: $(cat go.toolchain.sri) $(cat go.mod.sri)," shell.nix
+perl -pi -e "s,# nix-direnv cache busting line:.*,# nix-direnv cache busting line: $(cat go.toolchain.sri) $(cat go.mod.sri)," flake.nix
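Review bot: The `curl ... | tar` line can hide a failed download: plain `sh` has no `pipefail`, so `set -e` only sees tar's exit status, and without `--fail` an HTTP error body is handed to tar as if it were the archive. Downloading to a temporary file with `--fail` and extracting afterwards stops the script on a bad fetch before anything is hashed into `go.toolchain.sri`. The `>go.toolchain.sri` and `>go.mod.sri` redirects also truncate the pinned hash before `nardump` has succeeded, so writing to a temporary name and renaming on success avoids leaving an empty hash file behind. `$OUT` is unquoted throughout, and the first `rm -rf $OUT` / `mkdir $OUT` pair discards the directory `mktemp -d` had just created, which can simply be used as-is.

```shell
OUT=$(mktemp -d -t nar-hash-XXXXXX)
TARBALL=$(mktemp -t toolchain-XXXXXX)

curl --fail --silent --show-error -L -o "$TARBALL" "https://github.com/tailscale/go/archive/refs/tags/build-$REV.tar.gz"
tar -zx -C "$OUT" --strip-components 1 -f "$TARBALL"
rm -f "$TARBALL"
go run tailscale.com/cmd/nardump --sri "$OUT" >go.toolchain.sri.tmp
mv go.toolchain.sri.tmp go.toolchain.sri
# … go.mod.sri step follows the same write-then-rename pattern; cache-busting lines unchanged …
```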