update-flake.sh: tooling to keep Nix SRI hashes in sync.

Also fixes the Go toolchain SRI hash from a7f05c6bb0. It turns out
I initialized the file with an SRI hash for an older
toolchain version, and because of the unique way fixed-output derivations
work in nix, nix didn't tell me about the mismatch because it just
cache-hit on the older toolchain and moved on. Sigh.

Updates #6845.

Signed-off-by: David Anderson <danderson@tailscale.com>
pull/6847/head
David Anderson 2 years ago committed by Dave Anderson
parent 3599364312
commit d2beaea523

@ -141,14 +141,17 @@
}; };
devShell = pkgs.mkShell { devShell = pkgs.mkShell {
packages = with upstreamPkgs; [ packages = with upstreamPkgs; [
pkgs.tailscale_go curl
git git
gotools
gopls gopls
gotools
graphviz graphviz
perl
pkgs.tailscale_go
]; ];
}; };
}; };
in in
flake-utils.lib.eachDefaultSystem (system: flakeForSystem nixpkgs system); flake-utils.lib.eachDefaultSystem (system: flakeForSystem nixpkgs system);
} }
# nix-direnv cache busting line: sha256-imidcDJGVor43PqdTX7Js4/tjQ0JA2E1GdjuyLiPDHI= sha256-+5icFKDHXt3JMbUjLQGes4R+GeUi48xRgGd0yPKVrw0=

@ -1 +1 @@
sha256-BvwZ/90izw0Ip3lh8eNkJvU46LKnOOhEXF0axkBi/Es= sha256-imidcDJGVor43PqdTX7Js4/tjQ0JA2E1GdjuyLiPDHI=

@ -9,8 +9,9 @@ upstream=$(git ls-remote https://github.com/tailscale/go "$go_branch" | awk '{pr
current=$(cat go.toolchain.rev) current=$(cat go.toolchain.rev)
if [ "$upstream" != "$current" ]; then if [ "$upstream" != "$current" ]; then
echo "$upstream" >go.toolchain.rev echo "$upstream" >go.toolchain.rev
./update-flake.sh
fi fi
if [ -n "$(git diff-index --name-only HEAD -- go.toolchain.rev)" ]; then if [ -n "$(git diff-index --name-only HEAD -- go.toolchain.rev go.toolchain.sri go.mod.sri)" ]; then
echo "pull-toolchain.sh: changes imported. Use git commit to make them permanent." >&2 echo "pull-toolchain.sh: changes imported. Use git commit to make them permanent." >&2
fi fi
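Review bot: Nothing visible in this hunk rejects an empty `$upstream` before the new `./update-flake.sh` call. If `git ls-remote` fails or matches no ref, the pipeline's status is awk's, so `upstream` is empty, differs from `$current`, and an empty rev is written to go.toolchain.rev and then used to regenerate the SRI files. A guard before the comparison would stop that, for example `[ -n "$upstream" ] || { echo "pull-toolchain.sh: no upstream rev found" >&2; exit 1; }`. The lines above the hunk are not shown, so confirm that such a check is not already there.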

@ -7,7 +7,6 @@
# Also look into direnv: https://direnv.net/, this can make it so that you can # Also look into direnv: https://direnv.net/, this can make it so that you can
# automatically get your environment set up when you change folders into the # automatically get your environment set up when you change folders into the
# project. # project.
(import ( (import (
let let
lock = builtins.fromJSON (builtins.readFile ./flake.lock); lock = builtins.fromJSON (builtins.readFile ./flake.lock);
@ -17,3 +16,4 @@
) { ) {
src = ./.; src = ./.;
}).shellNix }).shellNix
# nix-direnv cache busting line: sha256-imidcDJGVor43PqdTX7Js4/tjQ0JA2E1GdjuyLiPDHI= sha256-+5icFKDHXt3JMbUjLQGes4R+GeUi48xRgGd0yPKVrw0=

@ -0,0 +1,25 @@
#!/bin/sh
# Updates SRI hashes for flake.nix.
set -eu
REV=$(cat go.toolchain.rev)
OUT=$(mktemp -d -t nar-hash-XXXXXX)
rm -rf $OUT
mkdir $OUT
curl --silent -L https://github.com/tailscale/go/archive/refs/tags/build-$REV.tar.gz | tar -zx -C $OUT --strip-components 1
go run tailscale.com/cmd/nardump --sri $OUT >go.toolchain.sri
rm -rf $OUT
go mod vendor -o $OUT
go run tailscale.com/cmd/nardump --sri $OUT >go.mod.sri
rm -rf $OUT
# nix-direnv only watches the top-level nix file for changes. As a
# result, when we change a referenced SRI file, we have to cause some
# change to shell.nix and flake.nix as well, so that nix-direnv
# notices and reevaluates everything. Sigh.
perl -pi -e "s,# nix-direnv cache busting line:.*,# nix-direnv cache busting line: $(cat go.toolchain.sri) $(cat go.mod.sri)," shell.nix
perl -pi -e "s,# nix-direnv cache busting line:.*,# nix-direnv cache busting line: $(cat go.toolchain.sri) $(cat go.mod.sri)," flake.nix
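Review bot: The temporary-directory handling throws away what `mktemp -d` provides. `rm -rf $OUT` followed by `mkdir $OUT`, and later `go mod vendor -o $OUT` after another `rm -rf`, recreate an already-known path in the shared temp directory, and `$OUT` is unquoted everywhere. There is also no `trap`, so an abort under `set -eu` leaves the directory behind, and `>go.toolchain.sri` / `>go.mod.sri` truncate the tracked files before nardump has succeeded. I would keep one mktemp directory for the whole run, work in subdirectories of it, write each hash to a file inside it and `mv` it into place only on success. Adding `--fail` to curl is also worthwhile, so that an HTTP error is reported by curl itself rather than only surfacing when tar rejects the response.

```sh
set -eu
REV=$(cat go.toolchain.rev)
OUT=$(mktemp -d -t nar-hash-XXXXXX)
trap 'rm -rf "$OUT"' EXIT

mkdir "$OUT/toolchain"
curl --fail --silent --show-error -L "https://github.com/tailscale/go/archive/refs/tags/build-$REV.tar.gz" | tar -zx -C "$OUT/toolchain" --strip-components 1
go run tailscale.com/cmd/nardump --sri "$OUT/toolchain" >"$OUT/go.toolchain.sri"
mv "$OUT/go.toolchain.sri" go.toolchain.sri

go mod vendor -o "$OUT/vendor"
go run tailscale.com/cmd/nardump --sri "$OUT/vendor" >"$OUT/go.mod.sri"
mv "$OUT/go.mod.sri" go.mod.sri
# … unchanged: nix-direnv cache busting comment and the two perl substitutions …
```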