go.toolchain.rev: use new statically built toolchain

Also removes the toolchain builds from flake.nix. For now the flake
build uses upstream Go 1.20, a followup change will switch it back to
our custom toolchain.

Updates tailscale/corp#9005

Signed-off-by: David Anderson <danderson@tailscale.com>

cmd/printdep/printdep.go

@@ -18,7 +18,6 @@ import (
 var (
 	goToolchain    = flag.Bool("go", false, "print the supported Go toolchain git hash (a github.com/tailscale/go commit)")
 	goToolchainURL = flag.Bool("go-url", false, "print the URL to the tarball of the Tailscale Go toolchain")
-	goToolchainSRI = flag.Bool("go-sri", false, "print the SRI hash of the Tailscale Go toolchain")
 	alpine         = flag.Bool("alpine", false, "print the tag of alpine docker image")
 )
 
@@ -48,7 +47,4 @@ func main() {
 		}
 		fmt.Printf("https://github.com/tailscale/go/releases/download/build-%s/%s%s.tar.gz\n", strings.TrimSpace(ts.GoToolchainRev), runtime.GOOS, suffix)
 	}
-	if *goToolchainSRI {
-		fmt.Println(strings.TrimSpace(ts.GoToolchainSRI))
-	}
 }

flake.nix

@@ -49,44 +49,6 @@
     # doesn't build any software.
     fileContents = nixpkgs.legacyPackages.x86_64-linux.lib.fileContents;
 
-    tailscale-go-rev = fileContents ./go.toolchain.rev;
-    tailscale-go-sri = fileContents ./go.toolchain.sri;
-
-    # pkgsWithTailscaleGo takes a nixpkgs package set, and replaces
-    # its Go 1.19 compiler with tailscale's fork.
-    #
-    # We need to do this because the buildGoModule helper function is
-    # constructed with legacy nix imports, so we cannot construct a
-    # buildGoModule variant that uses tailscale's toolchain. Instead,
-    # we have to replace the toolchain in nixpkgs, and let lazy
-    # evaluation propagate it into the nixpkgs instance of
-    # buildGoModule.
-    #
-    # This is a bit roundabout, but there doesn't seem to be a more
-    # elegant way of resolving the impedance mismatch between legacy
-    # nixpkgs style imports and flake semantics, unless upstream
-    # nixpkgs exposes the buildGoModule constructor func explicitly.
-    pkgsWithTailscaleGo = pkgs: pkgs.extend (final: prev: rec {
-      tailscale_go = prev.lib.overrideDerivation prev.go_1_20 (attrs: rec {
-        name = "tailscale-go-${version}";
-        version = tailscale-go-rev;
-        src = pkgs.fetchFromGitHub {
-          owner = "tailscale";
-          repo = "go";
-          rev = tailscale-go-rev;
-          sha256 = tailscale-go-sri;
-        };
-        nativeBuildInputs = attrs.nativeBuildInputs ++ [ pkgs.git ];
-		    # Remove dependency on xcbuild as that causes iOS/macOS builds to fail.
-        propagatedBuildInputs = [];
-        checkPhase = "";
-        TAILSCALE_TOOLCHAIN_REV = tailscale-go-rev;
-      });
-      # Override go_1_20 so that buildGo120Module below uses
-      # tailscale's toolchain as well.
-      go_1_20 = tailscale_go;
-    });
-
     # tailscaleRev is the git commit at which this flake was imported,
     # or the empty string when building from a local checkout of the
     # tailscale repo.
@@ -100,7 +62,7 @@
     # specify vendorSha256, and that sha changes any time we alter
     # go.mod. We don't want to force a nix dependency on everyone
     # hacking on Tailscale, so this flake is likely to have broken
-    # builds periodically until somoene comes through and manually
+    # builds periodically until someone comes through and manually
     # fixes them up. I sure wish there was a way to express "please
     # just trust the local go.mod, vendorSha256 has no benefit here",
     # but alas.
@@ -131,27 +93,25 @@
     # OS/CPU combos that nix supports, as well as a dev shell so that
     # "nix develop" and "nix-shell" give you a dev env.
     flakeForSystem = nixpkgs: system: let
-      upstreamPkgs = nixpkgs.legacyPackages.${system};
+      pkgs = nixpkgs.legacyPackages.${system};
-      pkgs = pkgsWithTailscaleGo upstreamPkgs;
       ts = tailscale pkgs;
     in {
       packages = {
-        tailscale-go = pkgs.tailscale-go;
         tailscale = ts;
       };
       devShell = pkgs.mkShell {
-        packages = with upstreamPkgs; [
+        packages = with pkgs; [
           curl
           git
           gopls
           gotools
           graphviz
           perl
-          pkgs.tailscale_go
+          go_1_20
         ];
       };
     };
   in
     flake-utils.lib.eachDefaultSystem (system: flakeForSystem nixpkgs system);
 }
-# nix-direnv cache busting line: sha256-afcuo/pcLnfFHYTViYi8rPM0ovnUuawuZ26cYhZ1hss= sha256-dhoXBuYV9lE+ssIK4i/TG4cFbzUKSOKnQP47qEEcvsQ=
+# nix-direnv cache busting line: sha256-Y4HgqikudINw28LcX4EVONxmtR0CEGKM3M76ahzfuFY=

go.mod.sri

@@ -1 +1 @@
-sha256-dhoXBuYV9lE+ssIK4i/TG4cFbzUKSOKnQP47qEEcvsQ=
+sha256-Y4HgqikudINw28LcX4EVONxmtR0CEGKM3M76ahzfuFY=

go.toolchain.rev

@@ -1 +1 @@
-6a17f14c058e230cc620b72cf80099c2aa7f7335
+178d6bce616ceefcdd687341cb74d7d8868877a7

go.toolchain.sri

@@ -1 +0,0 @@
-sha256-afcuo/pcLnfFHYTViYi8rPM0ovnUuawuZ26cYhZ1hss=

pull-toolchain.sh

@@ -12,6 +12,6 @@ if [ "$upstream" != "$current" ]; then
 	./update-flake.sh
 fi
 
-if [ -n "$(git diff-index --name-only HEAD -- go.toolchain.rev go.toolchain.sri go.mod.sri)" ]; then
+if [ -n "$(git diff-index --name-only HEAD -- go.toolchain.rev go.mod.sri)" ]; then
     echo "pull-toolchain.sh: changes imported. Use git commit to make them permanent." >&2
 fi

shell.nix

@@ -16,4 +16,4 @@
 ) {
   src =  ./.;
 }).shellNix
-# nix-direnv cache busting line: sha256-afcuo/pcLnfFHYTViYi8rPM0ovnUuawuZ26cYhZ1hss= sha256-dhoXBuYV9lE+ssIK4i/TG4cFbzUKSOKnQP47qEEcvsQ=
+# nix-direnv cache busting line: sha256-Y4HgqikudINw28LcX4EVONxmtR0CEGKM3M76ahzfuFY=

tool/go

@@ -58,14 +58,7 @@ get_cached() {
     rm -f "$archive.new" "$TOOLCHAIN.extracted"
     if [ ! -e "$archive" ]; then
             log "Need to download go '$REV'."
-            if [ "$ARCH" = "amd64" ]; then
+            curl -f -L -o "$archive.new" "https://github.com/tailscale/go/releases/download/build-${REV}/${GOOS}-${ARCH}.tar.gz"
-                # For historic reasons, the tailscale/go amd64 release artifacts don't
-                # have the arch in their name.
-                BUILD="$GOOS"
-            else
-                BUILD="$GOOS-$ARCH"
-            fi
-            curl -f -L -o "$archive.new" "https://github.com/tailscale/go/releases/download/build-${REV}/${BUILD}.tar.gz"
             rm -f "$archive"
             mv "$archive.new" "$archive"
     fi

update-flake.sh

@@ -8,11 +8,6 @@ REV=$(cat go.toolchain.rev)
 OUT=$(mktemp -d -t nar-hash-XXXXXX)
 rm -rf $OUT
 
-mkdir $OUT
-curl --silent -L https://github.com/tailscale/go/archive/refs/tags/build-$REV.tar.gz | tar -zx -C $OUT --strip-components 1
-go run tailscale.com/cmd/nardump --sri $OUT >go.toolchain.sri
-rm -rf $OUT
-
 go mod vendor -o $OUT
 go run tailscale.com/cmd/nardump --sri $OUT >go.mod.sri
 rm -rf $OUT
@@ -21,5 +16,5 @@ rm -rf $OUT
 # result, when we change a referenced SRI file, we have to cause some
 # change to shell.nix and flake.nix as well, so that nix-direnv
 # notices and reevaluates everything. Sigh.
-perl -pi -e "s,# nix-direnv cache busting line:.*,# nix-direnv cache busting line: $(cat go.toolchain.sri) $(cat go.mod.sri)," shell.nix
+perl -pi -e "s,# nix-direnv cache busting line:.*,# nix-direnv cache busting line: $(cat go.mod.sri)," shell.nix
-perl -pi -e "s,# nix-direnv cache busting line:.*,# nix-direnv cache busting line: $(cat go.toolchain.sri) $(cat go.mod.sri)," flake.nix
+perl -pi -e "s,# nix-direnv cache busting line:.*,# nix-direnv cache busting line: $(cat go.mod.sri)," flake.nix

version-embed.go

@@ -17,9 +17,3 @@ var AlpineDockerTag string
 //
 //go:embed go.toolchain.rev
 var GoToolchainRev string
-
-// GoToolchainSRI is the Nix SRI hash of the Go toolchain identified
-// by GoToolchainRev. It may end in a newline.
-//
-//go:embed go.toolchain.sri
-var GoToolchainSRI string