update-flake.sh: tooling to keep Nix SRI hashes in sync.

Also fixes the Go toolchain SRI hash from a7f05c6bb0fed3f060435f0828625f705839d56d, it turns out I initialized the file with an SRI hash for an older toolchain version, and because of the unique way fixed-output derivations work in nix, nix didn't tell me about the mismatch because it just cache-hit on the older toolchain and moved on. Sigh. Updates #6845. Signed-off-by: David Anderson <danderson@tailscale.com>
2025-02-18 02:48:40 +00:00 · 2022-12-24 15:05:40 -08:00 · 2022-12-24 15:05:40 -08:00 · d2beaea523
commit d2beaea523
parent 3599364312
5 changed files with 34 additions and 5 deletions
--- a/flake.nix
+++ b/flake.nix
@ -141,14 +141,17 @@
      };
      devShell = pkgs.mkShell {
        packages = with upstreamPkgs; [
-          pkgs.tailscale_go
+          curl
          git
-          gotools
          gopls
+          gotools
          graphviz
+          perl
+          pkgs.tailscale_go
        ];
      };
    };
  in
    flake-utils.lib.eachDefaultSystem (system: flakeForSystem nixpkgs system);
 }
+# nix-direnv cache busting line: sha256-imidcDJGVor43PqdTX7Js4/tjQ0JA2E1GdjuyLiPDHI= sha256-+5icFKDHXt3JMbUjLQGes4R+GeUi48xRgGd0yPKVrw0=
--- a/go.toolchain.sri
+++ b/go.toolchain.sri
@ -1 +1 @@
-sha256-BvwZ/90izw0Ip3lh8eNkJvU46LKnOOhEXF0axkBi/Es=
+sha256-imidcDJGVor43PqdTX7Js4/tjQ0JA2E1GdjuyLiPDHI=
--- a/pull-toolchain.sh
+++ b/pull-toolchain.sh
@ -9,8 +9,9 @@ upstream=$(git ls-remote https://github.com/tailscale/go "$go_branch" | awk '{pr
 current=$(cat go.toolchain.rev)
 if [ "$upstream" != "$current" ]; then
 	echo "$upstream" >go.toolchain.rev
+	./update-flake.sh
 fi

-if [ -n "$(git diff-index --name-only HEAD -- go.toolchain.rev)" ]; then
+if [ -n "$(git diff-index --name-only HEAD -- go.toolchain.rev go.toolchain.sri go.mod.sri)" ]; then
    echo "pull-toolchain.sh: changes imported. Use git commit to make them permanent." >&2
 fi
--- a/shell.nix
+++ b/shell.nix
@ -7,7 +7,6 @@
 # Also look into direnv: https://direnv.net/, this can make it so that you can
 # automatically get your environment set up when you change folders into the
 # project.
-
 (import (
  let
    lock = builtins.fromJSON (builtins.readFile ./flake.lock);
@ -17,3 +16,4 @@
 ) {
  src =  ./.;
 }).shellNix
+# nix-direnv cache busting line: sha256-imidcDJGVor43PqdTX7Js4/tjQ0JA2E1GdjuyLiPDHI= sha256-+5icFKDHXt3JMbUjLQGes4R+GeUi48xRgGd0yPKVrw0=
--- a/update-flake.sh
+++ b/update-flake.sh
@ -0,0 +1,25 @@
+#!/bin/sh
+# Updates SRI hashes for flake.nix.
+
+set -eu
+
+REV=$(cat go.toolchain.rev)
+
+OUT=$(mktemp -d -t nar-hash-XXXXXX)
+rm -rf $OUT
+
+mkdir $OUT
+curl --silent -L https://github.com/tailscale/go/archive/refs/tags/build-$REV.tar.gz | tar -zx -C $OUT --strip-components 1
+go run tailscale.com/cmd/nardump --sri $OUT >go.toolchain.sri
+rm -rf $OUT
+
+go mod vendor -o $OUT
+go run tailscale.com/cmd/nardump --sri $OUT >go.mod.sri
+rm -rf $OUT
+
+# nix-direnv only watches the top-level nix file for changes. As a
+# result, when we change a referenced SRI file, we have to cause some
+# change to shell.nix and flake.nix as well, so that nix-direnv
+# notices and reevaluates everything. Sigh.
+perl -pi -e "s,# nix-direnv cache busting line:.*,# nix-direnv cache busting line: $(cat go.toolchain.sri) $(cat go.mod.sri)," shell.nix
+perl -pi -e "s,# nix-direnv cache busting line:.*,# nix-direnv cache busting line: $(cat go.toolchain.sri) $(cat go.mod.sri)," flake.nix