tailscale/update-flake.sh
David Anderson d2beaea523 update-flake.sh: tooling to keep Nix SRI hashes in sync.
Also fixes the Go toolchain SRI hash from a7f05c6bb0fed3f060435f0828625f705839d56d,
it turns out I initialized the file with an SRI hash for an older
toolchain version, and because of the unique way fixed-output derivations
work in nix, nix didn't tell me about the mismatch because it just
cache-hit on the older toolchain and moved on. Sigh.

Updates #6845.

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-12-24 15:22:41 -08:00

26 lines
954 B
Bash
Executable File

#!/bin/sh
# Updates SRI hashes for flake.nix.
set -eu
REV=$(cat go.toolchain.rev)
OUT=$(mktemp -d -t nar-hash-XXXXXX)
rm -rf $OUT
mkdir $OUT
curl --silent -L https://github.com/tailscale/go/archive/refs/tags/build-$REV.tar.gz | tar -zx -C $OUT --strip-components 1
go run tailscale.com/cmd/nardump --sri $OUT >go.toolchain.sri
rm -rf $OUT
go mod vendor -o $OUT
go run tailscale.com/cmd/nardump --sri $OUT >go.mod.sri
rm -rf $OUT
# nix-direnv only watches the top-level nix file for changes. As a
# result, when we change a referenced SRI file, we have to cause some
# change to shell.nix and flake.nix as well, so that nix-direnv
# notices and reevaluates everything. Sigh.
perl -pi -e "s,# nix-direnv cache busting line:.*,# nix-direnv cache busting line: $(cat go.toolchain.sri) $(cat go.mod.sri)," shell.nix
perl -pi -e "s,# nix-direnv cache busting line:.*,# nix-direnv cache busting line: $(cat go.toolchain.sri) $(cat go.mod.sri)," flake.nix