@@ -21,120 +21,133 @@ on:
2121 - " .github/workflows/nix-hashes.yml"
2222
2323jobs :
24- nix-hashes :
25- if : github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
24+ # Native runners required: bun install cross-compilation flags (--os/--cpu)
25+ # do not produce byte-identical node_modules as native installs.
26+ compute-hash :
27+ strategy :
28+ fail-fast : false
29+ matrix :
30+ include :
31+ - system : x86_64-linux
32+ runner : blacksmith-4vcpu-ubuntu-2404
33+ - system : aarch64-linux
34+ runner : blacksmith-4vcpu-ubuntu-2404-arm
35+ - system : x86_64-darwin
36+ runner : macos-15-intel
37+ - system : aarch64-darwin
38+ runner : macos-latest
39+ runs-on : ${{ matrix.runner }}
40+
41+ steps :
42+ - name : Checkout repository
43+ uses : actions/checkout@v6
44+
45+ - name : Setup Nix
46+ uses : nixbuild/nix-quick-install-action@v34
47+
48+ - name : Compute node_modules hash
49+ id : hash
50+ env :
51+ SYSTEM : ${{ matrix.system }}
52+ run : |
53+ set -euo pipefail
54+
55+ BUILD_LOG=$(mktemp)
56+ trap 'rm -f "$BUILD_LOG"' EXIT
57+
58+ # Build with fakeHash to trigger hash mismatch and reveal correct hash
59+ nix build ".#packages.${SYSTEM}.node_modules_updater" --no-link 2>&1 | tee "$BUILD_LOG" || true
60+
61+ HASH="$(grep -E 'got:\s+sha256-' "$BUILD_LOG" | sed -E 's/.*got:\s+(sha256-[A-Za-z0-9+/=]+).*/\1/' | head -n1 || true)"
62+ if [ -z "$HASH" ]; then
63+ HASH="$(grep -A2 'hash mismatch' "$BUILD_LOG" | grep 'got:' | sed -E 's/.*got:\s+(sha256-[A-Za-z0-9+/=]+).*/\1/' | head -n1 || true)"
64+ fi
65+
66+ if [ -z "$HASH" ]; then
67+ echo "::error::Failed to compute hash for ${SYSTEM}"
68+ cat "$BUILD_LOG"
69+ exit 1
70+ fi
71+
72+ echo "$HASH" > hash.txt
73+ echo "Computed hash for ${SYSTEM}: $HASH"
74+
75+ - name : Upload hash
76+ uses : actions/upload-artifact@v4
77+ with :
78+ name : hash-${{ matrix.system }}
79+ path : hash.txt
80+ retention-days : 1
81+
82+ update-hashes :
83+ needs : compute-hash
84+ if : github.event_name != 'pull_request'
2685 runs-on : blacksmith-4vcpu-ubuntu-2404
27- env :
28- TITLE : node_modules hashes
2986
3087 steps :
3188 - name : Checkout repository
3289 uses : actions/checkout@v6
3390 with :
3491 token : ${{ secrets.GITHUB_TOKEN }}
3592 fetch-depth : 0
36- ref : ${{ github.head_ref || github.ref_name }}
37- repository : ${{ github.event.pull_request.head.repo.full_name || github.repository }}
93+ ref : ${{ github.ref_name }}
3894
3995 - name : Setup git committer
40- id : committer
4196 uses : ./.github/actions/setup-git-committer
4297 with :
4398 opencode-app-id : ${{ vars.OPENCODE_APP_ID }}
4499 opencode-app-secret : ${{ secrets.OPENCODE_APP_SECRET }}
45100
46- - name : Setup Nix
47- uses : nixbuild/nix-quick-install-action@v34
48-
49101 - name : Pull latest changes
50- env :
51- TARGET_BRANCH : ${{ github.head_ref || github.ref_name }}
52102 run : |
53- BRANCH="${TARGET_BRANCH:-${GITHUB_REF_NAME}}"
54- git pull --rebase --autostash origin "$BRANCH"
103+ git pull --rebase --autostash origin "$GITHUB_REF_NAME"
55104
56- - name : Compute all node_modules hashes
105+ - name : Download hash artifacts
106+ uses : actions/download-artifact@v4
107+ with :
108+ path : hashes
109+ pattern : hash-*
110+
111+ - name : Update hashes.json
57112 run : |
58113 set -euo pipefail
59114
60115 HASH_FILE="nix/hashes.json"
61- SYSTEMS="x86_64-linux aarch64-linux x86_64-darwin aarch64-darwin"
62-
63- if [ ! -f "$HASH_FILE" ]; then
64- mkdir -p "$(dirname "$HASH_FILE")"
65- echo '{"nodeModules":{}}' > "$HASH_FILE"
66- fi
67-
68- for SYSTEM in $SYSTEMS; do
69- echo "Computing hash for ${SYSTEM}..."
70- BUILD_LOG=$(mktemp)
71- trap 'rm -f "$BUILD_LOG"' EXIT
72116
73- # The updater derivations use fakeHash, so they will fail and reveal the correct hash
74- UPDATER_ATTR=".#packages.x86_64-linux.${SYSTEM}_node_modules"
75-
76- nix build "$UPDATER_ATTR" --no-link 2>&1 | tee "$BUILD_LOG" || true
77-
78- CORRECT_HASH="$(grep -E 'got:\s+sha256-[A-Za-z0-9+/=]+' "$BUILD_LOG" | awk '{print $2}' | head -n1 || true)"
79-
80- if [ -z "$CORRECT_HASH" ]; then
81- CORRECT_HASH="$(grep -A2 'hash mismatch' "$BUILD_LOG" | grep 'got:' | awk '{print $2}' | sed 's/sha256:/sha256-/' || true)"
82- fi
83-
84- if [ -z "$CORRECT_HASH" ]; then
85- echo "Failed to determine correct node_modules hash for ${SYSTEM}."
86- cat "$BUILD_LOG"
87- exit 1
117+ [ -f "$HASH_FILE" ] || echo '{"nodeModules":{}}' > "$HASH_FILE"
118+
119+ for SYSTEM in x86_64-linux aarch64-linux x86_64-darwin aarch64-darwin; do
120+ FILE="hashes/hash-${SYSTEM}/hash.txt"
121+ if [ -f "$FILE" ]; then
122+ HASH="$(tr -d '[:space:]' < "$FILE")"
123+ echo "${SYSTEM}: ${HASH}"
124+ jq --arg sys "$SYSTEM" --arg h "$HASH" '.nodeModules[$sys] = $h' "$HASH_FILE" > tmp.json
125+ mv tmp.json "$HASH_FILE"
126+ else
127+ echo "::warning::Missing hash for ${SYSTEM}"
88128 fi
89-
90- echo " ${SYSTEM}: ${CORRECT_HASH}"
91- jq --arg sys "$SYSTEM" --arg h "$CORRECT_HASH" \
92- '.nodeModules[$sys] = $h' "$HASH_FILE" > "${HASH_FILE}.tmp"
93- mv "${HASH_FILE}.tmp" "$HASH_FILE"
94129 done
95130
96- echo "All hashes computed:"
97131 cat "$HASH_FILE"
98132
99- - name : Commit ${{ env.TITLE }} changes
100- env :
101- TARGET_BRANCH : ${{ github.head_ref || github.ref_name }}
133+ - name : Commit changes
102134 run : |
103135 set -euo pipefail
104136
105137 HASH_FILE="nix/hashes.json"
106- echo "Checking for changes..."
107-
108- summarize() {
109- local status="$1"
110- {
111- echo "### Nix $TITLE"
112- echo ""
113- echo "- ref: ${GITHUB_REF_NAME}"
114- echo "- status: ${status}"
115- } >> "$GITHUB_STEP_SUMMARY"
116- if [ -n "${GITHUB_SERVER_URL:-}" ] && [ -n "${GITHUB_REPOSITORY:-}" ] && [ -n "${GITHUB_RUN_ID:-}" ]; then
117- echo "- run: ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" >> "$GITHUB_STEP_SUMMARY"
118- fi
119- echo "" >> "$GITHUB_STEP_SUMMARY"
120- }
121-
122- FILES=("$HASH_FILE")
123- STATUS="$(git status --short -- "${FILES[@]}" || true)"
124- if [ -z "$STATUS" ]; then
125- echo "No changes detected."
126- summarize "no changes"
138+
139+ if [ -z "$(git status --short -- "$HASH_FILE")" ]; then
140+ echo "No changes to commit"
141+ echo "### Nix hashes" >> "$GITHUB_STEP_SUMMARY"
142+ echo "Status: no changes" >> "$GITHUB_STEP_SUMMARY"
127143 exit 0
128144 fi
129145
130- echo "Changes detected:"
131- echo "$STATUS"
132- git add "${FILES[@]}"
146+ git add "$HASH_FILE"
133147 git commit -m "chore: update nix node_modules hashes"
134148
135- BRANCH="${TARGET_BRANCH:-${GITHUB_REF_NAME}}"
136- git pull --rebase --autostash origin "$BRANCH"
137- git push origin HEAD:"$BRANCH"
138- echo "Changes pushed successfully"
149+ git pull --rebase --autostash origin "$GITHUB_REF_NAME"
150+ git push origin HEAD:"$GITHUB_REF_NAME"
139151
140- summarize "committed $(git rev-parse --short HEAD)"
152+ echo "### Nix hashes" >> "$GITHUB_STEP_SUMMARY"
153+ echo "Status: committed $(git rev-parse --short HEAD)" >> "$GITHUB_STEP_SUMMARY"
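Review bot: The `Update hashes.json` step copies whatever `hash.txt` holds into `nix/hashes.json`, and the next step pushes it, without checking that the value is a well-formed hash: `HASH="$(tr -d '[:space:]' < "$FILE")"` accepts an empty or truncated artifact as readily as a real one. That file appears to pin the content Nix will accept for node_modules, so I would fail the job on anything unexpected, e.g. `[[ "$HASH" =~ ^sha256-[A-Za-z0-9+/]+=*$ ]] || { echo "::error::Malformed hash for ${SYSTEM}"; exit 1; }` right after the read. The missing-artifact branch has a milder form of the same problem: it only emits `::warning::` and still commits a partial update, so `exit 1` there would keep the four entries in step. Separately, the new `compute-hash` job runs a dependency-fetching build through tag-pinned actions (`nixbuild/nix-quick-install-action@v34`, `actions/upload-artifact@v4`). If no `permissions:` block exists outside this hunk, adding `permissions: contents: read` to that job and `persist-credentials: false` to its checkout would keep the write token out of its reach.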