Skip to content

Automate Nix vendorHash updates in nix-shell-test workflow #1664

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 5 commits into
base: main
Choose a base branch
from
Draft

Automate Nix vendorHash updates in nix-shell-test workflow #1664

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
99702e7
Initial plan
Copilot Nov 24, 2025
b11a1f3
Automate nix vendorHash updates in workflow
Copilot Nov 24, 2025
9bf5d91
Fix regex for hash extraction to be more compatible
Copilot Nov 24, 2025
dc968de
Address code review: improve regex, validation, and security
Copilot Nov 24, 2025
dc9ccd6
Remove trailing spaces from workflow file
Copilot Nov 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 49 additions & 1 deletion .github/workflows/go.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,8 @@ jobs:
nix-shell-test:
runs-on: ubuntu-latest
needs: go-test
permissions:
contents: write
steps:
- uses: actions/checkout@v4

Expand All @@ -60,9 +62,55 @@ jobs:
nix_path: nixpkgs=channel:nixos-unstable

- name: Check nix-shell default.nix
id: nix-test
continue-on-error: true
run: |
set -o pipefail
make test-nix 2>&1 | sed -u 's|\s\+got:|::error file=pkgs/defang/cli.nix,line=9::Replace the vendorHash in cli.nix with the correct value:|'
make test-nix 2>&1 | tee /tmp/nix-test-output.log
exit ${PIPESTATUS[0]}

- name: Update vendorHash if needed
if: steps.nix-test.outcome == 'failure'
run: |
# Extract the correct hash from the error output
NEW_HASH=$(grep 'got:' /tmp/nix-test-output.log | grep -oP 'sha256-[A-Za-z0-9+/]+=*' | head -1)

if [ -n "$NEW_HASH" ]; then
# Validate hash format (should be sha256- followed by 44 base64 characters)
if ! echo "$NEW_HASH" | grep -qE '^sha256-[A-Za-z0-9+/]{43}=$'; then
echo "❌ Extracted hash has invalid format: $NEW_HASH"
exit 1
fi

echo "Found new hash: $NEW_HASH"

# Update the vendorHash in cli.nix
OLD_HASH=$(grep -oP 'vendorHash = "\Ksha256-[A-Za-z0-9+/]+=*' pkgs/defang/cli.nix)
echo "Old hash: $OLD_HASH"

# Use @ as delimiter since it won't appear in base64 hashes
sed -i "s@vendorHash = \"$OLD_HASH\"@vendorHash = \"$NEW_HASH\"@" pkgs/defang/cli.nix

# Configure git
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"

# Commit and push the change
git add pkgs/defang/cli.nix
git commit -m "Update Nix vendorHash to $NEW_HASH"
git push

echo "✅ Updated vendorHash and committed the change"
else
echo "❌ Could not extract hash from error output"
echo "Last 20 lines of output:"
tail -20 /tmp/nix-test-output.log
exit 1
fi

- name: Verify nix-shell after update
if: steps.nix-test.outcome == 'failure'
run: make test-nix

# go-byoc-test:
# runs-on: ubuntu-latest
Expand Down