DeterminateSystems · grahamc · Apr 14, 2025 · Mar 28, 2025 · Mar 28, 2025 · Mar 28, 2025
diff --git a/dist/index.js b/dist/index.js
diff --git a/src/annotate.ts b/src/annotate.ts
@@ -0,0 +1,66 @@
+import * as core from "@actions/core";
+
+import type { Fix, FixHashesOutputV1, Mismatch } from "./fixHashes.js";
+
+function prettyDerivation(derivation: string): string {
+  return derivation.replace(/\/nix\/store\/\w+-/, "").replace(/.drv$/, "");
+}
+
+function annotateSingle(
+  file: string,
+  line: number,
+  { derivation, replacement }: Mismatch,
+): void {
+  const pretty = prettyDerivation(derivation);
+  core.error(`To correct the hash mismatch for ${pretty}, use ${replacement}`, {
+    file,
+    startLine: line,
+  });
+}
+
+function annotateMultiple(
+  file: string,
+  { line, found, mismatches }: Fix,
+): void {
+  const matches = mismatches
+    .map(({ derivation, replacement }) => {
+      const pretty = prettyDerivation(derivation);
+      return `* For the derivation ${pretty}, use ${replacement}`;
+    })
+    .join("\n");
+
+  core.error(
+    `There are multiple replacements for the expression ${found}:\n${matches}`,
+    {
+      file,
+      startLine: line,
+    },
+  );
+}
+
+function annotate(file: string, fix: Fix): void {
+  if (fix.mismatches.length === 1) {
+    annotateSingle(file, fix.line, fix.mismatches[0]);
+  } else {
+    annotateMultiple(file, fix);
+  }
+}
+
+/**
+ * Annotates fixed-output derivation hash mismatches using GitHub Actions'
+ *
+ * @param output The output of `determinate-nixd fix hashes --json`
+ * @returns The number of annotations reported to the user
+ */
+export function annotateMismatches(output: FixHashesOutputV1): number {
+  let count = 0;
+
+  for (const { file, fixes } of output.files) {
+    for (const fix of fixes) {
+      annotate(file, fix);
+      count++;
+    }
+  }
+
+  return count;
+}
diff --git a/src/fixHashes.ts b/src/fixHashes.ts
@@ -0,0 +1,38 @@
+import { getExecOutput } from "@actions/exec";
+
+export interface Mismatch {
+  readonly derivation: string;
+  readonly replacement: string;
+}
+
+export interface Fix {
+  readonly line: number;
+  readonly found: string;
+  readonly mismatches: readonly Mismatch[];
+}
+
+export interface FileFix {
+  readonly file: string;
+  readonly fixes: readonly Fix[];
+}
+
+export interface FixHashesOutputV1 {
+  readonly version: "v1";
+  readonly files: readonly FileFix[];
+}
+
+export async function getFixHashes(): Promise<FixHashesOutputV1> {
+  const output = await getExecOutput("determinate-nixd", [
+    "fix",
+    "hashes",
+    "--json",
+  ]);
-  const output = await getExecOutput("determinate-nixd", [
-    "fix",
-    "hashes",
-    "--json",
-  ]);
+  const output = await getExecOutput("determinate-nixd", [
+    "fix",
+    "hashes",
+    "--json",
+  ], {
+    silent: true,
+  });
-  const output = await getExecOutput("determinate-nixd", [
-    "fix",
-    "hashes",
-    "--json",
-  ]);
+  const output = await getExecOutput("determinate-nixd", [
+    "fix",
+    "hashes",
+    "--json",
+  ], {
+    silent: true,
+  });
+
+  if (output.exitCode !== 0) {
+    throw new Error(
+      `determinate-nixd fix hashes returned non-zero exit code ${output.exitCode} with the following error output:\n${output.stderr}`,
+    );
+  }
+
+  return JSON.parse(output.stdout);
+}
diff --git a/src/index.ts b/src/index.ts
@@ -10,6 +10,8 @@ import { DetSysAction, inputs, platform, stringifyError } from "detsys-ts";
 import { randomUUID } from "node:crypto";
 import got from "got";
 import { setTimeout } from "node:timers/promises";
+import { getFixHashes } from "./fixHashes.js";
+import { annotateMismatches } from "./annotate.js";
 
 // Nix installation events
 const EVENT_INSTALL_NIX_FAILURE = "install_nix_failure";
@@ -27,6 +29,10 @@ const EVENT_LOGIN_TO_FLAKEHUB = "login_to_flakehub";
 
 // Other events
 const EVENT_CONCLUDE_JOB = "conclude_job";
+const EVENT_FOD_ANNOTATE = "fod_annotate";
+
+// Feature flag names
+const FEAT_ANNOTATIONS = "hash-mismatch-annotations";
 
 // Facts
 const FACT_DETERMINATE_NIX = "determinate_nix";
@@ -124,6 +130,7 @@ class NixInstallerAction extends DetSysAction {
   }
 
   async post(): Promise<void> {
+    await this.annotateMismatches();
     await this.cleanupDockerShim();
     await this.reportOverall();
   }
@@ -1104,6 +1111,38 @@ class NixInstallerAction extends DetSysAction {
       );
     }
   }
+
+  private async annotateMismatches(): Promise<void> {
+    if (!this.determinate) {
+      return;
+    }
+
+    const active = this.getFeature(FEAT_ANNOTATIONS)?.variant;
+    if (!active) {
+      actionsCore.debug("The annotations feature is disabled for this run");
+      return;
+    }
+
+    try {
+      actionsCore.debug("Getting hash fixes from determinate-nixd");
+      const mismatches = await getFixHashes();
+      if (mismatches.version !== "v1") {
+        throw new Error(
+          `Unsupported \`determinate-nixd fix hashes\` output (got ${mismatches.version}, expected v1)`,
+        );
+      }
+
+      actionsCore.debug("Annotating mismatches");
+      const count = annotateMismatches(mismatches);
+      this.recordEvent(EVENT_FOD_ANNOTATE, { count });
+    } catch (error) {
+      // Don't hard fail the action if something exploded; this feature is only a nice-to-have
+      actionsCore.warning(`Could not consume hash mismatch events: ${error}`);
+      this.recordEvent("annotation-mismatch-execution:error", {
+        exception: stringifyError(error),
+      });
+    }
+  }
 }
 
 type ExecuteEnvironment = {