Skip to content

chore(nix): add reproducible tarball build with nix #258

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
ryoppippi wants to merge 8 commits into from
Closed

chore(nix): add reproducible tarball build with nix #258

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
f292ca5
feat(nix): add package build derivation for tarball generation
ryoppippi Dec 21, 2025
7900b6a
chore(hooks): add pre-commit hook for pnpm deps hash update
ryoppippi Dec 21, 2025
c8766bb
ci(publish): use nix build for package tarball generation
ryoppippi Dec 21, 2025
8b443b3
chore(git): ignore nix build result symlink
ryoppippi Dec 21, 2025
38078e9
ci: split build-and-test into separate build and test jobs
ryoppippi Dec 21, 2025
ffce38e
chore(package): remove preinstall only-allow pnpm check
ryoppippi Dec 21, 2025
39eca4c
fix(nix): use system-specific hashes for pnpm deps
ryoppippi Dec 21, 2025
5878e77
ci: add --print-build-logs and revert dry-publish
ryoppippi Dec 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 12 additions & 3 deletions .github/workflows/ci.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ jobs:
- name: Run Lint
run: nix develop --command pnpm run lint

build-and-test:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
Expand All @@ -47,8 +47,17 @@ jobs:
- name: Setup Nix
uses: ./.github/actions/setup-nix

- name: Run Build
run: nix develop --command pnpm run build
- name: Build package
run: nix build

test:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

- name: Setup Nix
uses: ./.github/actions/setup-nix

- name: Run Tests
run: nix develop --command pnpm test
Expand Down
5 changes: 4 additions & 1 deletion .github/workflows/dry-publish.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,5 +13,8 @@ jobs:
- name: Setup Nix
uses: ./.github/actions/setup-nix

- name: 📦 Build package
run: nix build

- name: 🚀 Dry Run Publish Package
run: nix develop --command pnpm dlx pkg-pr-new publish --pnpm
run: nix develop --command pnpm dlx pkg-pr-new publish result/*.tgz
Copy link

Copilot AI Dec 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The glob pattern result/*.tgz is passed to pkg-pr-new publish which may not handle glob patterns correctly. Shell glob expansion happens before the command is executed, but if no files match or multiple files match, the behavior might be unexpected. Consider explicitly using shell expansion with quotes or verifying the exact tarball path before passing it to the command.

Suggested change
run: nix develop --command pnpm dlx pkg-pr-new publish result/*.tgz
run: |
shopt -s nullglob
tgzs=(result/*.tgz)
if [ "${#tgzs[@]}" -ne 1 ]; then
echo "Expected exactly one .tgz file in result/, found ${#tgzs[@]}." >&2
exit 1
fi
nix develop --command pnpm dlx pkg-pr-new publish "${tgzs[0]}"

Copilot uses AI. Check for mistakes.
6 changes: 3 additions & 3 deletions .github/workflows/release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,12 +41,12 @@ jobs:
registry-url: 'https://registry.npmjs.org'
node-version: lts/*

- name: 📦 Pack package
run: nix develop --command pnpm pack
- name: 📦 Build package
run: nix build

- name: 🚀 Publish package
shell: bash
run: |
PACKAGE_TGZ=$(ls *.tgz | head -n 1)
PACKAGE_TGZ=$(ls result/*.tgz | head -n 1)
Copy link

Copilot AI Dec 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The command ls result/*.tgz | head -n 1 assumes that the nix build command creates exactly one .tgz file in the result directory. If multiple .tgz files exist or if the build produces a different file structure, this will either select an unexpected file or fail. Consider being more explicit about the expected filename pattern or adding error handling to verify exactly one tarball exists before attempting to publish.

Suggested change
PACKAGE_TGZ=$(ls result/*.tgz | head -n 1)
set -euo pipefail
shopt -s nullglob
files=(result/*.tgz)
if [ "${#files[@]}" -eq 0 ]; then
echo "Error: No .tgz package files found in result/." >&2
exit 1
elif [ "${#files[@]}" -gt 1 ]; then
echo "Error: Multiple .tgz package files found in result/: ${files[*]}" >&2
exit 1
fi
PACKAGE_TGZ="${files[0]}"

Copilot uses AI. Check for mistakes.
echo "Publishing package: $PACKAGE_TGZ"
npm publish "$PACKAGE_TGZ" --access public
1 change: 1 addition & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -181,3 +181,4 @@ dist
.direnv
!.envrc

result
43 changes: 42 additions & 1 deletion flake.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,49 @@
];

perSystem =
{ pkgs, ... }:
{ pkgs, system, ... }:
{
packages.default =
let
packageJson = builtins.fromJSON (builtins.readFile ./package.json);
pnpmDepsHash = {
x86_64-linux = "sha256-PrCGXf5r03gfsoGJAzew592Al1G5dx6xa/qFxazuqUo=";
aarch64-linux = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
Copy link

Copilot AI Dec 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The package name "stackone-ai" in the derivation doesn't match the actual npm package name "@stackone/ai" from package.json. While this doesn't break the build since pnpm.fetchDeps doesn't publish to npm, it creates inconsistency and could cause confusion. Consider using the actual package name without the @ symbol (e.g., "stackone-ai-node" to match the GitHub repo name, or extract it from package.json).

Copilot uses AI. Check for mistakes.
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot Dec 21, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: Placeholder hash for aarch64-linux will cause build failures. The hash sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= is not a valid pnpm deps hash - it needs to be computed by running nix build on an aarch64-linux system and using the resulting hash from the error message.

Prompt for AI agents 
Check if this issue is valid — if so, understand the root cause and fix it. At flake.nix, line 26:

<comment>Placeholder hash for `aarch64-linux` will cause build failures. The hash `sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=` is not a valid pnpm deps hash - it needs to be computed by running `nix build` on an aarch64-linux system and using the resulting hash from the error message.</comment>

<file context>
@@ -16,11 +16,16 @@
               packageJson = builtins.fromJSON (builtins.readFile ./package.json);
+              pnpmDepsHash = {
+                x86_64-linux = &quot;sha256-PrCGXf5r03gfsoGJAzew592Al1G5dx6xa/qFxazuqUo=&quot;;
+                aarch64-linux = &quot;sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=&quot;;
+                aarch64-darwin = &quot;sha256-GDY7RZUl6A0d3l8Rz6X1sHQfwHgM2GKpcJ65yAKOmrg=&quot;;
+              };
</file context>
Fix with Cubic

aarch64-darwin = "sha256-GDY7RZUl6A0d3l8Rz6X1sHQfwHgM2GKpcJ65yAKOmrg=";
};
in
pkgs.stdenv.mkDerivation (finalAttrs: {
pname = "stackone-ai";
version = packageJson.version;

src = ./.;

nativeBuildInputs = with pkgs; [
nodejs_24
pnpm_10
pnpm_10.configHook
];

pnpmDeps = pkgs.pnpm_10.fetchDeps {
inherit (finalAttrs) pname version src;
hash = pnpmDepsHash.${system};
fetcherVersion = 1;
};

buildPhase = ''
runHook preBuild
pnpm run build
runHook postBuild
'';

installPhase = ''
runHook preInstall
mkdir -p $out
pnpm pack --pack-destination $out
runHook postInstall
'';
});

devShells.default = pkgs.mkShell {
buildInputs = with pkgs; [
# runtime
Expand Down
4 changes: 4 additions & 0 deletions lefthook.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,10 @@ pre-commit:
glob: '*.nix'
run: nix develop --command nixfmt {staged_files}
stage_fixed: true
- name: update-pnpm-hash
glob: 'pnpm-lock.yaml'
run: ./scripts/update-pnpm-hash.sh
Copy link

Copilot AI Dec 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The script path ./scripts/update-pnpm-hash.sh uses a relative path and won't work correctly if the git hook is triggered from a subdirectory. Lefthook runs commands from the repository root, but the script should be executable. Consider adding execute permissions to the script file or using bash ./scripts/update-pnpm-hash.sh explicitly to ensure it runs correctly.

Suggested change
run: ./scripts/update-pnpm-hash.sh
run: bash ./scripts/update-pnpm-hash.sh

Copilot uses AI. Check for mistakes.
stage_fixed: true

pre-push:
jobs:
Expand Down
1 change: 0 additions & 1 deletion package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,6 @@
"lint:oxfmt": "oxfmt --no-error-on-unmatched-pattern --check .",
"lint:oxlint": "oxlint --max-warnings=0 --type-aware --type-check",
"lint:knip": "knip",
"preinstall": "npx only-allow pnpm",
"prepack": "npm pkg delete scripts.preinstall && pnpm run build",
Copy link

Copilot AI Dec 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The prepack script attempts to delete scripts.preinstall with npm pkg delete scripts.preinstall, but the preinstall script is being removed in this PR. This will cause the prepack script to fail or have unexpected behavior. Since the preinstall script no longer exists, this deletion step should be removed from the prepack script.

Suggested change
"prepack": "npm pkg delete scripts.preinstall && pnpm run build",
"prepack": "pnpm run build",

Copilot uses AI. Check for mistakes.
"test": "vitest",
"coverage": "vitest run --coverage"
Expand Down
42 changes: 42 additions & 0 deletions scripts/update-pnpm-hash.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
#!/usr/bin/env bash
set -euo pipefail

Copy link

Copilot AI Dec 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The script lacks a proper shebang validation mechanism and doesn't verify that required commands (nix, sed, grep) are available before use. While the script uses set -euo pipefail for strict error handling, it would be more maintainable to check for command availability upfront and provide clear error messages if dependencies are missing.

Suggested change
# Ensure the script is running under Bash
if [[ -z "${BASH_VERSION:-}" ]]; then
echo "Error: This script must be run with bash." >&2
exit 1
fi
# Verify required commands are available
for cmd in nix sed grep; do
if ! command -v "$cmd" >/dev/null 2>&1; then
echo "Error: Required command '$cmd' not found in PATH." >&2
exit 1
fi
done

Copilot uses AI. Check for mistakes.
# Update pnpm deps hash in flake.nix for the current system
# This script runs nix build to get the correct hash and updates flake.nix

FLAKE_FILE="flake.nix"

# Check if flake.nix exists
if [[ ! -f "$FLAKE_FILE" ]]; then
echo "Error: $FLAKE_FILE not found"
exit 1
fi

Copy link

Copilot AI Dec 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The script assumes the presence of the nix command and doesn't check for its availability. If nix is not installed or not in PATH, the script will fail with an unclear error message. Consider adding a check to verify nix is available before attempting to run it, or handle the error more gracefully with a helpful error message.

Suggested change
# Check if nix is available
if ! command -v nix >/dev/null 2>&1; then
echo "Error: 'nix' command not found. Please install Nix and ensure it is in your PATH." >&2
exit 1
fi

Copilot uses AI. Check for mistakes.
# Detect current system
SYSTEM=$(nix eval --impure --raw --expr 'builtins.currentSystem')
echo "Current system: $SYSTEM"

# Run nix build and capture the output
echo "Calculating pnpm deps hash..."
OUTPUT=$(nix build --no-link 2>&1 || true)

# Check if there's a hash mismatch
if echo "$OUTPUT" | grep -q "hash mismatch"; then
# Extract the new hash
NEW_HASH=$(echo "$OUTPUT" | grep "got:" | sed 's/.*got:[[:space:]]*//' | tr -d '[:space:]')

if [[ -z "$NEW_HASH" ]]; then
echo "Error: Could not extract new hash"
Comment on lines +25 to +29
Copy link

Copilot AI Dec 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The hash extraction pattern grep "got:" | sed 's/.*got:[[:space:]]*//' assumes a specific nix error message format. The pattern is fragile and may break if nix changes its error message format. Additionally, the sed regex pattern should be more explicit to match the expected format. Consider using a more robust extraction method or adding validation that the extracted hash matches the expected sha256 format (e.g., sha256-[A-Za-z0-9+/=]+).

Suggested change
# Extract the new hash
NEW_HASH=$(echo "$OUTPUT" | grep "got:" | sed 's/.*got:[[:space:]]*//' | tr -d '[:space:]')
if [[ -z "$NEW_HASH" ]]; then
echo "Error: Could not extract new hash"
# Extract the new hash by matching the expected sha256 format in the output
NEW_HASH=$(printf '%s\n' "$OUTPUT" | grep -oE 'sha256-[A-Za-z0-9+/=]+' | head -n1 || true)
if [[ -z "$NEW_HASH" || ! "$NEW_HASH" =~ ^sha256-[A-Za-z0-9+/=]+$ ]]; then
echo "Error: Could not extract valid sha256 hash from nix output"

Copilot uses AI. Check for mistakes.
exit 1
fi

echo "New hash for $SYSTEM: $NEW_HASH"

# Update the hash for current system in flake.nix
sed -i.bak "s|${SYSTEM} = \"sha256-[^\"]*\"|${SYSTEM} = \"${NEW_HASH}\"|" "$FLAKE_FILE"
rm -f "${FLAKE_FILE}.bak"

echo "Updated $FLAKE_FILE with new hash for $SYSTEM"
else
echo "Hash is up to date for $SYSTEM"
fi
Loading