From 158f7a115785ea5f9fd67504948e03cc039eeec2 Mon Sep 17 00:00:00 2001
From: Graham Christensen
Date: Wed, 23 Apr 2025 16:10:30 -0400
Subject: [PATCH 1/2] Automatically fix flake.nix hashes from dependabot PRs

I recently made this change in our fork of golinks, and thought I'd upstream it. This patch uses Determinate Nix 3.3's feature of being able to automatically fix invalid Nix hashes in CI. More context: https://determinate.systems/posts/changelog-determinate-nix-331/#automatic-hash-mismatches-fixes-in-github-actions

Signed-off-by: Graham Christensen
---
 .github/workflows/nix.yml | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
index 6fc9734..6858a74 100644
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@@ -10,6 +10,8 @@ on:
 jobs:
 build:
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 steps:
@@ -17,7 +19,30 @@ jobs:
 with:
 fetch-depth: 2
- - uses: cachix/install-nix-action@v16
+ - uses: DeterminateSystems/nix-installer-action@main
+ with:
+ determinate: true
 - name: Run build
 run: nix build
+
+ - name: Fix hash mismatches
+ if: failure() && github.event_name == 'pull_request'
+ id: fix-hashes
+ run: |
+ git stash --include-untracked
+ git fetch --depth=1 origin "$GITHUB_HEAD_REF"
+ git checkout -B "$GITHUB_HEAD_REF" "${{ github.event.pull_request.head.sha }}"
+
+ determinate-nixd fix hashes --auto-apply
+
+ if ! git diff --quiet; then
+ git config user.name "github-actions[bot]"
+ git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ git add --update --ignore-removal .
+ git commit -m "[dependabot skip] Automatically fix Nix hashes"
+ git push origin "$GITHUB_HEAD_REF"
+ fi
+
+ git checkout -
+ git stash pop || true
From 5f04dfc02610f90272cae6f30722ed3eccc907da Mon Sep 17 00:00:00 2001
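Review bot: The `contents: write` grant added under `build:` (first hunk of PATCH 1/2) applies to every step of the job, not only to the new hash-fix step, so `nix build`, which evaluates and builds whatever the pull request contains, now runs in a job whose token can push to the repository. The checkout step is only partly visible here, but unless it disables credential persistence that token is also left in the local git config, which is what the later `git push` appears to rely on. The fix step seems to need the failed build's state and so may not be movable to a separate job; in that case the grant should at least be documented where it is made, e.g. `# contents: write is used only by "Fix hash mismatches" to push to the PR branch`. The `build:` job continues outside the hunk.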
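Review bot: The `Fix hash mismatches` step (second hunk of PATCH 1/2) commits whatever hash `determinate-nixd fix hashes --auto-apply` derives from the content that was just downloaded, which turns the pinned hash from an integrity check into trust-on-first-use for that fetch unless a person reviews the resulting diff. A push made with the workflow's `GITHUB_TOKEN` does not start a new workflow run, so the rewritten hash is presumably never rebuilt by CI before merge. The `if:` also fires for any failed pull request rather than only same-repository ones, where the `git fetch origin` and `git push origin` are not expected to succeed; `if: failure() && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository` would skip those. I would also add a comment above the step such as `# Auto-applied hashes are unreviewed and not re-run by CI: check the hash diff before merging`.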
From: Graham Christensen
Date: Wed, 23 Apr 2025 16:52:54 -0400
Subject: [PATCH 2/2] Update .github/workflows/nix.yml: pin to the current commit

Signed-off-by: Graham Christensen
---
 .github/workflows/nix.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
index 6858a74..934a397 100644
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@@ -19,7 +19,7 @@ jobs:
 with:
 fetch-depth: 2
- - uses: DeterminateSystems/nix-installer-action@main
+ - uses: DeterminateSystems/nix-installer-action@aacc1657a206483a9d7037b91370e00407cf3ec5
 with:
 determinate: true
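Review bot: The 40-character pin on `DeterminateSystems/nix-installer-action` carries no indication of the ref it was taken from, which makes later audits and updates of the pin harder. A trailing comment on the `uses:` line would record it, e.g. `# main as of 2025-04-23` (date taken from this patch; presumably the tip of `main` at that time). The preceding action in this job is only partly visible in the hunk, so whether it is pinned the same way cannot be judged from here.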