Update Nix hashes #17
Workflow file for this run
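name: 'Update Nix Binary Hashes'

# Runs when a release is published (after you manually publish the draft)
# or can be manually triggered with a version input.
on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      version:
        description: 'Version to update hashes for (without "app-v" prefix)'
        required: false
        type: string

# Write access is required because the final step pushes a commit to master.
# Everything this job runs therefore executes next to a token that can
# modify the repository.
permissions:
  contents: write

jobs:
  update-hashes:
    runs-on: ubuntu-latest
    # Run for app releases or manual dispatch
    if: |
      (github.event_name == 'release' && startsWith(github.event.release.tag_name, 'app-v')) ||
      github.event_name == 'workflow_dispatch'
    steps:
      # NOTE(review): both actions below are referenced by a mutable tag.
      # Because this job holds a write token, pin each one to a full commit
      # SHA (keeping the tag in a trailing comment) so a moved tag cannot
      # change what runs here.
      - uses: actions/checkout@v4
        with:
          ref: master
          fetch-depth: 1

      - name: Install Nix
        uses: cachix/install-nix-action@v25
        with:
          nix_path: nixpkgs=channel:nixos-unstable

      - name: Extract version from tag or input
        id: version
        # The tag name and the dispatch input are attacker-influenceable text.
        # They are handed to the script as environment variables so the shell
        # treats them as data; expanding ${{ ... }} inside `run:` would paste
        # them into the script source before bash parses it.
        env:
          EVENT_NAME: ${{ github.event_name }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
          DISPATCH_VERSION: ${{ github.event.inputs.version }}
        run: |
          set -euo pipefail

          if [ "$EVENT_NAME" = "release" ]; then
            VERSION="${RELEASE_TAG#app-v}"
          else
            VERSION="$DISPATCH_VERSION"
          fi

          # The version is later placed in URLs, sed expressions, a commit
          # message and $GITHUB_OUTPUT. Reject empty values (the dispatch input
          # is optional) and anything outside a conservative allow-list.
          # NOTE(review): the allow-list assumes semver-style versions; widen
          # it if release tags legitimately use other characters.
          case "$VERSION" in
            ''|*[!0-9A-Za-z.+-]*)
              echo "::error::Empty or unexpected version string; refusing to continue"
              exit 1
              ;;
          esac

          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
          echo "Detected version: $VERSION"

      - name: Update Nix package hashes
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          # Fail on the first error, on unset variables and on a failure in
          # any pipeline stage, so a broken download can never reach the
          # package files.
          set -euo pipefail
          : "${VERSION:?version output is empty}"

          BIN_PACKAGE_FILE="nix/package-bin.nix"
          SRC_PACKAGE_FILE="nix/package.nix"
          # GITHUB_REPOSITORY is the runner-provided owner/name of this repo.
          BASE_URL="https://github.com/${GITHUB_REPOSITORY}/releases/download/app-v${VERSION}"

          echo "==> Updating Nix hashes for version $VERSION"
          echo ""

          # Download a file and print its SHA-256 in SRI form (sha256-<base64>).
          # Arguments: $1 - URL to download
          # Outputs:   the SRI string on stdout; progress on stderr
          # Returns:   0 on success; 1 (after printing DOWNLOAD_FAILED) when the
          #            download or the hashing fails
          get_hash() {
            local url="$1"
            local tmpfile hash sri
            tmpfile=$(mktemp) || return 1
            echo " Downloading: $url" >&2
            # --fail makes an HTTP error (for example a 404 for a missing
            # asset) a non-zero exit. Without it curl saves the error page
            # and its hash would be recorded as if it were the asset's.
            if ! curl --fail --silent --show-error --location -o "$tmpfile" "$url"; then
              rm -f "$tmpfile"
              echo "DOWNLOAD_FAILED"
              return 1
            fi
            if ! hash=$(sha256sum "$tmpfile" | cut -d' ' -f1); then
              rm -f "$tmpfile"
              echo "DOWNLOAD_FAILED"
              return 1
            fi
            rm -f "$tmpfile"
            # Convert the hex digest to SRI format (base64 encoded)
            sri="sha256-$(echo "$hash" | xxd -r -p | base64 | tr -d '\n')"
            echo "$sri"
          }

          echo "--- Binary Package (package-bin.nix) ---"
          echo "Fetching hashes for pre-built release assets..."
          echo ""

          # These hashes record whatever the release serves at this moment
          # (trust on first use); they do not prove the assets are the ones
          # the build produced.
          X64_LINUX_HASH=$(get_hash "${BASE_URL}/caldav-tasks_${VERSION}_amd64.deb")
          echo " x86_64-linux: $X64_LINUX_HASH"
          ARM64_LINUX_HASH=$(get_hash "${BASE_URL}/caldav-tasks_${VERSION}_arm64.deb")
          echo " aarch64-linux: $ARM64_LINUX_HASH"
          X64_DARWIN_HASH=$(get_hash "${BASE_URL}/caldav-tasks_${VERSION}_x64.dmg")
          echo " x86_64-darwin: $X64_DARWIN_HASH"
          ARM64_DARWIN_HASH=$(get_hash "${BASE_URL}/caldav-tasks_${VERSION}_aarch64.dmg")
          echo " aarch64-darwin: $ARM64_DARWIN_HASH"
          echo ""

          # Second line of defence: never write anything that is not an SRI
          # string (such as the DOWNLOAD_FAILED sentinel) into a hash field.
          for candidate in "$X64_LINUX_HASH" "$ARM64_LINUX_HASH" \
                           "$X64_DARWIN_HASH" "$ARM64_DARWIN_HASH"; do
            case "$candidate" in
              sha256-?*) ;;
              *)
                echo "::error::A release asset hash is not in SRI form; refusing to update $BIN_PACKAGE_FILE"
                exit 1
                ;;
            esac
          done

          echo "Updating $BIN_PACKAGE_FILE..."
          # Update version in binary package
          sed -i "s/version ? \"[^\"]*\"/version ? \"$VERSION\"/" "$BIN_PACKAGE_FILE"

          # Update hashes for each platform using awk for more reliable replacement.
          # A line naming a platform arms `platform`; the next `hash = "sha256-..."`
          # line is rewritten with that platform's hash and the marker is cleared.
          awk -v x64_linux="$X64_LINUX_HASH" -v arm64_linux="$ARM64_LINUX_HASH" \
              -v x64_darwin="$X64_DARWIN_HASH" -v arm64_darwin="$ARM64_DARWIN_HASH" '
          {
            if ($0 ~ /"x86_64-linux"/) { platform = "x64_linux"; }
            else if ($0 ~ /"aarch64-linux"/) { platform = "arm64_linux"; }
            else if ($0 ~ /"x86_64-darwin"/) { platform = "x64_darwin"; }
            else if ($0 ~ /"aarch64-darwin"/) { platform = "arm64_darwin"; }
            if ($0 ~ /hash = "sha256-/) {
              if (platform == "x64_linux") { sub(/hash = "sha256-[^"]*"/, "hash = \"" x64_linux "\""); platform = ""; }
              else if (platform == "arm64_linux") { sub(/hash = "sha256-[^"]*"/, "hash = \"" arm64_linux "\""); platform = ""; }
              else if (platform == "x64_darwin") { sub(/hash = "sha256-[^"]*"/, "hash = \"" x64_darwin "\""); platform = ""; }
              else if (platform == "arm64_darwin") { sub(/hash = "sha256-[^"]*"/, "hash = \"" arm64_darwin "\""); platform = ""; }
            }
            print;
          }' "$BIN_PACKAGE_FILE" > "$BIN_PACKAGE_FILE.tmp" && mv "$BIN_PACKAGE_FILE.tmp" "$BIN_PACKAGE_FILE"
          echo "✓ Binary package updated"
          echo ""

          echo "--- Source Package (package.nix) ---"
          echo "Fetching hash for GitHub source tarball..."
          echo ""

          # nix-prefetch-url --unpack hashes the unpacked tree, which is the
          # hash fetchFromGitHub expects for this archive URL.
          SOURCE_URL="https://github.com/${GITHUB_REPOSITORY}/archive/refs/tags/app-v${VERSION}.tar.gz"
          echo " Prefetching: $SOURCE_URL"
          # Two separate commands instead of `... | xargs ...`, so a failed
          # prefetch stops the step rather than feeding an empty value on.
          SOURCE_HASH_RAW=$(nix-prefetch-url --unpack "$SOURCE_URL" --type sha256)
          SOURCE_HASH=$(nix-hash --to-sri --type sha256 "$SOURCE_HASH_RAW")
          case "$SOURCE_HASH" in
            sha256-?*) ;;
            *)
              echo "::error::Source hash is not in SRI form; refusing to update $SRC_PACKAGE_FILE"
              exit 1
              ;;
          esac
          echo " Source tarball: $SOURCE_HASH"
          echo ""

          echo "Updating $SRC_PACKAGE_FILE..."
          # Update version in source package
          sed -i "s/version = \"[^\"]*\";/version = \"$VERSION\";/" "$SRC_PACKAGE_FILE"

          # Update source hash using awk for reliable replacement: only the
          # hash line directly below the marker comment is rewritten.
          awk -v source_hash="$SOURCE_HASH" '
          {
            if (prev_line ~ /# Update this hash when releasing a new version/ && $0 ~ /hash = "sha256-/) {
              sub(/hash = "sha256-[^"]*"/, "hash = \"" source_hash "\"");
            }
            print;
            prev_line = $0;
          }' "$SRC_PACKAGE_FILE" > "$SRC_PACKAGE_FILE.tmp" && mv "$SRC_PACKAGE_FILE.tmp" "$SRC_PACKAGE_FILE"
          echo "✓ Source package updated"
          echo ""

          echo "--- Updating dependency hashes ---"
          echo "Running update-hashes.sh to update cargo and pnpm hashes..."
          echo ""
          # Run the hash update script to update cargo and pnpm dependencies.
          # NOTE(review): the commit step stages only nix/package-bin.nix and
          # nix/package.nix; confirm this script writes to no other file.
          chmod +x ./nix/update-hashes.sh
          ./nix/update-hashes.sh
          echo ""
          echo "==> All package files updated!"

      - name: Commit and push changes
        # The version reaches the script through the environment for the same
        # reason as in the extraction step: it originates from a tag name or
        # a dispatch input.
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          set -euo pipefail
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add nix/package-bin.nix nix/package.nix
          if git diff --staged --quiet; then
            echo "No changes to commit (hashes already up to date)"
          else
            git commit -m "chore(nix): update package hashes for v${VERSION}"
            git push origin master
            echo "✓ Successfully updated and pushed Nix package hashes"
          fi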