fix(nix): filter optional dependencies by target platform (#8033)

2026-02-01 22:48:16 +00:00 · 2026-01-12 19:49:06 +01:00
parent d527ceeb2b
commit ca1b597b01
5 changed files with 131 additions and 14 deletions
--- a/.github/workflows/update-nix-hashes.yml
+++ b/.github/workflows/update-nix-hashes.yml
@@ -17,7 +17,7 @@ on:
      - "packages/*/package.json"

 jobs:
-  update:
+  update-linux:
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    runs-on: blacksmith-4vcpu-ubuntu-2404
    env:
@@ -47,14 +47,14 @@ jobs:
          nix flake update
          echo "✅ flake.lock updated successfully"

-      - name: Update node_modules hash
+      - name: Update node_modules hash for x86_64-linux
        run: |
          set -euo pipefail
-          echo "🔄 Updating node_modules hash..."
+          echo "🔄 Updating node_modules hash for x86_64-linux..."
          nix/scripts/update-hashes.sh
-          echo "✅ node_modules hash updated successfully"
+          echo "✅ node_modules hash for x86_64-linux updated successfully"

-      - name: Commit hash changes
+      - name: Commit Linux hash changes
        env:
          TARGET_BRANCH: ${{ github.head_ref || github.ref_name }}
        run: |
@@ -65,7 +65,7 @@ jobs:
          summarize() {
            local status="$1"
            {
-              echo "### Nix Hash Update"
+              echo "### Nix Hash Update (x86_64-linux)"
              echo ""
              echo "- ref: ${GITHUB_REF_NAME}"
              echo "- status: ${status}"
@@ -89,7 +89,92 @@ jobs:
          echo "🔗 Staging files..."
          git add "${FILES[@]}"
          echo "💾 Committing changes..."
-          git commit -m "Update Nix flake.lock and hashes"
+          git commit -m "Update Nix flake.lock and x86_64-linux hash"
+          echo "✅ Changes committed"
+
+          BRANCH="${TARGET_BRANCH:-${GITHUB_REF_NAME}}"
+          echo "🌳 Pulling latest from branch: $BRANCH"
+          git pull --rebase origin "$BRANCH"
+          echo "🚀 Pushing changes to branch: $BRANCH"
+          git push origin HEAD:"$BRANCH"
+          echo "✅ Changes pushed successfully"
+
+          summarize "committed $(git rev-parse --short HEAD)"
+
+  update-macos:
+    needs: update-linux
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+    runs-on: macos-latest
+    env:
+      SYSTEM: aarch64-darwin
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          fetch-depth: 0
+          ref: ${{ github.head_ref || github.ref_name }}
+          repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
+
+      - name: Setup Nix
+        uses: DeterminateSystems/nix-installer-action@v20
+
+      - name: Configure git
+        run: |
+          git config --global user.email "action@github.com"
+          git config --global user.name "Github Action"
+
+      - name: Pull latest changes
+        env:
+          TARGET_BRANCH: ${{ github.head_ref || github.ref_name }}
+        run: |
+          BRANCH="${TARGET_BRANCH:-${GITHUB_REF_NAME}}"
+          git pull origin "$BRANCH"
+
+      - name: Update node_modules hash for aarch64-darwin
+        run: |
+          set -euo pipefail
+          echo "🔄 Updating node_modules hash for aarch64-darwin..."
+          nix/scripts/update-hashes.sh
+          echo "✅ node_modules hash for aarch64-darwin updated successfully"
+
+      - name: Commit macOS hash changes
+        env:
+          TARGET_BRANCH: ${{ github.head_ref || github.ref_name }}
+        run: |
+          set -euo pipefail
+
+          echo "🔍 Checking for changes in tracked Nix files..."
+
+          summarize() {
+            local status="$1"
+            {
+              echo "### Nix Hash Update (aarch64-darwin)"
+              echo ""
+              echo "- ref: ${GITHUB_REF_NAME}"
+              echo "- status: ${status}"
+            } >> "$GITHUB_STEP_SUMMARY"
+            if [ -n "${GITHUB_SERVER_URL:-}" ] && [ -n "${GITHUB_REPOSITORY:-}" ] && [ -n "${GITHUB_RUN_ID:-}" ]; then
+              echo "- run: ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" >> "$GITHUB_STEP_SUMMARY"
+            fi
+            echo "" >> "$GITHUB_STEP_SUMMARY"
+          }
+
+          FILES=(nix/hashes.json)
+          STATUS="$(git status --short -- "${FILES[@]}" || true)"
+          if [ -z "$STATUS" ]; then
+            echo "✅ No changes detected. Hash is already up to date."
+            summarize "no changes"
+            exit 0
+          fi
+
+          echo "📝 Changes detected:"
+          echo "$STATUS"
+          echo "🔗 Staging files..."
+          git add "${FILES[@]}"
+          echo "💾 Committing changes..."
+          git commit -m "Update aarch64-darwin hash"
          echo "✅ Changes committed"

          BRANCH="${TARGET_BRANCH:-${GITHUB_REF_NAME}}"
--- a/flake.nix
+++ b/flake.nix
@@ -27,11 +27,28 @@
        "aarch64-darwin" = "bun-darwin-arm64";
        "x86_64-darwin" = "bun-darwin-x64";
      };
-      defaultNodeModules = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
+
+      # Parse "bun-{os}-{cpu}" to {os, cpu}
+      parseBunTarget =
+        target:
+        let
+          parts = lib.splitString "-" target;
+        in
+        {
+          os = builtins.elemAt parts 1;
+          cpu = builtins.elemAt parts 2;
+        };
+
      hashesFile = "${./nix}/hashes.json";
      hashesData =
        if builtins.pathExists hashesFile then builtins.fromJSON (builtins.readFile hashesFile) else { };
-      nodeModulesHash = hashesData.nodeModules or defaultNodeModules;
+      # Lookup hash: supports per-system ({system: hash}) or legacy single hash
+      nodeModulesHashFor =
+        system:
+        if builtins.isAttrs hashesData.nodeModules then
+          hashesData.nodeModules.${system}
+        else
+          hashesData.nodeModules;
      modelsDev = forEachSystem (
        system:
        let
@@ -63,8 +80,11 @@
        system:
        let
          pkgs = pkgsFor system;
+          bunPlatform = parseBunTarget bunTarget.${system};
          mkNodeModules = pkgs.callPackage ./nix/node-modules.nix {
-            hash = nodeModulesHash;
+            hash = nodeModulesHashFor system;
+            bunCpu = bunPlatform.cpu;
+            bunOs = bunPlatform.os;
          };
          mkOpencode = pkgs.callPackage ./nix/opencode.nix { };
          mkDesktop = pkgs.callPackage ./nix/desktop.nix { };
--- a/nix/hashes.json
+++ b/nix/hashes.json
@@ -1,3 +1,6 @@
 {
-  "nodeModules": "sha256-FbV9MDkPXCSPO0TL3uYvkMmfVTDH9Lyr2r1ZolYdWW0="
+  "nodeModules": {
+    "x86_64-linux": "sha256-8nur5CuUCSV/SzD16hNXVoIlKsiPBXDzCnoITK0IhC4=",
+    "aarch64-darwin": "sha256-vD1g9dviI2nMBTTPwI87sK01hSZ+cdnmb1V72AdJYq4="
+  }
 }
--- a/nix/node-modules.nix
+++ b/nix/node-modules.nix
@@ -5,6 +5,8 @@
  bun,
  cacert,
  curl,
+  bunCpu,
+  bunOs,
 }:
 args:
 stdenvNoCC.mkDerivation {
@@ -29,8 +31,8 @@ stdenvNoCC.mkDerivation {
    export HOME=$(mktemp -d)
    export BUN_INSTALL_CACHE_DIR=$(mktemp -d)
    bun install \
-      --cpu="*" \
-      --os="*" \
+      --cpu="${bunCpu}" \
+      --os="${bunOs}" \
      --frozen-lockfile \
      --ignore-scripts \
      --no-progress \
--- a/nix/scripts/update-hashes.sh
+++ b/nix/scripts/update-hashes.sh
@@ -33,9 +33,16 @@ trap cleanup EXIT

 write_node_modules_hash() {
  local value="$1"
+  local system="${2:-$SYSTEM}"
  local temp
  temp=$(mktemp)
-  jq --arg value "$value" '.nodeModules = $value' "$HASH_FILE" >"$temp"
+  
+  if jq -e '.nodeModules | type == "object"' "$HASH_FILE" >/dev/null 2>&1; then
+    jq --arg system "$system" --arg value "$value" '.nodeModules[$system] = $value' "$HASH_FILE" >"$temp"
+  else
+    jq --arg system "$system" --arg value "$value" '.nodeModules = {($system): $value}' "$HASH_FILE" >"$temp"
+  fi
+  
  mv "$temp" "$HASH_FILE"
 }