From ca1b597b010bdf624fd839de479533cf5e4010df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Benoit?= Date: Mon, 12 Jan 2026 19:49:06 +0100 Subject: [PATCH] fix(nix): filter optional dependencies by target platform (#8033) --- .github/workflows/update-nix-hashes.yml | 99 +++++++++++++++++++++++-- flake.nix | 26 ++++++- nix/hashes.json | 5 +- nix/node-modules.nix | 6 +- nix/scripts/update-hashes.sh | 9 ++- 5 files changed, 131 insertions(+), 14 deletions(-) diff --git a/.github/workflows/update-nix-hashes.yml b/.github/workflows/update-nix-hashes.yml index d2c60b08f0..46ea12d187 100644 --- a/.github/workflows/update-nix-hashes.yml +++ b/.github/workflows/update-nix-hashes.yml @@ -17,7 +17,7 @@ on: - "packages/*/package.json" jobs: - update: + update-linux: if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository runs-on: blacksmith-4vcpu-ubuntu-2404 env: @@ -47,14 +47,14 @@ jobs: nix flake update echo "✅ flake.lock updated successfully" - - name: Update node_modules hash + - name: Update node_modules hash for x86_64-linux run: | set -euo pipefail - echo "🔄 Updating node_modules hash..." + echo "🔄 Updating node_modules hash for x86_64-linux..." nix/scripts/update-hashes.sh - echo "✅ node_modules hash updated successfully" + echo "✅ node_modules hash for x86_64-linux updated successfully" - - name: Commit hash changes + - name: Commit Linux hash changes env: TARGET_BRANCH: ${{ github.head_ref || github.ref_name }} run: | @@ -65,7 +65,7 @@ jobs: summarize() { local status="$1" { - echo "### Nix Hash Update" + echo "### Nix Hash Update (x86_64-linux)" echo "" echo "- ref: ${GITHUB_REF_NAME}" echo "- status: ${status}" 
@@ -89,7 +89,92 @@ jobs: echo "🔗 Staging files..." git add "${FILES[@]}" echo "💾 Committing changes..." - git commit -m "Update Nix flake.lock and hashes" + git commit -m "Update Nix flake.lock and x86_64-linux hash" + echo "✅ Changes committed" + + BRANCH="${TARGET_BRANCH:-${GITHUB_REF_NAME}}" + echo "🌳 Pulling latest from branch: $BRANCH" + git pull --rebase origin "$BRANCH" + echo "🚀 Pushing changes to branch: $BRANCH" + git push origin HEAD:"$BRANCH" + echo "✅ Changes pushed successfully" + + summarize "committed $(git rev-parse --short HEAD)" + + update-macos: + needs: update-linux + if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository + runs-on: macos-latest + env: + SYSTEM: aarch64-darwin + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + fetch-depth: 0 + ref: ${{ github.head_ref || github.ref_name }} + repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }} + + - name: Setup Nix + uses: DeterminateSystems/nix-installer-action@v20 + + - name: Configure git + run: | + git config --global user.email "action@github.com" + git config --global user.name "Github Action" + + - name: Pull latest changes + env: + TARGET_BRANCH: ${{ github.head_ref || github.ref_name }} + run: | + BRANCH="${TARGET_BRANCH:-${GITHUB_REF_NAME}}" + git pull origin "$BRANCH" + + - name: Update node_modules hash for aarch64-darwin + run: | + set -euo pipefail + echo "🔄 Updating node_modules hash for aarch64-darwin..." + nix/scripts/update-hashes.sh + echo "✅ node_modules hash for aarch64-darwin updated successfully" + + - name: Commit macOS hash changes + env: + TARGET_BRANCH: ${{ github.head_ref || github.ref_name }} + run: | + set -euo pipefail + + echo "🔍 Checking for changes in tracked Nix files..." 
+ + summarize() { + local status="$1" + { + echo "### Nix Hash Update (aarch64-darwin)" + echo "" + echo "- ref: ${GITHUB_REF_NAME}" + echo "- status: ${status}" + } >> "$GITHUB_STEP_SUMMARY" + if [ -n "${GITHUB_SERVER_URL:-}" ] && [ -n "${GITHUB_REPOSITORY:-}" ] && [ -n "${GITHUB_RUN_ID:-}" ]; then + echo "- run: ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" >> "$GITHUB_STEP_SUMMARY" + fi + echo "" >> "$GITHUB_STEP_SUMMARY" + } + + FILES=(nix/hashes.json) + STATUS="$(git status --short -- "${FILES[@]}" || true)" + if [ -z "$STATUS" ]; then + echo "✅ No changes detected. Hash is already up to date." + summarize "no changes" + exit 0 + fi + + echo "📝 Changes detected:" + echo "$STATUS" + echo "🔗 Staging files..." + git add "${FILES[@]}" + echo "💾 Committing changes..." + git commit -m "Update aarch64-darwin hash" echo "✅ Changes committed" BRANCH="${TARGET_BRANCH:-${GITHUB_REF_NAME}}" diff --git a/flake.nix b/flake.nix index e53053217f..4219a7e8e1 100644 --- a/flake.nix +++ b/flake.nix @@ -27,11 +27,28 @@ "aarch64-darwin" = "bun-darwin-arm64"; "x86_64-darwin" = "bun-darwin-x64"; }; - defaultNodeModules = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; + + # Parse "bun-{os}-{cpu}" to {os, cpu} + parseBunTarget = + target: + let + parts = lib.splitString "-" target; + in + { + os = builtins.elemAt parts 1; + cpu = builtins.elemAt parts 2; + }; + hashesFile = "${./nix}/hashes.json"; hashesData = if builtins.pathExists hashesFile then builtins.fromJSON (builtins.readFile hashesFile) else { }; - nodeModulesHash = hashesData.nodeModules or defaultNodeModules; + # Lookup hash: supports per-system ({system: hash}) or legacy single hash + nodeModulesHashFor = + system: + if builtins.isAttrs hashesData.nodeModules then + hashesData.nodeModules.${system} + else + hashesData.nodeModules; modelsDev = forEachSystem ( system: let 
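Review bot: The new `update-macos` job references `actions/checkout@v4` and `DeterminateSystems/nix-installer-action@v20` by mutable tag while holding the token it later uses to `git push`. Pinning both to a full commit SHA (`uses: actions/checkout@<full-commit-sha> # v4`) keeps a re-pointed tag from running inside a job that writes to the repository. The "Pull latest changes" step is the only run step here without `set -euo pipefail`, and it does a merge-style pull; I would make it `set -euo pipefail` followed by `git pull --ff-only origin "$BRANCH"`. No `permissions:` block is visible in this hunk, so if the workflow does not set one elsewhere, a job-level `permissions:` with `contents: write` would state exactly the scope the push needs. Passing the branch name through `TARGET_BRANCH` in `env:` rather than interpolating `github.head_ref` into the script is worth keeping, since it keeps a crafted branch name from being expanded as shell.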
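Review bot: `nodeModulesHashFor` no longer has a fallback now that `defaultNodeModules` and the `or` are removed. When `nix/hashes.json` is absent, `hashesData` is `{ }` and `hashesData.nodeModules` aborts evaluation with a bare missing-attribute error. The same happens for any system in the `bunTarget` table without an entry, and `x86_64-darwin` is listed there while this commit's `nix/hashes.json` carries only `x86_64-linux` and `aarch64-darwin`. Failing closed is the right behaviour for a fixed-output hash, but it should say why: `hashesData.nodeModules.${system} or (throw "nix/hashes.json has no nodeModules hash for ${system}")`, with the `builtins.isAttrs` test written against `hashesData.nodeModules or null`. `parseBunTarget` likewise assumes exactly three `-`-separated parts, so its comment could say `# expects exactly "bun-<os>-<cpu>"; any other shape fails in elemAt`. The enclosing `let` block starts and ends outside this hunk.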
@@ -63,8 +80,11 @@ system: let pkgs = pkgsFor system; + bunPlatform = parseBunTarget bunTarget.${system}; mkNodeModules = pkgs.callPackage ./nix/node-modules.nix { - hash = nodeModulesHash; + hash = nodeModulesHashFor system; + bunCpu = bunPlatform.cpu; + bunOs = bunPlatform.os; }; mkOpencode = pkgs.callPackage ./nix/opencode.nix { }; mkDesktop = pkgs.callPackage ./nix/desktop.nix { }; diff --git a/nix/hashes.json b/nix/hashes.json index 8de9c23195..b85e146d7f 100644 --- a/nix/hashes.json +++ b/nix/hashes.json @@ -1,3 +1,6 @@ { - "nodeModules": "sha256-FbV9MDkPXCSPO0TL3uYvkMmfVTDH9Lyr2r1ZolYdWW0=" + "nodeModules": { + "x86_64-linux": "sha256-8nur5CuUCSV/SzD16hNXVoIlKsiPBXDzCnoITK0IhC4=", + "aarch64-darwin": "sha256-vD1g9dviI2nMBTTPwI87sK01hSZ+cdnmb1V72AdJYq4=" + } } diff --git a/nix/node-modules.nix b/nix/node-modules.nix index be7edd9c7e..2a8f0a47cb 100644 --- a/nix/node-modules.nix +++ b/nix/node-modules.nix @@ -5,6 +5,8 @@ bun, cacert, curl, + bunCpu, + bunOs, }: args: stdenvNoCC.mkDerivation { @@ -29,8 +31,8 @@ stdenvNoCC.mkDerivation { export HOME=$(mktemp -d) export BUN_INSTALL_CACHE_DIR=$(mktemp -d) bun install \ - --cpu="*" \ - --os="*" \ + --cpu="${bunCpu}" \ + --os="${bunOs}" \ --frozen-lockfile \ --ignore-scripts \ --no-progress \ diff --git a/nix/scripts/update-hashes.sh b/nix/scripts/update-hashes.sh index 7bf183c5b3..22c556363a 100755 --- a/nix/scripts/update-hashes.sh +++ b/nix/scripts/update-hashes.sh @@ -33,9 +33,16 @@ trap cleanup EXIT write_node_modules_hash() { local value="$1" + local system="${2:-$SYSTEM}" local temp temp=$(mktemp) - jq --arg value "$value" '.nodeModules = $value' "$HASH_FILE" >"$temp" + + if jq -e '.nodeModules | type == "object"' "$HASH_FILE" >/dev/null 2>&1; then + jq --arg system "$system" --arg value "$value" '.nodeModules[$system] = $value' "$HASH_FILE" >"$temp" + else + jq --arg system "$system" --arg value "$value" '.nodeModules = {($system): $value}' "$HASH_FILE" >"$temp" + fi + mv "$temp" "$HASH_FILE" }
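Review bot: The `bun install` call in `nix/node-modules.nix` has no comment explaining that the fixed-output hash is now platform-specific. With `--cpu="${bunCpu}"` and `--os="${bunOs}"` replacing the `"*"` wildcards, the hash depends on the target, which is why `nix/hashes.json` became a per-system map. I would add `# Only the target platform's optional dependencies are installed, so the output hash differs per system (see nix/hashes.json).` above the command. `bunCpu` and `bunOs` are added without defaults, so any other caller of this file must now pass them; whether one exists cannot be seen from this hunk. The `mkDerivation` body continues outside the hunk.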
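Review bot: `write_node_modules_hash` never checks that `system` is non-empty before using it as a JSON key. If the caller passes no second argument and `SYSTEM` is unset or empty (its definition is not visible in this hunk), `jq` either writes the hash under an empty key or, under `set -u`, the expansion aborts with an unrelated-looking message. A guard right after the assignment makes that explicit: `[ -n "$system" ] || { echo "write_node_modules_hash: no target system given" >&2; return 1; }`. The `jq -e ... >/dev/null 2>&1` probe also treats a missing or malformed `$HASH_FILE` the same as the legacy single-hash shape, so the `else` branch would try to rewrite a file it could not parse. Checking `[ -s "$HASH_FILE" ]` first, or letting jq's stderr through, would surface that instead of hiding it.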