fix: add nix-update-hash as required status check to prevent stale flake.nix on main

[drewr]

Problem

I still occasionally get nix hash errors even though we have a nice workflow set up.

error: hash mismatch in fixed-output derivation '/nix/store/bv8n89sh111wawdz6kg695l50daylmjn-datumctl-dev-go-modules.drv':
         specified: sha256-gHeXQVHEEWCAVizX4WgOMn5sEGOvYXvzSuFcMJ1jZ8k=
            got:    sha256-XMUZHe7aU/erW1IgDpeyeSYHuTejIYpscC7BoEfDQ1w=
error: 1 dependencies of derivation '/nix/store/9q16alspb97yd7avlin2ba7r2c609x9q-datumctl-dev.drv' failed to build
make: *** [Makefile:7: home] Error 1

The nix-update-hash workflow was designed to update flake.nix with the correct vendorHash before a PR merges with any go dep change. However, Renovate is consistently merging dependency update PRs before the workflow finishes, causing flake.nix on main to fall behind.

Evidence from recent runs:

PR	Branch run finished	Merge triggered
#123 (activity)	11:37:21	11:37:12 — 9s early
#121 (milo)	10:48:59	10:48:24 — 35s early
#126 (controller-runtime)	10:22:42	10:21:54 — 48s early
#125 (kubernetes-monorepo)	10:21:14	10:19:20 — ~2m early

After each merge, the workflow re-runs on main, successfully computes the new hash, but then fails to push because branch protection requires changes to go through a PR:

remote: - Changes must be made through a pull request.
! [remote rejected] main -> main (push declined due to repository rule violations)

Root cause: the main ruleset (id 2955683) has no required_status_checks rule, so Renovate's auto-merge does not wait for nix-update-hash to complete.

Proposed Fix

Add a required_status_checks rule to the existing main ruleset requiring the update-hash job to pass before merge is allowed.

The check context name was verified against the live API: update-hash (GitHub Actions, integration_id 15368).

gh api --method PATCH repos/datum-cloud/datumctl/rulesets/2955683 \
  --input - <<'EOF'
{
  "rules": [
    {"type": "deletion"},
    {"type": "non_fast_forward"},
    {
      "type": "pull_request",
      "parameters": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews_on_push": true,
        "required_reviewers": [],
        "require_code_owner_review": true,
        "require_last_push_approval": true,
        "required_review_thread_resolution": false,
        "allowed_merge_methods": ["merge", "squash", "rebase"]
      }
    },
    {
      "type": "required_status_checks",
      "parameters": {
        "strict_required_status_checks_policy": false,
        "do_not_enforce_on_create": false,
        "required_status_checks": [
          {
            "context": "update-hash",
            "integration_id": 15368
          }
        ]
      }
    }
  ]
}
EOF

Expected Behaviour After Fix

1. Renovate pushes go.mod/go.sum changes → triggers nix-update-hash
2. Workflow pushes flake.nix update back to the branch → triggers a second nix-update-hash run on the new HEAD
3. Second run finds no changes → exits cleanly, required check passes
4. Renovate auto-merge proceeds with a correctly hashed flake.nix

[drewr]

Going to try the above. The command to revert if things go south:

gh api --method PATCH repos/datum-cloud/datumctl/rulesets/2955683 \
    --input - <<'REVERT'
  {
    "rules": [
      {"type": "deletion"},
      {"type": "non_fast_forward"},
      {
        "type": "pull_request",
        "parameters": {
          "required_approving_review_count": 1,
          "dismiss_stale_reviews_on_push": true,
          "required_reviewers": [],
          "require_code_owner_review": true,
          "require_last_push_approval": true,
          "required_review_thread_resolution": false,
          "allowed_merge_methods": ["merge", "squash", "rebase"]
        }
      }
    ]
  }
  REVERT

[drewr]

Update: Correct API Command

The change has been applied. Note that the correct HTTP verb is PUT, not PATCH — the GitHub API returns 404 for PATCH on rulesets even with admin access.

Corrected apply command:

gh api --method PUT repos/datum-cloud/datumctl/rulesets/2955683 \
  --input - <<'PAYLOAD'
{
  "name": "main",
  "rules": [
    {"type": "deletion"},
    {"type": "non_fast_forward"},
    {
      "type": "pull_request",
      "parameters": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews_on_push": true,
        "required_reviewers": [],
        "require_code_owner_review": true,
        "require_last_push_approval": true,
        "required_review_thread_resolution": false,
        "allowed_merge_methods": ["merge", "squash", "rebase"]
      }
    },
    {
      "type": "required_status_checks",
      "parameters": {
        "strict_required_status_checks_policy": false,
        "do_not_enforce_on_create": false,
        "required_status_checks": [
          {
            "context": "update-hash",
            "integration_id": 15368
          }
        ]
      }
    }
  ]
}
PAYLOAD

Corrected revert command:

gh api --method PUT repos/datum-cloud/datumctl/rulesets/2955683 \
  --input - <<'PAYLOAD'
{
  "name": "main",
  "rules": [
    {"type": "deletion"},
    {"type": "non_fast_forward"},
    {
      "type": "pull_request",
      "parameters": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews_on_push": true,
        "required_reviewers": [],
        "require_code_owner_review": true,
        "require_last_push_approval": true,
        "required_review_thread_resolution": false,
        "allowed_merge_methods": ["merge", "squash", "rebase"]
      }
    }
  ]
}
PAYLOAD