ci(vendor-hash): fix fake-hash leak; batch indirect Go deps #976
cpcloud merged 2 commits into micasa-dev:main, Apr 23, 2026
The workflow replaces vendorHash with a fake sentinel before calling nix build, parses the real hash from the "got:" line, and substitutes it back. When old_hash equals new_hash, the early-return branch was exiting before performing that final substitution, leaving the fake hash in nix/package.nix. Combined with go.mod/go.sum changes from go mod tidy, the Commit and push step then committed the fake hash. See PR micasa-dev#974 for a concrete occurrence. Move the restoration sed ahead of the unchanged check so the file is always in a valid state before any exit. Also pipe grep through head -n1 to defend against multi-line output (e.g. multiple FOD failures reporting their own got: lines).
Disable separateMajorMinor, separateMultipleMajor, and separateMinorPatch on the go-indirect packageRule so Renovate collapses every indirect Go dependency update into one branch/PR regardless of semver level. Today Renovate splits indirects across separate branches per update type (e.g. renovate/major-go-indirect), producing per-severity PRs that churn nix/package.nix individually. Batching them is lower maintenance noise and lets go mod tidy settle the whole set once.
cpcloud added a commit that referenced this pull request on Apr 23, 2026:

…ooks (#978)

Follow-up to #976. PR #977 surfaced two gaps the first round didn't address:

**1. Renovate keeps opening doomed major bumps for indirect Go deps.**

#977 proposed `github.com/openai/openai-go` v1 -> v3 and `modernc.org/libc` v1 -> v2. Both new majors are different module paths, nothing in this repo imports them, and `go mod why github.com/openai/openai-go/v3` returns `(main module does not need package ...)`. `go mod tidy` strips them on every workflow run. The PR can never reconcile with main.

Disable `matchUpdateTypes: ["major"]` for `indirect` deps under `gomod` so these PRs stop being opened.

**2. The batched go-indirect workflow commit trips two pre-commit hooks as false positives.**

When `go mod tidy` reshapes `go.sum` without altering vendor contents (exactly the state after tidy strips an unused major), `Commit and push` fails:

- `vendor-hash-check` reports "go.sum changed but nix/package.nix is unchanged" -- but the workflow already ran the authoritative `nix build` hash computation in the previous step.
- `go-mod-tidy` reports "tidy would modify files" -- the upstream `Tidy go modules` step already tidied.

Scope a `SKIP: vendor-hash-check,go-mod-tidy` env to just the `Commit and push` step. This is a narrow per-hook skip via prek's `SKIP` variable, not a blanket bypass. All other hooks still run on that commit.

## Reproduction

1. Open any Renovate PR that bumps an indirect Go dep to a new major version (the new major is a different module path and nothing imports it).
2. Before this PR: the PR is unfixable, `go mod tidy` keeps reverting the bump, and the vendor-hash workflow cannot commit its tidy output because `vendor-hash-check` blocks. After this PR: Renovate never opens the PR in the first place, and if an equivalent tidy-only scenario arises from another path the workflow can still commit.

## Follow-up

Close #977 -- its branch carries the stuck state and Renovate will skip that update-type under the new rule.
Fixes accumulated while watching Renovate shake this out end-to-end (PRs #974 and #977).
## What went wrong

1. `update-vendor-hash.yml` committed a sentinel hash (PR #974). The compute step writes `sha256-AAAA...` into `nix/package.nix`, runs `nix build`, parses `got: sha256-...`. On the `old_hash == new_hash` branch it was exiting before the final `sed` restored the real hash, leaving the sentinel in the file. `go mod tidy` still touched `go.mod`/`go.sum`, so `git diff --cached` was non-empty and `Commit and push` ran with the sentinel. `Verify build` was gated on `changed == 'true'`, so nothing caught it. See run 24829437487: `vendorHash unchanged (sha256-wDz1EKWKPkubV8NcBGQnLnRi4XT0rCjOQBKtO/yRdds=), nothing to do` followed by `[renovate/major-go-indirect ee7cceb] chore: update vendorHash for Go dependency changes`.
2. Renovate kept opening major-version indirect bumps (PRs #974, #977). `github.com/openai/openai-go` and `modernc.org/libc` got proposed v1 -> v3 and v1 -> v2 updates. `go mod why github.com/openai/openai-go/v3` returns `(main module does not need package ...)` -- the new major is a different module path and nothing in the repo imports it, so `go mod tidy` strips the lines every time. The PR never reconciles with main.
3. The batched `go-indirect` run (#977) then tripped two pre-commit hooks as false positives. After `go mod tidy` reshapes `go.sum` without altering vendor contents, `Commit and push` hits `vendor-hash-check` ("go.sum changed but nix/package.nix is unchanged") and `go-mod-tidy` ("tidy would modify files" -- the upstream `Tidy go modules` step already tidied).

## Changes

`.github/workflows/update-vendor-hash.yml`

- `sed` ahead of the unchanged-check so the file always holds a real hash before any exit.
- `| head -n1` on the `grep` to defend against multi-line `got:` output.
- `SKIP: vendor-hash-check,go-mod-tidy` env on `Commit and push`. Narrow per-hook skip via the prek `SKIP` variable, scoped to the step that the workflow is itself the authority for. All other hooks still run.

`renovate.json`

- `separateMajorMinor: false`, `separateMultipleMajor: false`, `separateMinorPatch: false` on the `go-indirect` rule so every indirect update lands in one PR regardless of semver.
- `matchUpdateTypes: ["major"]` for `indirect` deps under `gomod` -- stops the doomed major-bump PRs at the source.

## Reproduction

`go mod tidy` keeps reverting. After this PR: (1) restores the real hash cleanly and (2) never gets opened.

## Follow-up

Close #974 and #977 -- their branches carry the broken commits and Renovate will open fresh batched non-major PRs under the new rules.
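The compute step as the PR describes it, written out as an added example (this is not the project's workflow file): the restoring `sed` runs before the unchanged check, and `head -n1` keeps only the first `got:` line. `nix build` is replaced by a stub, and the second `got:` line and the `sha256-AAAA…` sentinel are constructed values.

```sh
#!/usr/bin/env sh
# Added example, not the project's workflow: the compute step with the restore
# sed moved ahead of the unchanged check and `head -n1` on the grep.
# `nix build` is replaced by a stub so this runs offline.
set -eu

FAKE_HASH='sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
REAL_HASH='sha256-wDz1EKWKPkubV8NcBGQnLnRi4XT0rCjOQBKtO/yRdds='  # from the PR's log excerpt

# Stub for `nix build`: a fixed-output derivation mismatch prints a "got:" line
# and fails. The second got: line is constructed to mimic a second FOD failure.
fake_nix_build() {
  echo "error: hash mismatch in fixed-output derivation (constructed stub output)" >&2
  echo "         specified: $FAKE_HASH" >&2
  echo "            got:    $REAL_HASH" >&2
  echo "            got:    sha256-SECONDFAILUREConstructedPlaceholder0000000000=" >&2
  return 1
}

# Portable stand-in for `sed -i`: replace_in_file FROM TO FILE
replace_in_file() {
  tmp=$(mktemp)
  sed "s|$1|$2|" "$3" > "$tmp" && mv "$tmp" "$3"
}

# update_vendor_hash FILE: prints "changed" or "unchanged". FILE always holds
# the real hash afterwards, including on the unchanged path (the leaked case).
update_vendor_hash() {
  file=$1
  old_hash=$(sed -n 's/.*vendorHash = "\([^"]*\)".*/\1/p' "$file")
  [ -n "$old_hash" ] || { echo "no vendorHash in $file" >&2; return 2; }
  replace_in_file "$old_hash" "$FAKE_HASH" "$file"
  out=$(fake_nix_build 2>&1 || true)
  # head -n1 keeps the first got: line only; without it new_hash would hold
  # two hashes and the sed below would write garbage into the file.
  new_hash=$(printf '%s\n' "$out" | grep 'got:' | head -n1 | sed 's/.*got: *//')
  [ -n "$new_hash" ] || { echo "could not parse got: line" >&2; return 2; }
  # Restore before the unchanged check, so no exit path leaves the sentinel.
  replace_in_file "$FAKE_HASH" "$new_hash" "$file"
  if [ "$old_hash" = "$new_hash" ]; then
    echo "vendorHash unchanged ($new_hash), nothing to do" >&2
    echo unchanged
    return 0
  fi
  echo changed
}
```

Point `update_vendor_hash` at a file containing a `vendorHash = "..."` line; on the unchanged path the file still ends up holding the real hash, which is the state the original early return skipped.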