ci(nix): automate npmDeps hash and verify Nix builds on release tags #235
Add nix run .#update-npm-deps-hash plus a lefthook hook for local lockfile changes, drop the daily nix-linux CI job, and sync the hash from publish-nix when version tags are pushed so Dependabot PRs are not blocked by Nix.
CodeRabbit walkthrough: This PR automates npm dependencies hash synchronization in the Nix build system. A new shell utility script recalculates hashes from
Actionable comments posted: 2
Inline comments:
In @.github/workflows/publish.yaml:
- Around line 105-116: The "Commit npmDeps hash to main" step can fail to
checkout main if the workspace is dirty (e.g., nix/obsidianirc.nix modified by
the prior "Verify tagged release builds" step); update the step to detect and
preserve local changes by stashing before switching branches and restoring
afterward (use git stash --include-untracked before git fetch/checkout/pull and
git stash pop after the sync) or, alternatively, reset only the generated file
(e.g., git checkout -- nix/obsidianirc.nix) before checkout; modify the script
in the "Commit npmDeps hash to main" run block to perform the stash/reset/pop
around git fetch/checkout/pull to avoid checkout failures.
- Around line 95-100: The workflow uses mutable action tags (actions/checkout@v6
and cachix/install-nix-action@v31) which must be pinned to immutable
40-character commit SHAs; update those two occurrences (and any other actions in
the same file) to their corresponding full commit SHAs (e.g.,
actions/checkout@<40-char-sha>, cachix/install-nix-action@<40-char-sha>) so the
workflow references exact commits for reproducibility and security.
Files selected for processing (7):
- .github/workflows/publish.yaml
- .github/workflows/workflow.yaml
- AGENTS.md
- BUILD.md
- flake.nix
- lefthook.yml
- nix/update-npm-deps-hash.nix

Files with no reviewable changes (1):
- .github/workflows/workflow.yaml
| uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Install Nix | ||
| uses: cachix/install-nix-action@v31 |
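Review bot: the `fetch-depth: 0` on the checkout step gives the job the full history it needs to later fetch and check out `main`, but nothing in this hunk declares the job's `permissions:`; a step that commits back to `main` needs `contents: write` on the job (and the default `GITHUB_TOKEN` cannot bypass branch protection on `main`), so state that explicitly next to these lines or point to where it is set. The two `uses:` lines resolve a mutable tag at run time; if the plan is to let Dependabot handle pinning, it only rewrites these lines when the `github-actions` ecosystem is listed in `dependabot.yml`.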
Analysis chain. Script executed (repository: ObsidianIRC/ObsidianIRC):

```sh
#!/bin/bash
# Verify unpinned action references in this workflow:
# any `uses:` whose ref after '@' is not a 40-hex-char commit SHA.
rg -nP '^\s*uses:\s*[^@]+@(?!(?:[a-f0-9]{40})$).+' .github/workflows/publish.yaml
```
Pin all GitHub Actions to full commit SHAs.
Lines 95 and 100 use mutable tags (@v6, @v31), which presents a supply-chain security risk. This pattern appears across the entire workflow. Replace version tags with 40-character commit SHAs to ensure build reproducibility and prevent unexpected action updates.
Example pinning pattern
- - name: Checkout tag
- uses: actions/checkout@v6
+ - name: Checkout tag
+ uses: actions/checkout@<40-char-commit-sha> # v6
- - name: Install Nix
- uses: cachix/install-nix-action@v31
+ - name: Install Nix
+ uses: cachix/install-nix-action@<40-char-commit-sha> # v31
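Review bot: keep the trailing `# v6` / `# v31` comments shown on the `+` lines when the SHAs go in; Dependabot's github-actions updater recognises a SHA-pinned `uses:` with a version comment and bumps both the SHA and the comment together, which is what keeps the pin maintainable. The comment is for humans and Dependabot only: zizmor's `unpinned-uses` check looks at whether the ref is a 40-hex-char SHA and ignores the comment, so a bare SHA would also satisfy the linter but leave readers unable to tell which release it is.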
Tools: zizmor (1.25.2)
[error] 95-95: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
[error] 100-100: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
I will hold off on this and let dependabot handle it.
@unle4rn, understood! Dependabot is a perfectly reasonable way to manage this — just make sure your Dependabot config covers the github-actions ecosystem so it picks up these actions automatically. No further action needed from me here.
Same argument can be used for any shared workflow we already have @ValwareIRC
Again, the only way is to copy the source and checksum to a USB stick and go to an offline machine in the woods at night to compile this.
But yeah, maybe pinning all to hashes isn't a bad idea
out of scope for this PR anyway (dependabot needs to manage this)
The job verifies the Nix build and syncs npmDeps hash to main; it does not upload release assets like the other publish-* jobs.
The verify step can patch npmDeps in the working tree; discard that change before checkout so git switch to main does not fail on a dirty file.
Match publish-linux-arm job id style and drop a custom display name so the check list uses the same job-id format as the other publish workflow jobs.
Nobody runs Nix locally; verify-linux-nix on version tags syncs the hash to main. Keep nix run .#update-npm-deps-hash for optional manual use.
The job verifies the tagged Nix build and commits npmDeps hash fixes to main, not verify-only.
| - name: Verify tagged release builds | ||
| run: | | ||
| nix run .#update-npm-deps-hash | ||
| nix flake check && nix build .#obsidianirc --no-link --print-build-logs |
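Review bot: `nix run .#update-npm-deps-hash` on the first line of the `run:` block rewrites `nix/obsidianirc.nix` in the working tree and nothing in this step reverts it, so a later `git checkout main` in the same job trips over the dirty file; either `git checkout -- nix/obsidianirc.nix` once the build has passed, or drop the step altogether, since the commit-to-main step prefetches the hash and runs `nix build` again. Note also that `nix flake check && nix build ...` is one chained command: a failing flake check short-circuits the build, which is fine for gating, but only the first failure shows up in the log.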
Do we need this step? The step below is doing it again.
The commit-to-main step already prefetches the hash and runs nix build on main; building at the tag first duplicated that work (PR obbyworld#235 review).
Outside diff range comment (1), .github/workflows/publish.yaml, lines 114-120 (Potential issue, Major, Quick win): Build verification is skipped when the npmDeps hash hasn't changed.
The early exit at lines 114-117 prevents the Nix build verification at line 119 from running unless nix/obsidianirc.nix was modified. In a release workflow, the build should be verified on every release regardless of whether dependencies changed. Reorder the build verification before the hash change check to ensure every release-tag run confirms the build works:
Suggested fix
- if git diff --exit-code --quiet -- nix/obsidianirc.nix; then - echo "npmDeps hash on main is already up to date." - exit 0 - fi - - nix flake check && nix build .#obsidianirc --no-link --print-build-logs + nix flake check && nix build .#obsidianirc --no-link --print-build-logs + + if git diff --exit-code --quiet -- nix/obsidianirc.nix; then + echo "npmDeps hash on main is already up to date." + exit 0 + fi🤖 Prompt for AI Agents
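Review bot: with the reorder, `git diff --exit-code --quiet -- nix/obsidianirc.nix` still only compares the working tree against the index, so if the hash-update step ever stages the file (the lefthook hook is described as staging it), the check reports "already up to date" and the sync is skipped; use `git diff --quiet HEAD -- nix/obsidianirc.nix` or check both `git diff` and `git diff --cached` if that path is possible. Also, `exit 0` inside a multi-line `run:` ends the whole step, so anything added after this block later on (asset upload, notifications) would silently not run on the up-to-date path.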
Summary

- `nix run .#update-npm-deps-hash` to recompute `fetchNpmDeps` from `package-lock.json` and patch `nix/obsidianirc.nix`
- `nix-linux` job dropped from daily CI: Dependabot PRs no longer need to pass a 60-minute Nix build
- `publish-nix` added to the release workflow: on version tags, verify the Nix package builds and commit any hash fix back to `main`

Motivation

When `package-lock.json` changes (weekly Dependabot updates, new features, etc.), the `npmDepsHash` in `nix/obsidianirc.nix` must stay in sync or Nix builds fail. That was easy to miss and blocked CI. This follows the approach discussed with @mattf:
- `main` with `[skip ci]`

Changes

- `nix/update-npm-deps-hash.nix`: `prefetch-npm-deps` + `sed`
- `flake.nix`: `packages.update-npm-deps-hash`
- `lefthook.yml`: `npm-deps-hash` command on staged `package-lock.json` changes
- `.github/workflows/workflow.yaml`: `nix-linux` job
- `.github/workflows/publish.yaml`: `publish-nix` job (`if: github.ref_type == 'tag'`)
- `AGENTS.md`, `BUILD.md`

Test plan

- `nix flake check`
- `nix build .#obsidianirc` (~3.4 min, passes)
- `nix run .#update-npm-deps-hash` (idempotent on current lockfile)
- `npm-deps-hash` with stale hash → fixes, stages, aborts commit
- `statix`/`deadnix`/`nixfmt` on Nix files
- `actionlint` on workflows (syntax clean)
- `npm run format`/`fix:unsafe`/`test`/`build`
- tag push: `publish-nix` runs and syncs hash to `main` if needed

Notes

- (`nix run .#update-npm-deps-hash`)
- `publish-nix` runs in parallel with Tauri release builds, not in the lint/test workflow
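The two mechanics the thread keeps circling are the hash patch itself (the `prefetch-npm-deps` + `sed` step the description lists) and the "is the tree dirty before I switch to `main`" decision from the stash/reset review comment. The block below is an added example, not the project's `nix/update-npm-deps-hash.nix` or its `publish.yaml`, written in POSIX sh so both can be run and tested offline. It assumes the Nix file carries a line of the form `npmDepsHash = "sha256-...";` and takes the new hash as an argument instead of calling `prefetch-npm-deps` (which needs the lockfile and network); the sandbox repository and the hashes in it are constructed fixtures, and the function names are the example's own.

```sh
#!/bin/sh
# Added example (not ObsidianIRC code): patch npmDepsHash in a Nix file,
# detect whether that changed anything, and discard the generated change
# before switching branches. Assumes a line `npmDepsHash = "sha256-...";`.

# 0 if $1 is an SRI sha256 hash as fetchNpmDeps expects, 1 otherwise.
is_sri_sha256() {
  printf '%s\n' "$1" | grep -Eq '^sha256-[A-Za-z0-9+/]{43}=$'
}

# Rewrite the npmDepsHash line in file $1 to hash $2.
# Returns 0 if the file changed, 1 if it was already up to date,
# 2 if the hash is malformed or the file has no npmDepsHash line.
patch_npm_deps_hash() {
  file=$1
  new=$2
  is_sri_sha256 "$new" || return 2
  grep -q 'npmDepsHash = "' "$file" || return 2
  tmp="$file.tmp.$$"
  # Write to a temp file instead of `sed -i`: GNU and BSD sed disagree on -i.
  # '|' is the delimiter because SRI hashes may contain '/'.
  sed "s|npmDepsHash = \"[^\"]*\"|npmDepsHash = \"$new\"|" "$file" > "$tmp"
  if cmp -s "$file" "$tmp"; then
    rm -f "$tmp"
    return 1
  fi
  mv "$tmp" "$file"
}

# The workflow's early-exit test, inverted: 0 if nix/obsidianirc.nix in
# repo $1 differs from the index, 1 if it is clean.
hash_file_dirty() {
  ! git -C "$1" diff --exit-code --quiet -- nix/obsidianirc.nix
}

# The reviewer's point: a patched nix/obsidianirc.nix makes `git checkout main`
# fail, so throw the generated change away first. 0 if the file is clean after.
discard_generated_hash() {
  git -C "$1" checkout -- nix/obsidianirc.nix
  git -C "$1" diff --exit-code --quiet -- nix/obsidianirc.nix
}

# Constructed sandbox: a throwaway repo with one committed file holding a
# stale (made-up) hash. Prints the repo path.
make_sandbox() {
  dir=$(mktemp -d)
  mkdir -p "$dir/nix"
  cat > "$dir/nix/obsidianirc.nix" <<'EOF'
{ buildNpmPackage, ... }:
buildNpmPackage {
  pname = "obsidianirc";
  npmDepsHash = "sha256-0000000000000000000000000000000000000000000=";
}
EOF
  git -C "$dir" -c init.defaultBranch=main init -q
  git -C "$dir" add nix/obsidianirc.nix
  git -C "$dir" -c user.name=example -c user.email=example@example.invalid \
      -c commit.gpgsign=false commit -q -m "constructed fixture"
  printf '%s\n' "$dir"
}
```

In the workflow the same three calls line up as: patch, `nix build`, then either commit (if `hash_file_dirty`) or `discard_generated_hash` before `git checkout main`; the return codes are what `set -e` and the `if git diff --exit-code --quiet` branch act on.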