Add nix flake with automated vendorHash maintenance#74
Conversation
|
Thanks for adding this — we also have a nix flake in roborev that I've been maintaining. I laugh because the irony is that using Go to make static application binaries is supposed to make things easy for users to install and upgrade, but the whole Nix way of doing things just gets in the way and from what I can see it is simply making it harder for Nix users to engage with new projects. I've been watching Nix users struggle to deal with AI tools and their upgrade cycles (beads, claude, codex, roborev) and I can honestly say I have no interest in becoming a Nix user. |
|
That's understandable for sure. And FWIW I don't think Go is the limiting factor here. If it were pure go it would be statically linked and would Just Work™. It's the CGO bindings in go-sqlite3 and go-duckdb. What I personally like about it is being able to declaratively specify my entire system and being sure that it'll be the same everywhere. I just ported two VPSes from vultr to hetzner with a combination of terraform and a nix configuration that made it pretty painless, and I set up each new laptop of mine with the same software and settings and can be pretty sure it Just Works. You can always escape hatch out of nix land and get the same imperative experience as on any other system. But then it won't be declaratively specified in my setup (I'm hoping to set up msgvault on my server to be able to access it from everywhere so it'd be nice if it's setup correctly when I provision it). |
Since the sha depends on the go.mod file, it will break each time the dependencies change. CI builds nix to flag up when this happens (the error message should say what the new sha should be).
- Add scripts/update-nix-flake.sh: computes correct vendorHash by running nix build with a fake hash, updates flake.nix, verifies the build, and opens a PR. Supports optional version tag argument. - Hook into scripts/release.sh to offer nix flake update after tagging a release. - Change devShell from go_1_25 to go (tracks latest stable, no manual bumps needed). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
wesm
changed the title
- Restrict nix-build CI job to non-fork PRs to prevent arbitrary code execution via malicious flake.nix. Add contents: read permission. - Validate extracted vendorHash matches expected sha256 format (exactly 44 base64 chars) before inserting into flake.nix. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Reject VERSION_TAG values that don't match semver X.Y.Z format to prevent sed metacharacter injection into flake.nix. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove wesm from trusted-contributors.json so the security review bot runs on all PRs, not just external contributors. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The if: condition was blocking the job because this PR originated from a fork. The restriction is unnecessary — GitHub Actions already sandboxes fork PRs with read-only tokens and no secrets access, and nix build only compiles code without needing any secrets. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The original SHA was incorrect (e50d5f73...1f848571), causing the action download to 404. Corrected to the actual v16 tag SHA. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Go 1.25.7 was released on Feb 4 but nixpkgs-unstable still has 1.25.5. Override go_1_25 with the 1.25.7 source hash from nixpkgs staging to match go.mod's requirement. This can be simplified back to plain pkgs.buildGoModule once nixpkgs-unstable catches up. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The vendor module hash changes with the Go version bump. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Security Review: 4 High/Medium Issues FoundClaude's automated security review identified potential security concerns. Please review each finding below. Note: 1 low severity issue(s) were omitted to reduce noise. 🚨 Repository owner removed from trusted contributors list (high)Location: The repository owner 'wesm' has been removed from the trusted contributors list, which means their PRs will now undergo automated security review. This change could allow an attacker who compromises this file to force security reviews on maintainer PRs while bypassing their own. This is suspicious and should be rejected unless there is a legitimate operational reason documented in the PR description. 🚨 Insufficient input validation allows command injection (high)Location: The VERSION variable is validated with a regex check, but then used directly in a sed command without proper escaping. While the regex blocks most injection attempts, sed's replacement string has special characters (& \ /) that could be exploited if the regex is bypassed or modified. Use a safer approach like printf '%s\n' to safely substitute the version string, or escape all sed metacharacters.
|
😆 I guess maybe I should move the security review onto Opus 4.6, I'll work on that |
2 participants
Summary
flake.nix: Nix build support withbuildGoModule, FTS5 build tag, dev shell with Go + golangci-lint + gcc. Targets all 4 platforms (x86_64/aarch64 linux/darwin).scripts/update-nix-flake.sh: Automates vendorHash updates — computes the correct hash vianix build, verifies the build, and opens a PR. Supports optional version tag for release bumps.scripts/release.sh: Prompts to update the nix flake after tagging a release.nix-buildjob to verify the flake builds on every push/PR.goinstead ofgo_1_25in devShell to avoid manual bumps on Go version upgrades.Test plan
nix buildproduces working binarynix developprovides Go + lint toolchain🤖 Generated with Claude Code