chore(nix): heal vendorHash on merge instead of on PR branch#187
Open
mmanciop wants to merge 1 commit into
Open
chore(nix): heal vendorHash on merge instead of on PR branch#187mmanciop wants to merge 1 commit into
mmanciop wants to merge 1 commit into
Conversation
A dependency bump changes go.mod/go.sum, which makes the buildGoModule vendorHash in nix/package.nix go stale and the Nix build fail. The old `Nix vendorHash` workflow recomputed and pushed the fix from the PR branch, which required a write-scoped PAT in a job that runs untrusted branch code — a poisoned dependency could exfiltrate that token. It was also broken for Dependabot (the PAT is not exposed to Dependabot runs, so checkout failed with "Input required and not supplied: token"). Retire that workflow. Instead: - skip the `nix` build on Dependabot PRs (github.actor guard) so a bump merges without a red check; - add an `update-vendor-hash` job to the Nix workflow that recomputes and commits the fix on push to main, where the code is trusted and the PAT is safe to use. Cost: main's nix build is briefly red between the merge and the fix commit. Releases are cut manually (workflow_dispatch -> tag), so that window cannot silently ship a broken package. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
A dependency bump changes
go.mod/go.sum, which makes thebuildGoModulevendorHashinnix/package.nixgo stale and the Nix build fail. TheNix vendorHashworkflow was meant to recompute and push the fix automatically, but:pull_request, checked out the untrusted PR branch, rannix build(executing dependency code from that branch), all in a job holdingREPOSITORY_FULL_ACCESS_GITHUB_TOKEN. A poisoned/compromised dependency in a bump could exfiltrate that write-scoped PAT.Input required and not supplied: token(see PR #186 checks).What
Retire
nix-vendor-hash.yml. Instead:nixbuild on Dependabot PRs via agithub.actor != 'dependabot[bot]'job guard. The hash is stale until the bump merges, so the check would only ever be red — a job-level skip reportsskipped, which branch protection treats as passing. Human dependency changes still get the full build.update-vendor-hashjob tonix.ymlthat runs on push tomain, recomputes the hash, and commits the fix. Onmainthe code is trusted, so holding the PAT is safe — the untrusted-code-plus-write-token combination is gone.Tradeoff
This is fix-forward:
main's nix build is briefly red between the merge and the follow-up fix commit. Releases here are cut manually (prepare-release.ymlworkflow_dispatch→ tag →release.yml), so that window cannot silently ship a broken package. The fix commit re-triggers the workflow, which then finds the hash correct and no-ops.Follow-ups (not in this PR)
sha256-4Yu3y5wMcQcgD+lUfcOHjHoWkQ5v+2PZOrqvFOoNdVM=); this automation only takes over once it's onmain.REPOSITORY_FULL_ACCESS_GITHUB_TOKENDependabot secret is no longer needed by this workflow and can be removed if nothing else uses it.🤖 Generated with Claude Code