Skip to content

chore(nix): heal vendorHash on merge instead of on PR branch#187

Open
mmanciop wants to merge 1 commit into
mainfrom
chore/nix-vendor-hash-on-merge
Open

chore(nix): heal vendorHash on merge instead of on PR branch#187
mmanciop wants to merge 1 commit into
mainfrom
chore/nix-vendor-hash-on-merge

Conversation

@mmanciop

@mmanciop mmanciop commented Jul 2, 2026

Copy link
Copy Markdown
Member

Why

A dependency bump changes go.mod/go.sum, which makes the buildGoModule vendorHash in nix/package.nix go stale and the Nix build fail. The Nix vendorHash workflow was meant to recompute and push the fix automatically, but:

  1. It's a security risk. It ran on pull_request, checked out the untrusted PR branch, ran nix build (executing dependency code from that branch), all in a job holding REPOSITORY_FULL_ACCESS_GITHUB_TOKEN. A poisoned/compromised dependency in a bump could exfiltrate that write-scoped PAT.
  2. It's broken for Dependabot anyway. GitHub withholds Actions secrets from Dependabot-triggered runs, so the PAT resolved empty and checkout failed with Input required and not supplied: token (see PR #186 checks).

What

Retire nix-vendor-hash.yml. Instead:

  • Skip the nix build on Dependabot PRs via a github.actor != 'dependabot[bot]' job guard. The hash is stale until the bump merges, so the check would only ever be red — a job-level skip reports skipped, which branch protection treats as passing. Human dependency changes still get the full build.
  • Add an update-vendor-hash job to nix.yml that runs on push to main, recomputes the hash, and commits the fix. On main the code is trusted, so holding the PAT is safe — the untrusted-code-plus-write-token combination is gone.

Tradeoff

This is fix-forward: main's nix build is briefly red between the merge and the follow-up fix commit. Releases here are cut manually (prepare-release.yml workflow_dispatch → tag → release.yml), so that window cannot silently ship a broken package. The fix commit re-triggers the workflow, which then finds the hash correct and no-ops.

Follow-ups (not in this PR)

  • Dependabot PR #186 still needs its one-line hash fix to merge (sha256-4Yu3y5wMcQcgD+lUfcOHjHoWkQ5v+2PZOrqvFOoNdVM=); this automation only takes over once it's on main.
  • The REPOSITORY_FULL_ACCESS_GITHUB_TOKEN Dependabot secret is no longer needed by this workflow and can be removed if nothing else uses it.

🤖 Generated with Claude Code

A dependency bump changes go.mod/go.sum, which makes the buildGoModule
vendorHash in nix/package.nix go stale and the Nix build fail. The old
`Nix vendorHash` workflow recomputed and pushed the fix from the PR
branch, which required a write-scoped PAT in a job that runs untrusted
branch code — a poisoned dependency could exfiltrate that token. It was
also broken for Dependabot (the PAT is not exposed to Dependabot runs,
so checkout failed with "Input required and not supplied: token").

Retire that workflow. Instead:
- skip the `nix` build on Dependabot PRs (github.actor guard) so a bump
  merges without a red check;
- add an `update-vendor-hash` job to the Nix workflow that recomputes
  and commits the fix on push to main, where the code is trusted and the
  PAT is safe to use.

Cost: main's nix build is briefly red between the merge and the fix
commit. Releases are cut manually (workflow_dispatch -> tag), so that
window cannot silently ship a broken package.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant