build: automate nix package upgrades. Fixes #11691

[isubasinghe]

Fixes #11691

Motivation

The nix hash is extremely out of date and needs manual updating.

Modifications

A nix-hash task was added to the makefile that patches the nix flake.

Verification

Tested it by mutating the hash and running the nix-hash command.

Caution

This PR will likely result in someone needing to run make codegen on dependabot PRs relating to golang dependencies.
I would be happy to do this.

[caelan-io]

Are we okay to merge this one?

[agilgur5]

I think this makes more sense inside of the lint job, rather than codegen. We already have deps linting there and this does not generate code.
The patch-nix-hash script also needs to be added to changed-files in CI

Also made some small improvements to the script

This PR will likely result in someone needing to run make codegen on dependabot PRs relating to golang dependencies.
I would be happy to do this.

We can automate this similarly to #12234 . Maybe inside of the lint CI job? not sure what the best place might be

[agilgur5]

Can optimize the script a bit as well to be more DRY and not repeat some commands / calculations

[agilgur5]

Suggested change

sed -i '195s/vendorHash = \"\([^\"]*\)\"/vendorHash = ""/g' ./dev/nix/flake.nix

we can just replace it in the next sed command; no need to run a similar command twice.

[isubasinghe]

So this ordering actually matters, this is because the error message for a non present nix hash can be different to the error message for an empty hash.

This means that we can't really get rid of this nor store the output as a variable.

[agilgur5]

But do we actually care to differentiate the error? If there's an error, it needs a manual fix.
I would think we can just do the replace, and if that fails, print a nicer error message that it needs a manual fix and exit 1

[isubasinghe]

Yeah we do actually care to differentiate the error, only a certain error msg contains the correct nix hash.
We force the correct error output via the first sed command.

[isubasinghe]

I've reduced the if check, and forced this ordering by always doing the first sed.

[agilgur5]

Yeah we do actually care to differentiate the error, only a certain error msg contains the correct nix hash.

We can just print a nicer error ourselves though rather than relying on sed's error, which is not as user-friendly / specific to the script. Unless I'm misunderstanding something?

The current version seems to also unconditionally print the change even if nothing was changed?

[isubasinghe]

Yeah we aren't relying on sed's error. Sed is used to force an ordering which gets the correct error output from the nix build command.

Yes the current version unconditionally changes the hash, this is the only way to reduce the number of "nix build" commands issued. We can't just store it unfortunately.

[agilgur5]

OH you mean you're intentionally making the nix build command fail in order to pull the vendorHash from its output??
Oh that is wacky I did not expect that.

Yes the current version unconditionally changes the hash

I actually didn't mean the hash, I meant the print / echo. It always says "Changed" even if it didn't change, which is a bit confusing.

Are you not able to:

1. grep current hash
2. nix build
3. grep new hash
4. Check if it changed, if so, echo

Or is there a reason you can't?

[agilgur5]

feat:

This probably makes more sense as a build: commit as well

[isubasinghe]

This PR will likely result in someone needing to run make codegen on dependabot PRs relating to golang dependencies.
I would be happy to do this.

We can automate this similarly to #12234 . Maybe inside of the lint CI job? not sure what the best place might be

haha god, that works I suppose, not a fan but defs better than manual effort I suppose.

[agilgur5]

mostly nits, although the "check if Nix is installed before running" comment below is pretty important

This is back to draft now, but the commit prefix change and the dependabot automation is also still needed.

[agilgur5]

mmm this changes if/how/when things get installed, I don't think it should be on during CI (especially if it's not the most common dev env).

In the Makefile you can just check if Nix exists before running ./hack/patch-nix-hash.sh. Like check if the nix command exists, e.g. command -v nix. Much simpler check 😅

[agilgur5]

Suggested change

	- uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 #v25 -> nix 2.19.2
	- uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25 -> nix 2.19.2

nit: Consistent space after #
(I'm also not sure how many different permutations of the comment dependabot handles)