flake.nix: update Nix to use tailscale/go 1.25.2 (#17500)

Update Nix flake to use go 1.25.2 Create the hash from the toolchain rev file automatically from update-flake.sh Updates tailscale/go#135 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>
2025-10-29 15:21:47 +01:00 · 2025-10-08 14:37:47 -04:00 · 2025-10-08 14:37:47 -04:00 · 7edb5b7d43
commit 7edb5b7d43
parent b7fe1cea9f
5 changed files with 18 additions and 4 deletions
--- a/flake.nix
+++ b/flake.nix
@ -46,9 +46,9 @@
    systems,
    flake-compat,
  }: let
-    goVersion = "1.25.1";
+    goVersion = nixpkgs.lib.fileContents ./go.toolchain.version;
    toolChainRev = nixpkgs.lib.fileContents ./go.toolchain.rev;
-    gitHash = "sha256-1OCmJ7sZL6G/6wO2+lnW4uYPCIdbXhscD5qSTIPoxDk=";
+    gitHash = nixpkgs.lib.fileContents ./go.toolchain.rev.sri;
    eachSystem = f:
      nixpkgs.lib.genAttrs (import systems) (system:
        f (import nixpkgs {
@ -61,7 +61,7 @@
                  owner = "tailscale";
                  repo = "go";
                  rev = toolChainRev;
-                  hash = gitHash;
+                  sha256 = gitHash;
                };
              };
            })
--- a/go.toolchain.rev.sri
+++ b/go.toolchain.rev.sri
@ -0,0 +1 @@
+sha256-1OCmJ7sZL6G/6wO2+lnW4uYPCIdbXhscD5qSTIPoxDk=
--- a/go.toolchain.version
+++ b/go.toolchain.version
@ -0,0 +1 @@
+1.25.2
--- a/pull-toolchain.sh
+++ b/pull-toolchain.sh
@ -11,6 +11,10 @@ if [ "$upstream" != "$current" ]; then
 	echo "$upstream" >go.toolchain.rev
 fi

-if [ -n "$(git diff-index --name-only HEAD -- go.toolchain.rev)" ]; then
+./tool/go version 2>/dev/null | awk '{print $3}' | sed 's/^go//' > go.toolchain.version
+
+./update-flake.sh
+
+if [ -n "$(git diff-index --name-only HEAD -- go.toolchain.rev go.toolchain.rev.sri go.toolchain.version)" ]; then
    echo "pull-toolchain.sh: changes imported. Use git commit to make them permanent." >&2
 fi
--- a/update-flake.sh
+++ b/update-flake.sh
@ -10,6 +10,14 @@ rm -rf "$OUT"
 ./tool/go run tailscale.com/cmd/nardump --sri "$OUT" >go.mod.sri
 rm -rf "$OUT"

+GOOUT=$(mktemp -d -t gocross-XXXXXX)
+GOREV=$(xargs < ./go.toolchain.rev)
+TARBALL="$GOOUT/go-$GOREV.tar.gz"
+curl -Ls -o "$TARBALL" "https://github.com/tailscale/go/archive/$GOREV.tar.gz"
+tar -xzf "$TARBALL" -C "$GOOUT"
+./tool/go run tailscale.com/cmd/nardump --sri "$GOOUT/go-$GOREV" > go.toolchain.rev.sri
+rm -rf "$GOOUT"
+
 # nix-direnv only watches the top-level nix file for changes. As a
 # result, when we change a referenced SRI file, we have to cause some
 # change to shell.nix and flake.nix as well, so that nix-direnv
				`@ -0,0 +1 @@`
				`sha256-1OCmJ7sZL6G/6wO2+lnW4uYPCIdbXhscD5qSTIPoxDk=`