From 7edb5b7d4394e322298b7c6f86ce73215224b5bc Mon Sep 17 00:00:00 2001 From: Mike O'Driscoll Date: Wed, 8 Oct 2025 14:37:47 -0400 Subject: [PATCH] flake.nix: update Nix to use tailscale/go 1.25.2 (#17500) Update Nix flake to use go 1.25.2 Create the hash from the toolchain rev file automatically from update-flake.sh Updates tailscale/go#135 Signed-off-by: Mike O'Driscoll --- flake.nix | 6 +++--- go.toolchain.rev.sri | 1 + go.toolchain.version | 1 + pull-toolchain.sh | 6 +++++- update-flake.sh | 8 ++++++++ 5 files changed, 18 insertions(+), 4 deletions(-) create mode 100644 go.toolchain.rev.sri create mode 100644 go.toolchain.version diff --git a/flake.nix b/flake.nix index 9481248f0..726757f7a 100644 --- a/flake.nix +++ b/flake.nix @@ -46,9 +46,9 @@ systems, flake-compat, }: let - goVersion = "1.25.1"; + goVersion = nixpkgs.lib.fileContents ./go.toolchain.version; toolChainRev = nixpkgs.lib.fileContents ./go.toolchain.rev; - gitHash = "sha256-1OCmJ7sZL6G/6wO2+lnW4uYPCIdbXhscD5qSTIPoxDk="; + gitHash = nixpkgs.lib.fileContents ./go.toolchain.rev.sri; eachSystem = f: nixpkgs.lib.genAttrs (import systems) (system: f (import nixpkgs { @@ -61,7 +61,7 @@ owner = "tailscale"; repo = "go"; rev = toolChainRev; - hash = gitHash; + sha256 = gitHash; }; }; }) diff --git a/go.toolchain.rev.sri b/go.toolchain.rev.sri new file mode 100644 index 000000000..9cbf36b93 --- /dev/null +++ b/go.toolchain.rev.sri @@ -0,0 +1 @@ +sha256-1OCmJ7sZL6G/6wO2+lnW4uYPCIdbXhscD5qSTIPoxDk= diff --git a/go.toolchain.version b/go.toolchain.version new file mode 100644 index 000000000..61b813d5e --- /dev/null +++ b/go.toolchain.version @@ -0,0 +1 @@ +1.25.2 diff --git a/pull-toolchain.sh b/pull-toolchain.sh index f5a19e7d7..eb8febf6b 100755 --- a/pull-toolchain.sh +++ b/pull-toolchain.sh 
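Review bot: In the flake.nix `let` block, `goVersion` and `gitHash` are now read from go.toolchain.version and go.toolchain.rev.sri, but nothing at these bindings says the files are generated or that the hash has to track go.toolchain.rev. `gitHash` is the integrity pin for the fetched toolchain source, so I would add a comment above the three bindings, for example `# go.toolchain.{rev,rev.sri,version} are written by ./pull-toolchain.sh and ./update-flake.sh; rev and rev.sri must change in the same commit.` A rev bump with a stale hash can go unnoticed while the old source is still in a local store or cache, and a hash change without a rev change deserves a closer look in review. The `let` block starts and ends outside the hunk.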
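Review bot: The rename to `sha256 = gitHash;` in the second flake.nix hunk passes an SRI-format string (`sha256-…`, as stored in go.toolchain.rev.sri) through the older `sha256` argument, and the commit message gives no reason for moving away from `hash`. As far as I know `hash` is the fetcher argument meant for SRI values, so unless something in this flake needs the old name I would keep `hash = gitHash;`. If the rename is deliberate, a one-line comment saying why would save the next reader the question. The enclosing attribute set starts outside the hunk.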
@@ -11,6 +11,10 @@ if [ "$upstream" != "$current" ]; then echo "$upstream" >go.toolchain.rev fi -if [ -n "$(git diff-index --name-only HEAD -- go.toolchain.rev)" ]; then +./tool/go version 2>/dev/null | awk '{print $3}' | sed 's/^go//' > go.toolchain.version + +./update-flake.sh + +if [ -n "$(git diff-index --name-only HEAD -- go.toolchain.rev go.toolchain.rev.sri go.toolchain.version)" ]; then echo "pull-toolchain.sh: changes imported. Use git commit to make them permanent." >&2 fi diff --git a/update-flake.sh b/update-flake.sh index 4561183b8..c22572b86 100755 --- a/update-flake.sh +++ b/update-flake.sh @@ -10,6 +10,14 @@ rm -rf "$OUT" ./tool/go run tailscale.com/cmd/nardump --sri "$OUT" >go.mod.sri rm -rf "$OUT" +GOOUT=$(mktemp -d -t gocross-XXXXXX) +GOREV=$(xargs < ./go.toolchain.rev) +TARBALL="$GOOUT/go-$GOREV.tar.gz" +curl -Ls -o "$TARBALL" "https://github.com/tailscale/go/archive/$GOREV.tar.gz" +tar -xzf "$TARBALL" -C "$GOOUT" +./tool/go run tailscale.com/cmd/nardump --sri "$GOOUT/go-$GOREV" > go.toolchain.rev.sri +rm -rf "$GOOUT" + # nix-direnv only watches the top-level nix file for changes. As a # result, when we change a referenced SRI file, we have to cause some # change to shell.nix and flake.nix as well, so that nix-direnv
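Review bot: The added `./tool/go version 2>/dev/null | awk '{print $3}' | sed 's/^go//' > go.toolchain.version` line hides a toolchain failure: stderr is discarded and a pipeline's exit status is that of its last command, so if `./tool/go version` fails the script carries on and writes an empty go.toolchain.version. flake.nix now reads that file as `goVersion`, so the empty value would reach the Nix build. I would capture and check the value before writing it: `v=$(./tool/go version | awk '{print $3}' | sed 's/^go//')`, then `[ -n "$v" ] || { echo "pull-toolchain.sh: cannot determine Go version" >&2; exit 1; }`, then `echo "$v" >go.toolchain.version`. The top of the script, including any `set` options, is outside the hunk.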
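Review bot: The `curl -Ls -o "$TARBALL" …` line in update-flake.sh has no `--fail`, so an HTTP error response is saved as the tarball with no message and the problem surfaces only later, at `tar`, if at all; `curl -fsSL -o "$TARBALL" "https://github.com/tailscale/go/archive/$GOREV.tar.gz"` stops at the download and prints why. `$GOREV` is read from go.toolchain.rev and then used in a URL and in filesystem paths, so a cheap check that it is a plain hex commit id is worth adding before the download, e.g. `case "$GOREV" in ''|*[!0-9a-f]*) echo "update-flake.sh: bad go.toolchain.rev" >&2; exit 1;; esac`. go.toolchain.rev.sri records the hash of whatever this single download returned, so a change to it should be reviewed together with the change to go.toolchain.rev. `$GOOUT` is left behind if any step fails; whether the script sets `set -e` or a cleanup trap is not visible in this hunk.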