chore: pin bun.lock for opencode-antigravity-auth to prevent hash mismatches
This commit is contained in:
@@ -1,4 +1,4 @@
|
||||
{ stdenv, fetchurl, runCommand, bun, bun2nix }:
|
||||
{ stdenv, fetchurl, runCommand, bun2nix }:
|
||||
|
||||
# opencode-antigravity-auth ships only `dist/` in its npm tarball and relies on
|
||||
# runtime `dependencies` (@opencode-ai/plugin, @openauthjs/openauth, zod, ...).
|
||||
@@ -6,19 +6,9 @@
|
||||
# tarball-only approach fails at load time with "Cannot find module
|
||||
# '@opencode-ai/plugin'". We therefore vendor node_modules with bun2nix.
|
||||
#
|
||||
# bun.lock and bun.nix are generated on the fly rather than committed.
|
||||
#
|
||||
# The tarball ships no lockfile, so we synthesize one with `bun install
|
||||
# --lockfile-only`. Resolving npm version ranges (e.g. "^4.1.4") into exact
|
||||
# versions requires registry access, and Nix only permits network inside a
|
||||
# fixed-output derivation — hence `lockfileHash` below. This is the single
|
||||
# unavoidable hash for the dep graph: it pins the resolved lockfile, which in
|
||||
# turn (via bun2nix -> fetchBunDeps) pins every transitive dependency, each
|
||||
# fetched as its own hash-checked FOD. bun.nix itself stays uncommitted and
|
||||
# is derived deterministically from the pinned lockfile.
|
||||
#
|
||||
# Bump `version`, `hash`, and `lockfileHash` together. To refresh lockfileHash,
|
||||
# set it to lib.fakeHash, build, and copy the "got:" value from the error.
|
||||
# Since the NPM tarball doesn't ship a lockfile, we commit a generated bun.lock
|
||||
# into the NixOS configuration repository to ensure fully deterministic builds.
|
||||
# To update dependencies, run `bun install --lockfile-only` manually on the unpacked tarball.
|
||||
|
||||
let
|
||||
version = "1.6.0";
|
||||
@@ -28,26 +18,7 @@ let
|
||||
hash = "sha256-bLoDjJHuHczxKbslyZSm4zKg5FhdRLdUteKXFmqVlHQ=";
|
||||
};
|
||||
|
||||
# Fixed-output derivation: network-enabled, produces only the resolved
|
||||
# bun.lock. Determinism is enforced by lockfileHash.
|
||||
bunLock = stdenv.mkDerivation {
|
||||
name = "opencode-antigravity-auth-bun.lock";
|
||||
inherit src;
|
||||
sourceRoot = "package";
|
||||
nativeBuildInputs = [ bun ];
|
||||
|
||||
buildPhase = ''
|
||||
export HOME="$TMPDIR"
|
||||
bun install --lockfile-only --no-progress
|
||||
'';
|
||||
installPhase = "cp bun.lock $out";
|
||||
|
||||
outputHashMode = "flat";
|
||||
outputHashAlgo = "sha256";
|
||||
outputHash = "sha256-H+m181VozFyEEQVrOZTienj15Bgn1UXTG/G/B9gy1UE=";
|
||||
};
|
||||
|
||||
# Derive a source tree containing the resolved bun.lock and a bun.nix
|
||||
# Derive a source tree containing the committed bun.lock and a bun.nix
|
||||
# generated from it. Fully offline — no network needed here.
|
||||
srcWithBunNix = runCommand "opencode-antigravity-auth-src" {
|
||||
nativeBuildInputs = [ bun2nix ];
|
||||
@@ -57,7 +28,7 @@ let
|
||||
tar xzf ${src} --strip-components=1 -C $out
|
||||
chmod -R u+w $out
|
||||
|
||||
cp ${bunLock} $out/bun.lock
|
||||
cp ${./bun.lock} $out/bun.lock
|
||||
bun2nix --lock-file $out/bun.lock --output-file $out/bun.nix
|
||||
'';
|
||||
in
|
||||
|
||||
Reference in New Issue
Block a user