chromium: fix update.py script

This is needed as we very recently started re-compressing the upstream `tar.xz` to stay under the closure size limit of hydra.nixos.org.
2023-10-19 22:20:19 +02:00 · 2023-10-19 22:20:19 +02:00 · 5766d04f96
commit 5766d04f96
parent 8caf3dcf34
2 changed files with 51 additions and 28 deletions
--- a/pkgs/applications/networking/browsers/chromium/common.nix
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@ -148,36 +148,39 @@ let
      else throw "no chromium Rosetta Stone entry for os: ${platform.config}";
  };

+  recompressTarball = { version, sha256 ? "" }: fetchzip {
+    name = "chromium-${version}.tar.zstd";
+    url = "https://commondatastorage.googleapis.com/chromium-browser-official/chromium-${version}.tar.xz";
+    inherit sha256;
+
+    nativeBuildInputs = [ zstd ];
+
+    postFetch = ''
+      echo removing unused code from tarball to stay under hydra limit
+      rm -r $out/third_party/{rust-src,llvm}
+
+      echo moving remains out of \$out
+      mv $out source
+
+      echo recompressing final contents into new tarball
+      # try to make a deterministic tarball
+      tar \
+        --use-compress-program "zstd -T$NIX_BUILD_CORES" \
+        --sort name \
+        --mtime 1970-01-01 \
+        --owner=root --group=root \
+        --numeric-owner --mode=go=rX,u+rw,a-s \
+        -cf $out source
+    '';
+  };
+
+
  base = rec {
    pname = "${packageName}-unwrapped";
    inherit (upstream-info) version;
    inherit packageName buildType buildPath;

-    src = fetchzip {
-      name = "chromium-${version}.tar.zstd";
-      url = "https://commondatastorage.googleapis.com/chromium-browser-official/chromium-${version}.tar.xz";
-      inherit (upstream-info) sha256;
-
-      nativeBuildInputs = [ zstd ];
-
-      postFetch = ''
-        echo removing unused code from tarball to stay under hydra limit
-        rm -r $out/third_party/{rust-src,llvm}
-
-        echo moving remains out of \$out
-        mv $out source
-
-        echo recompressing final contents into new tarball
-        # try to make a deterministic tarball
-        tar \
-          --use-compress-program "zstd -T$NIX_BUILD_CORES" \
-          --sort name \
-          --mtime 1970-01-01 \
-          --owner=root --group=root \
-          --numeric-owner --mode=go=rX,u+rw,a-s \
-          -cf $out source
-      '';
-    };
+    src = recompressTarball { inherit version; inherit (upstream-info) sha256; };

    nativeBuildInputs = [
      ninja pkg-config
@ -486,6 +489,7 @@ let
      chromiumDeps = {
        gn = gnChromium;
      };
+      inherit recompressTarball;
    };
  }
  # overwrite `version` with the exact same `version` from the same source,
--- a/pkgs/applications/networking/browsers/chromium/update.py
+++ b/pkgs/applications/networking/browsers/chromium/update.py
@ -21,12 +21,11 @@ from urllib.request import urlopen

 RELEASES_URL = 'https://versionhistory.googleapis.com/v1/chrome/platforms/linux/channels/all/versions/all/releases'
 DEB_URL = 'https://dl.google.com/linux/chrome/deb/pool/main/g'
-BUCKET_URL = 'https://commondatastorage.googleapis.com/chromium-browser-official'

 PIN_PATH = dirname(abspath(__file__)) + '/upstream-info.nix'
 UNGOOGLED_FLAGS_PATH = dirname(abspath(__file__)) + '/ungoogled-flags.toml'
 COMMIT_MESSAGE_SCRIPT = dirname(abspath(__file__)) + '/get-commit-message.py'
-
+NIXPKGS_PATH = subprocess.check_output(["git", "rev-parse", "--show-toplevel"], cwd=dirname(PIN_PATH)).strip()

 def load_as_json(path):
    """Loads the given nix file as JSON."""
@ -41,6 +40,23 @@ def save_dict_as_nix(path, input):
    with open(path, 'w') as out:
        out.write(formatted.decode())

+def prefetch_src_sri_hash(attr_path, version):
+    """Prefetches the fixed-output-derivation source tarball and returns its SRI-Hash."""
+    print(f'nix-build (FOD prefetch) {attr_path} {version}')
+    out = subprocess.run(
+        ["nix-build", "--expr", f'(import ./. {{}}).{attr_path}.browser.passthru.recompressTarball {{ version = "{version}"; }}'],
+        cwd=NIXPKGS_PATH,
+        stderr=subprocess.PIPE
+    ).stderr.decode()
+
+    for line in iter(out.split("\n")):
+        match = re.match(r"\s+got:\s+(.+)$", line)
+        if match:
+            print(f'Hash: {match.group(1)}')
+            return match.group(1)
+    print(f'{out}\n\nError: Expected hash in nix-build stderr output.', file=sys.stderr)
+    sys.exit(1)
+
 def nix_prefetch_url(url, algo='sha256'):
    """Prefetches the content of the given URL."""
    print(f'nix-prefetch-url {url}')
@ -206,7 +222,10 @@ with urlopen(RELEASES_URL) as resp:
            google_chrome_suffix = channel_name

        try:
-            channel['sha256'] = nix_prefetch_url(f'{BUCKET_URL}/chromium-{release["version"]}.tar.xz')
+            channel['sha256'] = prefetch_src_sri_hash(
+                channel_name_to_attr_name(channel_name),
+                release["version"]
+            )
            channel['sha256bin64'] = nix_prefetch_url(
                f'{DEB_URL}/google-chrome-{google_chrome_suffix}/' +
                f'google-chrome-{google_chrome_suffix}_{release["version"]}-1_amd64.deb')