diff --git a/pkgs/build-support/node/fetch-yarn-deps/index.js b/pkgs/build-support/node/fetch-yarn-deps/index.js
index 04f47362b10d..de2a09ee9041 100755
--- a/pkgs/build-support/node/fetch-yarn-deps/index.js
+++ b/pkgs/build-support/node/fetch-yarn-deps/index.js
@@ -37,7 +37,9 @@ const downloadFileHttps = (fileName, url, expectedHash, hashType = 'sha1') => {
 res.on('end', () => {
 file.close()
 const h = hash.read()
- if (h != expectedHash) return reject(new Error(`hash mismatch, expected ${expectedHash}, got ${h}`))
+ if (expectedHash === undefined){
+ console.log(`Warning: lockfile url ${url} doesn't end in "#" to validate against. Downloaded file had hash ${h}.`);
+ } else if (h != expectedHash) return reject(new Error(`hash mismatch, expected ${expectedHash}, got ${h}`))
 resolve()
 })
 res.on('error', e => reject(e))
diff --git a/pkgs/servers/mastodon/default.nix b/pkgs/servers/mastodon/default.nix
index 1547485a0378..d75e148bf1e3 100644
--- a/pkgs/servers/mastodon/default.nix
+++ b/pkgs/servers/mastodon/default.nix
@@ -7,7 +7,8 @@
 , pname ? "mastodon"
 , version ? import ./version.nix
 , srcOverride ? null
-, dependenciesDir ? ./. # Should contain gemset.nix, yarn.nix and package.json.
+, dependenciesDir ? ./. # Expected to contain gemset.nix
+, yarnHash ? import ./yarn-hash.nix
 }:
 stdenv.mkDerivation rec {
@@ -43,7 +44,7 @@ stdenv.mkDerivation rec {
 yarnOfflineCache = fetchYarnDeps {
 yarnLock = "${src}/yarn.lock";
- sha256 = "sha256-e3rl/WuKXaUdeDEYvo1sSubuIwtBjkbguCYdAijwXOA=";
+ hash = yarnHash;
 };
 nativeBuildInputs = [ fixup_yarn_lock nodejs-slim yarn mastodonGems mastodonGems.wrappedRuby brotli ];
diff --git a/pkgs/servers/mastodon/update.sh b/pkgs/servers/mastodon/update.sh
index babc06204851..eafcdd958617 100755
--- a/pkgs/servers/mastodon/update.sh
+++ b/pkgs/servers/mastodon/update.sh
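Review bot: An undefined `expectedHash` now makes the `end` handler accept the download with no per-file integrity check, so for lockfile entries without a hash fragment the only remaining guard is presumably the hash of the whole offline cache, and in a prefetch run that value is itself derived from whatever was downloaded. The warning is written with `console.log`, i.e. to stdout; update.sh in this same commit captures the stdout of `prefetch-yarn-deps` into `YARN_HASH`, so if this branch can run in that mode the warning text may end up in the captured value, and `console.error(...)` would keep it on stderr. A short comment above the branch, e.g. `// No hash in the lockfile URL: per-file check skipped on purpose, the fixed-output hash of the cache is the only integrity check`, would record that the fail-open is deliberate. The enclosing `downloadFileHttps` starts and ends outside the hunk.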
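Review bot: The new `yarnHash` argument in default.nix carries no comment telling an overrider when it has to change. It pins the yarn offline cache built from `"${src}/yarn.lock"` (second hunk), so anyone who swaps the source, presumably via `srcOverride`, needs to pass a matching `yarnHash`, and its default is read from `./yarn-hash.nix` rather than from `dependenciesDir`. I would add a trailing comment such as `# Hash of the yarn offline cache for src's yarn.lock; override together with srcOverride`. The argument list starts above the hunk.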
@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#! nix-shell -i bash -p yarn2nix bundix coreutils diffutils nix-prefetch-github gnused jq
+#! nix-shell -i bash -p bundix coreutils diffutils nix-prefetch-github gnused jq prefetch-yarn-deps
 set -e
 OWNER=mastodon
@@ -77,7 +77,8 @@ trap cleanup EXIT
 echo "Fetching source code $REVISION"
 JSON=$(nix-prefetch-github "$OWNER" "$REPO" --rev "$REVISION" 2> $WORK_DIR/nix-prefetch-git.out)
-HASH=$(echo "$JSON" | jq -r .hash)
+HASH="$(echo "$JSON" | jq -r .sha256)"
+HASH="$(nix hash to-sri --type sha256 "$HASH")"
 echo "Creating version.nix"
 echo "\"$VERSION\"" | sed 's/^"v/"/' > version.nix
@@ -101,3 +102,8 @@ SOURCE_DIR="$(nix-build --no-out-link -E '(import {}).callPackage ./so
 echo "Creating gemset.nix"
 bundix --lockfile="$SOURCE_DIR/Gemfile.lock" --gemfile="$SOURCE_DIR/Gemfile"
 echo "" >> gemset.nix # Create trailing newline to please EditorConfig checks
+
+echo "Creating yarn-hash.nix"
+YARN_HASH="$(prefetch-yarn-deps "$SOURCE_DIR/yarn.lock")"
+YARN_HASH="$(nix hash to-sri --type sha256 "$YARN_HASH")"
+printf '"%s"\n' "$YARN_HASH" > yarn-hash.nix
diff --git a/pkgs/servers/mastodon/yarn-hash.nix b/pkgs/servers/mastodon/yarn-hash.nix
new file mode 100644
index 000000000000..f0e3e8a27af7
--- /dev/null
+++ b/pkgs/servers/mastodon/yarn-hash.nix
@@ -0,0 +1 @@
+"sha256-e3rl/WuKXaUdeDEYvo1sSubuIwtBjkbguCYdAijwXOA="
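Review bot: The added `nix hash to-sri` calls in update.sh (for `HASH` in the second hunk and for `YARN_HASH` in the third) use the experimental `nix` command-line interface, so on an installation without the `nix-command` feature enabled the script stops there under `set -e`. Passing the feature explicitly, `HASH="$(nix --extra-experimental-features nix-command hash to-sri --type sha256 "$HASH")"`, would make the updater independent of the caller's nix.conf. A comment would also help on the `jq -r .sha256` line, since a missing key yields the literal string `null` and is only caught because the conversion that follows fails.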