feat: hermetic build for enola #1730
dotdoom committed Sep 22, 2025
commit c57777510739767644ae40a57b217a26e9bd2877
3 changes: 1 addition & 2 deletions .github/workflows/ci.yaml
Expand Up @@ -70,8 +70,7 @@ jobs:
steps:
- uses: actions/checkout@v5
- uses: cachix/install-nix-action@v31
# TODO Remove --no-sandbox after https://github.com/enola-dev/enola/issues/1713
- run: nix run --no-sandbox . -- help
- run: nix run . -- help

build:
# https://github.com/orgs/community/discussions/25722
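Review bot: the removed TODO line tied the --no-sandbox workaround to issue #1713; confirm that the issue is actually resolved (presumably by the registry pinning in flake.nix in this same commit) and consider citing it in the commit message, since a reader of the CI file alone can no longer tell why sandboxing was ever disabled. Dropping the flag is the right direction: the Nix sandbox denies the build network and host-filesystem access, which is what makes the "hermetic" claim in the commit title checkable.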
10 changes: 9 additions & 1 deletion flake.nix
Expand Up @@ -63,6 +63,12 @@
# NB: This doesn't actually use tools/version/version-out.bash (like the non-Nix build does)
gitRev = toString (self.shortRev or self.dirtyShortRev or self.lastModified or "DEVELOPMENT");

bazel-central-registry = pkgs.fetchFromGitHub {
owner = "bazelbuild";
repo = "bazel-central-registry";
rev = "4fcc47180cfe24915dae5705074c3994c60dc6b7";
hash = "sha256-Th7gamXEzJnoA65VKVfARCDnLup5URJT0R1g2Jw3S/0=";
};
Comment on lines +66 to +71
Contributor


medium

While using fetchFromGitHub works, a more idiomatic approach with Nix Flakes is to declare this dependency as a flake input. This improves clarity by centralizing external dependencies in the inputs section and leverages the flake.lock file for pinning.

You could achieve this by:

  1. Adding bazel-central-registry to your inputs in flake.nix:
    inputs = {
      # ... other inputs
      bazel-central-registry.url = "github:bazelbuild/bazel-central-registry/4fcc47180cfe24915dae5705074c3994c60dc6b7";
    };
  2. Passing bazel-central-registry as an argument to the outputs function.
  3. Removing this let binding and using the bazel-central-registry variable from the function arguments directly in your bazel build command.

This change would make your flake's dependency management more robust and easier to follow.

in
{
# TODO: for https://nix-bazel.build, replace with mkShellNoCC.
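Review bot: the snapshot is pinned by both commit and content hash, which is what you want, but nothing records how to advance it; add a short comment next to rev stating that bumping the registry changes which module versions Bazel resolves and therefore also requires refreshing the outputHash in the build derivation below. Note too that the registry is only module metadata: Bazel still downloads each module's source archive from the URLs the registry records, so pinning the registry fixes which versions are chosen, not where the bytes come from.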
@@ -113,7 +119,7 @@
bash tools/protoc/protoc.bash

export HOME=$TMPDIR
bazel build //java/dev/enola/cli:enola_deploy.jar
bazel build --registry=file://${bazel-central-registry} //java/dev/enola/cli:enola_deploy.jar
'';

installPhase = ''
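Review bot: --registry replaces Bazel's default registry list rather than adding to it, so with this flag the build never consults bcr.bazel.build; make sure every module version the project depends on is present in the pinned snapshot, otherwise resolution fails with a module-not-found error rather than silently falling back to the network registry. Since ${bazel-central-registry} expands to a Nix store path, the file:// URL is absolute and identical on every machine, which is fine; a one-line comment saying the flag exists to make module resolution reproducible would help the next reader.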
@@ -122,6 +128,8 @@
makeWrapper ${jdk'}/bin/java $out/bin/enola \
--add-flags "-jar $out/share/java/enola_deploy.jar"
'';

outputHash = "sha256-hHa+tqNDxe3+Tl190xPWiNiCq0HWU5qcc52rjo3Ncl0=";
Contributor


medium

Using a fixed outputHash is a correct way to ensure a reproducible build for a derivation that has network access (like Bazel fetching dependencies). However, it can be a maintenance hurdle, as any change affecting the output requires manually updating this hash.

To improve maintainability for future contributors, it would be very helpful to add a comment explaining why this hash is necessary and how to update it. This will save others time when they encounter a hash mismatch error.

            # This is a fixed-output derivation. Bazel's dependency fetching is considered
            # an impurity by Nix, so we lock the output hash to ensure reproducibility.
            # If you change dependencies or source code and the build fails with a hash
            # mismatch, update this value to the 'got' hash from the Nix error message.
            outputHash = "sha256-hHa+tqNDxe3+Tl190xPWiNiCq0HWU5qcc52rjo3Ncl0=";

};
};
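Review bot: outputHashMode is not visible in this hunk; check that it is set to "recursive" somewhere in the derivation, because the default flat mode hashes a single regular file and installPhase above populates a directory tree under $out (bin/enola, share/java/enola_deploy.jar), which would fail the fixed-output check. Also keep in mind the fixed-output trap: if someone changes the source or dependencies but not this hash, Nix serves the previously built output with the matching hash from the store without rebuilding, so a stale binary can ship unnoticed; that is a good reason to document the hash as the comment above suggests.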
