From ec11aa64eee9736675f640692da2ed56c72171a7 Mon Sep 17 00:00:00 2001 From: Brooklyn Nicholson Date: Tue, 28 Apr 2026 18:21:09 -0500 Subject: [PATCH 1/2] fix(nix): refresh web/ npm-deps hash to unblock main builds `web/package-lock.json` was updated by the design-system refactor (merged via #17007 + follow-ups: spinner / select / badges / buttons) without bumping `nix/web.nix::npmDeps.hash`, breaking nix builds on every PR + main since 2026-04-28T18:46. Hash sourced from the actual `Check flake` failure output: specified: sha256-AahWmJ9gDQ9pMPa1FYwUjYdO2mOi6JM9Mst27E0vp68= got: sha256-+B2+Fe4djPzHHcUXRx+m0cuyaopAhW0PcHsMgYfV5VE= Standalone single-file fix so it can land fast and clear nix on every other open PR. --- nix/web.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nix/web.nix b/nix/web.nix index fbde22af3c2..bff29983d60 100644 --- a/nix/web.nix +++ b/nix/web.nix @@ -4,7 +4,7 @@ let src = ../web; npmDeps = pkgs.fetchNpmDeps { inherit src; - hash = "sha256-AahWmJ9gDQ9pMPa1FYwUjYdO2mOi6JM9Mst27E0vp68="; + hash = "sha256-+B2+Fe4djPzHHcUXRx+m0cuyaopAhW0PcHsMgYfV5VE="; }; npm = hermesNpmLib.mkNpmPassthru { folder = "web"; attr = "web"; pname = "hermes-web"; }; From b2f936fd37dbb16989de6d5684ba7886d4c222f6 Mon Sep 17 00:00:00 2001 From: Brooklyn Nicholson Date: Tue, 28 Apr 2026 18:39:35 -0500 Subject: [PATCH 2/2] fix(nix): treat transient magic-cache throttling as skip in fix-lockfiles MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Round 1 of #17174 hit `nix-lockfile-check` failure. Root cause was NOT a stale hash — the primary `nix (ubuntu-latest)` and `nix (macos-latest)` builds passed. GitHub's Magic Nix Cache returned HTTP 418 (rate-limited / throttled) mid-run, so the rebuild bailed with `some outputs of '/nix/store/...-npm-deps.drv' are not valid, so checking is not possible` — no `got:` line for the script to extract. The script then incorrectly treated this as 'build failed with no hash mismatch' and exited 1, breaking the lint on every PR whenever the cache is throttled. Now we recognize the throttling/cache-disabled signature and skip that entry with a warning. A real stale hash still surfaces in the primary `.#$ATTR` build (separate CI job), so we don't lose coverage. --- nix/lib.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/nix/lib.nix b/nix/lib.nix index 226eb912da8..5a08a7a53f8 100644 --- a/nix/lib.nix +++ b/nix/lib.nix @@ -165,6 +165,17 @@ NEW_HASH=$(echo "$OUTPUT" | awk '/got:/ {print $2; exit}') if [ -z "$NEW_HASH" ]; then + # Magic-Nix-Cache occasionally returns HTTP 418 / cache-throttled + # mid-run; nix then prints "outputs … not valid, so checking is + # not possible" without a `got:` line. That's an infrastructure + # blip, not a stale lockfile — warn + skip rather than failing + # the lint. A real hash mismatch would still surface in the + # primary `.#$ATTR` build, which is a separate CI job. + if echo "$OUTPUT" | grep -qE "throttled|HTTP error 418|substituter .* is disabled|some outputs of .* are not valid"; then + echo " skipped (transient cache failure — see primary nix build for real status)" >&2 + echo "$OUTPUT" | tail -8 >&2 + continue + fi echo " build failed with no hash mismatch:" >&2 echo "$OUTPUT" | tail -40 >&2 exit 1