mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-06-12 08:51:53 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 14

fix(nix): cold npm builds + fix-lockfiles real-build verification + auto-fix workflow (#41867)

Browse source 
* fix(nix): fix-lockfiles real-build verification + point auto-fix at nix/lib.nix

Two related fixes to the npm lockfile-hash tooling that, together, let a
broken nix build slip onto main and stay there:

1. fix-lockfiles trusted prefetch-npm-deps. It computes the hash from the
   lockfile *contents* and early-exited "ok" whenever that matched the pin,
   never running the real fetchNpmDeps + npmConfigHook build. Those two can
   disagree (the --apply path already works around it), so `--check`
   reported "ok" while a cold build was actually broken (e.g. lockfile
   engines/os/cpu fields the pinned nixpkgs strips from the deps cache,
   tripping npmConfigHook's consistency diff). Now, when prefetch says the
   hash matches, confirm with `nix build .#<attr>` before believing it:
   adopt the real fetchNpmDeps hash if nix reports a 'got:' mismatch,
   surface non-hash failures honestly (exit 1) instead of claiming "ok",
   and keep the transient-cache-failure skip.

2. nix-lockfile-fix.yml's auto-fix-main (and the PR-fix job) whitelisted and
   staged nix/tui.nix + nix/web.nix, but the single npmDepsHash moved to
   nix/lib.nix. So fix-lockfiles --apply edited nix/lib.nix, the guard
   flagged it as an "unexpected modified file", and the job exited without
   committing — the auto-healer could never push a fix. Point the guard
   regex and both `git add` lines at nix/lib.nix.

* fix(nix): fix cold npm builds — adopt the deps-cache lockfile in patchPhase

hermes-tui/hermes-agent could not be built from source on the pinned nixpkgs:
prefetch-npm-deps strips advisory lockfile fields (engines/os/cpu/funding/
bin/…) that newer npm writes into package-lock.json, then npmConfigHook
byte-compares the source lockfile against the cache's stripped copy and fails
on the difference. CI only stayed green because it substitutes the prebuilt
hermes-tui from Cachix and never cold-builds it; anyone building cold (e.g. a
local path: input, or a cache miss) hit the failure.

mkNpmPassthru's patchPhase now copies the cache's own normalized
package-lock.json over the source before npmConfigHook runs, so the
consistency check is trivially satisfied. The resolved dependency set
(version/resolved/integrity/dependencies) is identical — fetchNpmDeps derived
the cache from this very lockfile — so `npm ci` installs the same tree; only
advisory metadata is dropped. Genuine drift is still caught by the
fixed-output npmDepsHash check, which runs before this phase.

Verified by cold-building .#tui and .#default (full hermes-agent) from scratch
on the pinned nixpkgs (6201e2) — both succeed where they previously failed at
npmConfigHook.
This commit is contained in:
Siddharth Balyan 2026-06-08 12:41:37 +05:30 committed by GitHub
parent e45b745835
commit d02a59b679
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 62 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

11
.github/workflows/nix-lockfile-fix.yml vendored
View file

@ -75,9 +75,10 @@ jobs:
run: |
set -euo pipefail
# Ensure only nix files were modified — prevents accidental
# self-triggering if fix-lockfiles ever touches package files.
unexpected="$(git diff --name-only | grep -Ev '^nix/(tui|web)\.nix$' || true)"
# Ensure only nix/lib.nix (home of the single npmDepsHash) was
# modified — prevents accidental self-triggering if fix-lockfiles
# ever touches package files.
unexpected="$(git diff --name-only | grep -Ev '^nix/lib\.nix$' || true)"
if [ -n "$unexpected" ]; then
echo "::error::Unexpected modified files: $unexpected"
exit 1
@ -89,7 +90,7 @@ jobs:
git config user.name 'github-actions[bot]'
git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
git add nix/tui.nix nix/web.nix
git add nix/lib.nix
git commit -m "fix(nix): auto-refresh npm lockfile hashes" \
-m "Source: $GITHUB_SHA" \
-m "Run: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
@ -216,7 +217,7 @@ jobs:
set -euo pipefail
git config user.name 'github-actions[bot]'
git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
git add nix/tui.nix nix/web.nix
git add nix/lib.nix
git commit -m "fix(nix): refresh npm lockfile hashes"
git push