mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-06-09 08:21:50 +00:00
d02a59b679
* fix(nix): fix-lockfiles real-build verification + point auto-fix at nix/lib.nix Two related fixes to the npm lockfile-hash tooling that, together, let a broken nix build slip onto main and stay there: 1. fix-lockfiles trusted prefetch-npm-deps. It computes the hash from the lockfile *contents* and early-exited "ok" whenever that matched the pin, never running the real fetchNpmDeps + npmConfigHook build. Those two can disagree (the --apply path already works around it), so `--check` reported "ok" while a cold build was actually broken (e.g. lockfile engines/os/cpu fields the pinned nixpkgs strips from the deps cache, tripping npmConfigHook's consistency diff). Now, when prefetch says the hash matches, confirm with `nix build .#<attr>` before believing it: adopt the real fetchNpmDeps hash if nix reports a 'got:' mismatch, surface non-hash failures honestly (exit 1) instead of claiming "ok", and keep the transient-cache-failure skip. 2. nix-lockfile-fix.yml's auto-fix-main (and the PR-fix job) whitelisted and staged nix/tui.nix + nix/web.nix, but the single npmDepsHash moved to nix/lib.nix. So fix-lockfiles --apply edited nix/lib.nix, the guard flagged it as an "unexpected modified file", and the job exited without committing — the auto-healer could never push a fix. Point the guard regex and both `git add` lines at nix/lib.nix. * fix(nix): fix cold npm builds — adopt the deps-cache lockfile in patchPhase hermes-tui/hermes-agent could not be built from source on the pinned nixpkgs: prefetch-npm-deps strips advisory lockfile fields (engines/os/cpu/funding/ bin/…) that newer npm writes into package-lock.json, then npmConfigHook byte-compares the source lockfile against the cache's stripped copy and fails on the difference. CI only stayed green because it substitutes the prebuilt hermes-tui from Cachix and never cold-builds it; anyone building cold (e.g. a local path: input, or a cache miss) hit the failure. mkNpmPassthru's patchPhase now copies the cache's own normalized package-lock.json over the source before npmConfigHook runs, so the consistency check is trivially satisfied. The resolved dependency set (version/resolved/integrity/dependencies) is identical — fetchNpmDeps derived the cache from this very lockfile — so `npm ci` installs the same tree; only advisory metadata is dropped. Genuine drift is still caught by the fixed-output npmDepsHash check, which runs before this phase. Verified by cold-building .#tui and .#default (full hermes-agent) from scratch on the pinned nixpkgs (6201e2) — both succeed where they previously failed at npmConfigHook. |
||
|---|---|---|
| .. | ||
| build-windows-installer.yml | ||
| contributor-check.yml | ||
| deploy-site.yml | ||
| docker-lint.yml | ||
| docker-publish.yml | ||
| docs-site-checks.yml | ||
| history-check.yml | ||
| lint.yml | ||
| nix-lockfile-fix.yml | ||
| nix.yml | ||
| osv-scanner.yml | ||
| skills-index-freshness.yml | ||
| skills-index.yml | ||
| supply-chain-audit.yml | ||
| tests.yml | ||
| upload_to_pypi.yml | ||
| uv-lockfile-check.yml | ||