search

andir / npins

Nix dependency pinning. Very similar to Niv but has a few features that I personally wanted.
European Union Public License 1.2
180 stars 14 forks source link

Support specifying release artifact to prehash #44

Open fufexan opened 1 year ago

fufexan commented 1 year ago

I use npins in my nix-gaming repo to automate updates. It's working great, but for some games I want to download a release artifact (compiled tarball/AppImage) instead of the source tarball. Since npins does not provide that functionality, I had to write update scripts for certain games (see this).

It would be great to have an option to specify the release artifact to get the hash for. Also, in case the artifact does not exist, the system could fallback to hashing the source tarball.

Another (maybe unrelated) feature request would be using SRI hashes, to be able to simply inherit (pins.some-pin) hash inside most fetchers.

piegamesde commented 1 year ago

A release may have multiple uploaded artifacts, do I understand correctly that the idea is to provide the artifact name? And how should this interact across versions when updating?

Also, in case the artifact does not exist, the system could fallback to hashing the source tarball.

That sounds weird to me. Usually, source and release have wildly different content, and simply swapping one for the other wouldn't help many people.

fufexan commented 1 year ago

Yes, the idea is that we provide an artifact name that would be fetched from this URL: https://github.com/<owner>/<repo>/releases/download/<version>/<artifactName>

That sounds weird to me. Usually, source and release have wildly different content, and simply swapping one for the other wouldn't help many people.

In hindsight, it does sound weird. Nevermind the idea.

piegamesde commented 1 year ago

What should happen on update if a release does not have a GitHub release, or the release does not have the desired artifact?

Maybe tangential, but it would be easy to create a pin type for fetching URLs, like a thin wrapper around fetchTarball. However, updating functionality would probably not exist.

fufexan commented 1 year ago

What should happen on update if a release does not have a GitHub release, or the release does not have the desired artifact?

I think erroring out is the best solution. If the artifact should exist but doesn't, then either upstream forgot about it, or there was a good reason to not include it anymore. Either way, it's the user's business from then on.

However, updating functionality would probably not exist.

Why not? Currently, we can use the version provided by npins and use it for other fetchers. It's not exactly efficient when you don't need the source, but it does work.

piegamesde commented 1 year ago

I fear that this may require adding support for artifact names which reference the current version to be useful, which does not sound like fun implementing :/