hexpm / hex

Package manager for the Erlang ecosystem.
https://hex.pm

Make it possible to pin to a specific Hex version during initial install #962

Closed jeffwidman closed 1 year ago

jeffwidman commented 1 year ago

As best I can tell from the docs, Hex must be installed initially using mix local.hex. And this install can't be pinned to a specific version.

To pin to a version, we then later have to re-install by calling mix hex.install "$HEX_VERSION".

Here's how I did it over in Dependabot: https://github.com/dependabot/dependabot-core/blob/8a70b5e719eb465e134d0167c5bf6513bd9ee77a/hex/helpers/build#L13-L21

I am not a hex/mix/elixir expert, so I had some questions:

  1. This feels brittle... if for some reason the latest Hex version is broken, is there no workaround?
  2. This feels like extra work is being done since we have to double-install Hex: https://github.com/dependabot/dependabot-core/actions/runs/3388321608/jobs/5630170173#step:6:6577
  3. We also have a call to mix archive.install hex ... A quick Stack Overflow skim says archive.install is a global install rather than a local install... so does that mean it's installing hex a third time somehow?

Given all this, how can we optimize our Hex install script so that it does a single install that's pinned to a deterministic version that we can set?

ericmj commented 1 year ago

mix local.hex accepts a version since Elixir 1.14.0.

Both mix local.hex and mix archive.install are global installs. mix local.hex does an archive installation. Why are you installing nerves_bootstrap though?

ericmj commented 1 year ago

Closing this. Let us know if you have any further questions.

jeffwidman commented 1 year ago

Thanks again for the quick answer, I applied it in https://github.com/dependabot/dependabot-core/pull/6252.
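
The single pinned install that the answer above makes possible, sketched as an added example (not code from this thread or from Dependabot's build script): it refuses a missing or loose pin instead of silently installing the latest Hex, and falls back to the two-step install from the issue on Elixir older than 1.14.0. The function names and the sample version numbers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pick the Hex install command for a pinned, reproducible build.
# Function names are hypothetical; version values in the usage line are samples.

# Succeeds only for an exact MAJOR.MINOR.PATCH string made of digits and dots.
is_exact_version() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;  # empty, bad chars, empty component
    *.*.*.*) return 1 ;;                  # more than three components
    *.*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeeds when the given Elixir version is >= 1.14.0, the first release in
# which (per the thread) `mix local.hex` accepts a version argument.
supports_pinned_local_hex() {
  is_exact_version "$1" || return 1
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 14 ]; }
}

# Prints the command line to run; returns 2 without printing a command when
# the pin is not an exact version, so an unset variable fails the build.
hex_install_cmd() {
  elixir_version=$1
  hex_version=$2
  if ! is_exact_version "$hex_version"; then
    echo "refusing to install Hex without an exact pin: '$hex_version'" >&2
    return 2
  fi
  if supports_pinned_local_hex "$elixir_version"; then
    # One install, already at the pinned version.
    echo "mix local.hex $hex_version --force"
  else
    # Older Elixir: install latest first, then re-install the pinned version.
    echo "mix local.hex --force && mix hex.install $hex_version"
  fi
}

# Usage in a build script (ELIXIR_VERSION and HEX_VERSION set by the image):
#   cmd=$(hex_install_cmd "$ELIXIR_VERSION" "$HEX_VERSION") && eval "$cmd"
```
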