stackabletech / stackable-cockpit

Home of stackable-cockpit, stackablectl and stackable-cockpitd
https://docs.stackable.tech/management/stable/

Nix pre-commit and ci checks #298

Open NickLarsenNZ opened 1 month ago

NickLarsenNZ commented 1 month ago

Currently, the nix lock files (for crate2nix and for the packages via niv) are only updated when one of the Nix users runs:

This means that dependencies in Cargo.lock and Cargo.nix might be at different versions.

To resolve this, we can:

Optionally, perhaps make regenerate-nix could also do the niv update so there is one command.

nightkr commented 1 month ago

make regenerate-nix and niv update are fundamentally different commands.

make regenerate-nix converts the existing Cargo/etc lockfiles into Nix. It's idempotent, and exists to bring them back into sync. It will not update anything by itself. This is fine to do automatically.

niv update is like cargo update, it brings in whatever the latest version is of each (Niv) dependency. It should only be done with explicit user permission.

NickLarsenNZ commented 1 month ago

Yeah I understand that, but want to find a way to lower the burden on the developers.

We currently sometimes do cargo update, but much less frequently do we run niv update. Not necessarily a bad thing if the currently pinned niv packages work, but if we update more frequently we would likely pull in security updates (or, y'know, zero-days :upside_down_face:).

I think at minimum, I'd like to have CI (and pre-commit hooks) check that Cargo.nix is in line with Cargo.lock. We can work out the niv update process separately (I agree it should be intentional, but just done a bit more regularly).

What do you think?
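
Added example, not part of the thread and not the project's own code: one way to write the pre-commit/CI check discussed above, relying on the statement that `make regenerate-nix` is idempotent and only converts existing lockfiles. The function name `check_generated_in_sync` is hypothetical; `Cargo.nix` and `make regenerate-nix` are the names used in the thread.

```shell
#!/usr/bin/env bash
# Drift check for a generated lock file (added example, not project code).
# Usage: check_generated_in_sync <generated-file> <regenerate command...>
# Exit status: 0 = in sync, 1 = drift detected, 2 = check could not run.

check_generated_in_sync() {
    local generated="$1"
    shift
    local snapshot
    local status=0

    if [ ! -f "$generated" ]; then
        echo "error: $generated is missing; run: $*" >&2
        return 2
    fi

    # Keep the committed copy so it can be compared and restored afterwards.
    snapshot="$(mktemp)" || return 2
    cp -- "$generated" "$snapshot"

    # Regenerate from the source lockfile (e.g. Cargo.lock -> Cargo.nix).
    if ! "$@" >/dev/null 2>&1; then
        echo "error: regenerate command failed: $*" >&2
        status=2
    elif ! cmp -s -- "$snapshot" "$generated"; then
        echo "error: $generated is out of sync; run '$*' and commit the result" >&2
        diff -u -- "$snapshot" "$generated" >&2 || true   # show the drift
        status=1
    fi

    # Restore the committed copy so the check leaves this file unchanged.
    cp -- "$snapshot" "$generated"
    rm -f -- "$snapshot"
    return "$status"
}

# Intended call in a pre-commit hook or CI step, from the repository root:
#   check_generated_in_sync Cargo.nix make regenerate-nix
```

This check only detects drift between the two lockfiles; it never runs `niv update`, which the thread agrees should stay an explicit step.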