Skip to content

fix: update release tags with corrected flake hash #277

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix: update release tags with corrected flake hash #277

wants to merge 2 commits into from

Conversation

jordangarrison
Copy link

Problem

Users experience hash mismatch errors when trying to run WinBoat from release tags:

nix run github:TibixDev/winboat/v0.8.7

Error:

error: hash mismatch in fixed-output derivation '/nix/store/...-winboat-0.8.7-x64.tar.gz.drv':
         specified: sha256-I7SoX0dcQoFucj/GRvORZvgdKTIc+7+F9COZS33nFuk=
            got:    sha256-4NV9nyFLYJt9tz3ikDTb1oSpJGAKr1I49D0VHqpty3I=

Root Cause

The update-flake-hash workflow has a timing issue:

  1. Release tag is created with an outdated hash from flake.nix
  2. Release artifacts are built and published
  3. Workflow calculates the correct hash and updates main branch
  4. Tag is never updated, so it still contains the wrong hash

When users reference a tag (e.g., v0.8.7), Nix uses the flake.nix from that tag, which has the incorrect hash.

Evidence

  • Tag v0.8.7 (commit a641ec8) has hash: 1s8nwxylp693yj2vzyqw68livy36j7rldiizf9p82hjw8xgsid13 (wrong - this is for v0.8.6)
  • Main branch has hash: 0wnbdnm1w59xyhw55bqac0jak16nvcs91qixnxyrnq2b46gpvmg0 (correct for v0.8.7)

Solution

This PR modifies .github/workflows/update-flake-hash.yml to force-update the release tag after calculating and committing the correct hash. This ensures the tag points to a commit with the accurate hash matching the release artifacts.

Changes

  • Added logic to force-update the release tag with the corrected flake.nix
  • Tag now points to the commit with the matching hash for the release artifacts

Testing

Locally tested:

  • ✅ Hash calculation matches the published v0.8.7 artifacts
  • ✅ Sed replacement logic works correctly
  • ✅ Tag force-update logic verified (creates and moves tags successfully)
  • ✅ Built successfully from local clone with correct hash

Impact

  • Fixes hash mismatch errors for all future releases
  • Users can reliably use nix run github:TibixDev/winboat/vX.Y.Z
  • Existing tags (v0.8.6, v0.8.7) will need manual correction or the workflow can be triggered manually to fix them

Fixes #164

@jordangarrison
fix: update release tags with corrected flake hash
55a970c 
Previously, when a release was published, the update-flake-hash workflow
would calculate the correct hash and update the main branch, but the
release tag would still point to a commit with the old/incorrect hash.

This caused hash mismatch errors when users tried to run:
  nix run github:TibixDev/winboat/v0.8.7

The workflow now force-updates the release tag to point to the commit
with the corrected hash, ensuring consistency between tags and the
actual release artifacts.

Fixes TibixDev#164
@jordangarrison
Copy link
Author

Note: This PR also relates to #177, which reports that the update-flake-hash workflow isn't triggering on releases.

While this PR fixes the tag update logic (ensuring tags point to commits with correct hashes), there may be a separate issue with the workflow trigger itself. If the workflow isn't running at all, then this fix won't help until that's resolved.

The workflow trigger is currently:

on:
  release:
    types: [published]

If the workflow isn't triggering, we may also need to investigate:

  1. Whether releases are being published (vs created as drafts)
  2. Repository permissions for GitHub Actions
  3. Whether the workflow file exists on the default branch when releases are created

Both issues should be addressed for a complete fix.

@Rexcrazy804 Rexcrazy804 mentioned this pull request Oct 9, 2025
Open
1 task
@jordangarrison
fix: use workflow_run to trigger flake hash update after release
c91017d 
The workflow was not triggering on release events because releases
created by GITHUB_TOKEN don't trigger other workflows. This is a known
GitHub Actions limitation to prevent infinite loops.

Changes:
- Replace 'release: published' trigger with 'workflow_run' that triggers
  after the 'Build WinBoat' workflow completes
- Only run on successful workflows triggered by tags
- Extract version from workflow_run.head_branch instead of release event
- Add retry loop with curl to verify release asset availability before
  attempting to fetch (replaces sleep with proper polling)
- Keep workflow_dispatch for manual triggering

This ensures the workflow runs automatically after each release and
can update both the flake.nix on main and force-update the release tag.

Fixes TibixDev#164
Fixes TibixDev#177
@jordangarrison
Copy link
Author

Update: Now also fixes #177

I've updated this PR to comprehensively address both issues:

Root Cause Analysis

The workflow wasn't triggering automatically because:

  1. Releases created by GITHUB_TOKEN don't trigger release: published events (GitHub Actions limitation to prevent infinite loops)
  2. Tags had incorrect hashes because the workflow only updated main, never the tags

Complete Solution

Changed trigger mechanism:

  • ✅ Replaced release: published with workflow_run
  • ✅ Triggers after "Build WinBoat" workflow completes
  • ✅ Only runs on successful workflows triggered by tags
  • ✅ Extracts version from workflow_run.head_branch

Improved reliability:

  • ✅ Replaces sleep with proper retry loop using curl to verify asset availability
  • ✅ Polls up to 30 times (5 minutes) with clear error messages
  • ✅ Keeps workflow_dispatch for manual triggers

Tag update (original fix):

  • ✅ Force-updates release tags to point to commits with correct hashes

Testing

All workflow logic has been validated:

  • ✓ Version extraction from tag refs
  • ✓ URL format correctness
  • ✓ Retry loop logic
  • ✓ Workflow trigger conditions
  • ✓ Asset availability checking

Impact

This fix ensures:

  • Workflow runs automatically after each tagged release
  • No more manual workflow_dispatch triggers needed
  • Release tags always have correct flake hashes
  • nix run github:TibixDev/winboat/vX.Y.Z works reliably

Fixes #164 and #177

@Levev Levev linked an issue Oct 11, 2025 that may be closed by this pull request
[Bug] Workflow "update-flake-hash" not triggering on releases #177
Open
1 task
@Levev Levev added the CI/CD Anything regarding the CI/CD pipeline label Oct 11, 2025
@Simon-Weij
Copy link
Contributor

Looks good to me

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

CI/CD Anything regarding the CI/CD pipeline

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug] Workflow "update-flake-hash" not triggering on releases [Bug] Nix build isn't working

3 participants

@jordangarrison @Simon-Weij @Levev