| 13 Feb 2024 |
 @qbit:tapenet.org | anthr76: is this all go deps? | 18:58:36 |
 anthr76 | Yes it is | 18:58:44 |
| @qbit:tapenet.org | buildGoModule does vendoring of any deps and what not | 18:58:52 |
| @qbit:tapenet.org | vendorHash | 18:59:02 |
| @qbit:tapenet.org | grep -r buildGoModule in nixpkgs and you will find plenty of examples | 19:00:40 |
| anthr76 | { lib, buildGoModule }:
buildGoModule rec {
pname = "foo";
version = "1.13.0";
GOPRIVATE = "github.com/foo/*";
src = builtins.fetchGit {
url = "git@github.com:foo/bar.git";
ref = "refs/tags/v${version}";
rev = "f993f922c88345604fdea284b624a97b9a1ee604";
};
vendorHash = "sha256-/lx2D2sdfeyRMK/097M4SQKRlmqtPTvbFo1dwbThJ5Fs=";
ldflags = [
"-s"
"-w"
"-X"
"github.com/foo/bar/cmd.version=${version}"
];
}
I have this but it doesn't seem to vendor? The vendor has is incorrect as I was hopping to get it out during the build but instead it fails because it can't access the repos
| 19:00:54 |
| anthr76 | let me take another look | 19:01:03 |
| @qbit:tapenet.org | unset the vendorHash and run the build | 19:01:24 |
| @qbit:tapenet.org | it should print the hash for the derivation of the go-modules it generates | 19:01:38 |
| anthr76 | It just bailed out
error: buildGoModule: vendorHash is missing
| 19:02:12 |
| anthr76 | let me try lib.fakeSha256 | 19:02:52 |
| @qbit:tapenet.org | oh, make it empty | 19:03:07 |
| anthr76 | Got it, that did it | 19:04:23 |
| anthr76 | So it then failed
> fatal: could not read Username for 'https://github.com': terminal prompts disabled
> Confirm the import path was entered correctly.
> If this is a private repositor
| 19:04:43 |
| @qbit:tapenet.org | so now put your .netrc and set HOME and see if it works? | 19:05:19 |
| @qbit:tapenet.org | adding your credentials to a .netrc is not ideal though :D | 19:05:32 |
| anthr76 | I'm new to nix package but been doing it in fedora land for a while so really what would be best is if I can vendor in the source phase since these repos don't vendor
~/.netrc is present and works
| 19:05:49 |
| @qbit:tapenet.org | relative to the build? | 19:06:11 |
| @qbit:tapenet.org | or in your own home dir? | 19:06:15 |
| anthr76 | In my own home-dir | 19:06:26 |
| anthr76 | it seems like nix uses access-token to pull the source tarbal but I've tried to pull git https on my shell (which uses netrc) and that does work should it be relative to the build? | 19:07:13 |
| @qbit:tapenet.org | nix builds are isolated from all that (to prevent other dependencies from leaking in) | 19:07:15 |
| anthr76 | yeah that makes sense | 19:07:28 |
| anthr76 | i guess I'm looking for the right hole to punch to solve a problem like this | 19:07:42 |
| anthr76 | to me having nix run go mod vendor while it has access to my token seems to make the most sense and repeatable for CI | 19:08:03 |
| @qbit:tapenet.org | so, it's basically running go mod vendor and storing that as a separate derivation in the nix store | 19:09:11 |
| @qbit:tapenet.org | the vendorHash is the hash of that derivation | 19:09:19 |
| anthr76 | So is it possibly a bug? | 19:09:37 |
| @qbit:tapenet.org | it just doesn't have the ability to pull down the deps since they are private | 19:09:38 |
| anthr76 | Because nix can access the private repo in src | 19:09:47 |
