fix: update release tags with corrected flake hash

Open jordangarrison opened this issue 2 months ago • 4 comments

Problem

Users experience hash mismatch errors when trying to run WinBoat from release tags:

nix run github:TibixDev/winboat/v0.8.7

Error:

error: hash mismatch in fixed-output derivation '/nix/store/...-winboat-0.8.7-x64.tar.gz.drv':
         specified: sha256-I7SoX0dcQoFucj/GRvORZvgdKTIc+7+F9COZS33nFuk=
            got:    sha256-4NV9nyFLYJt9tz3ikDTb1oSpJGAKr1I49D0VHqpty3I=

Root Cause

The update-flake-hash workflow has a timing issue:

  1. Release tag is created with an outdated hash from flake.nix
  2. Release artifacts are built and published
  3. Workflow calculates the correct hash and updates main branch
  4. Tag is never updated, so it still contains the wrong hash

When users reference a tag (e.g., v0.8.7), Nix uses the flake.nix from that tag, which has the incorrect hash.

Evidence

  • Tag v0.8.7 (commit a641ec8) has hash: 1s8nwxylp693yj2vzyqw68livy36j7rldiizf9p82hjw8xgsid13 (wrong - this is for v0.8.6)
  • Main branch has hash: 0wnbdnm1w59xyhw55bqac0jak16nvcs91qixnxyrnq2b46gpvmg0 (correct for v0.8.7)

Solution

This PR modifies .github/workflows/update-flake-hash.yml to force-update the release tag after calculating and committing the correct hash. This ensures the tag points to a commit with the accurate hash matching the release artifacts.

Changes

  • Added logic to force-update the release tag with the corrected flake.nix
  • Tag now points to the commit with the matching hash for the release artifacts

Testing

Locally tested:

  • ✅ Hash calculation matches the published v0.8.7 artifacts
  • ✅ Sed replacement logic works correctly
  • ✅ Tag force-update logic verified (creates and moves tags successfully)
  • ✅ Built successfully from local clone with correct hash

Impact

  • Fixes hash mismatch errors for all future releases
  • Users can reliably use nix run github:TibixDev/winboat/vX.Y.Z
  • Existing tags (v0.8.6, v0.8.7) will need manual correction or the workflow can be triggered manually to fix them

Fixes #164

jordangarrison avatar Oct 09 '25 21:10 jordangarrison
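
The description above quotes the same digests in two encodings: SRI (`sha256-…`, as printed in the Nix error) and Nix's own base32 (the values under Evidence). The following is an added example, not code from this PR or the WinBoat repository: it normalises both forms and maps each hash in the error to the pin it came from. The function names (`nix32_decode`, `to_sri`, `match_pins`) are this example's own; the hash values are the ones quoted on the page.

```python
import base64
import re

NIX32 = "0123456789abcdfghijklmnpqrsvwxyz"  # Nix's alphabet omits e, o, t, u

def nix32_decode(s, size=32):
    """Decode Nix base32 (not RFC 4648) into `size` raw digest bytes."""
    if len(s) != (size * 8 - 1) // 5 + 1:
        raise ValueError("wrong length for a %d-byte digest" % size)
    out = bytearray(size)
    # The string is written highest character first: character n, counted
    # from the right, carries bits 5n..5n+4 of the digest (LSB-first per byte).
    for n, ch in enumerate(reversed(s)):
        digit = NIX32.index(ch)  # raises ValueError outside the alphabet
        i, j = divmod(n * 5, 8)
        out[i] |= (digit << j) & 0xFF
        carry = digit >> (8 - j)
        if i + 1 < size:
            out[i + 1] |= carry
        elif carry:
            raise ValueError("non-zero padding bits")
    return bytes(out)

def to_sri(h):
    """Normalise a sha256 given as SRI or Nix base32 to its SRI form."""
    if h.startswith("sha256-"):
        raw = base64.b64decode(h[7:], validate=True)
    else:
        raw = nix32_decode(h)
    if len(raw) != 32:
        raise ValueError("not a sha256 digest")
    return "sha256-" + base64.b64encode(raw).decode()

def match_pins(error_text, pins):
    """Name the pin behind the 'specified' and 'got' hashes of a mismatch error."""
    by_sri = {to_sri(v): name for name, v in pins.items()}
    found = dict(re.findall(r"(specified|got):\s+(sha256-[A-Za-z0-9+/=]+)", error_text))
    return {k: by_sri.get(v, "unknown") for k, v in found.items()}

# Values quoted in the PR description (error output and Evidence list).
ERROR = """\
         specified: sha256-I7SoX0dcQoFucj/GRvORZvgdKTIc+7+F9COZS33nFuk=
            got:    sha256-4NV9nyFLYJt9tz3ikDTb1oSpJGAKr1I49D0VHqpty3I=
"""
PINS = {
    "tag v0.8.7": "1s8nwxylp693yj2vzyqw68livy36j7rldiizf9p82hjw8xgsid13",
    "main": "0wnbdnm1w59xyhw55bqac0jak16nvcs91qixnxyrnq2b46gpvmg0",
}

if __name__ == "__main__":
    print(match_pins(ERROR, PINS))
```

Run on the quoted values, the `specified` hash resolves to the pin carried by tag v0.8.7 and the `got` hash to the pin on main.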

Note: This PR also relates to #177, which reports that the update-flake-hash workflow isn't triggering on releases.

While this PR fixes the tag update logic (ensuring tags point to commits with correct hashes), there may be a separate issue with the workflow trigger itself. If the workflow isn't running at all, then this fix won't help until that's resolved.

The workflow trigger is currently:

on:
  release:
    types: [published]

If the workflow isn't triggering, we may also need to investigate:

  1. Whether releases are being published (vs created as drafts)
  2. Repository permissions for GitHub Actions
  3. Whether the workflow file exists on the default branch when releases are created

Both issues should be addressed for a complete fix.

jordangarrison avatar Oct 09 '25 21:10 jordangarrison

Update: Now also fixes #177

I've updated this PR to comprehensively address both issues:

Root Cause Analysis

The workflow wasn't triggering automatically because:

  1. Releases created by GITHUB_TOKEN don't trigger release: published events (GitHub Actions limitation to prevent infinite loops)
  2. Tags had incorrect hashes because the workflow only updated main, never the tags

Complete Solution

Changed trigger mechanism:

  • ✅ Replaced release: published with workflow_run
  • ✅ Triggers after "Build WinBoat" workflow completes
  • ✅ Only runs on successful workflows triggered by tags
  • ✅ Extracts version from workflow_run.head_branch

Improved reliability:

  • ✅ Replaces sleep with proper retry loop using curl to verify asset availability
  • ✅ Polls up to 30 times (5 minutes) with clear error messages
  • ✅ Keeps workflow_dispatch for manual triggers

Tag update (original fix):

  • ✅ Force-updates release tags to point to commits with correct hashes

Testing

All workflow logic has been validated:

  • ✓ Version extraction from tag refs
  • ✓ URL format correctness
  • ✓ Retry loop logic
  • ✓ Workflow trigger conditions
  • ✓ Asset availability checking

Impact

This fix ensures:

  • Workflow runs automatically after each tagged release
  • No more manual workflow_dispatch triggers needed
  • Release tags always have correct flake hashes
  • nix run github:TibixDev/winboat/vX.Y.Z works reliably

Fixes #164 and #177

jordangarrison avatar Oct 09 '25 22:10 jordangarrison

Looks good to me

Simon-Weij avatar Oct 13 '25 16:10 Simon-Weij

Looking at this one (Simon tells me it's still needed, I'm sorry for the delay) - can you please catch up to latest/resolve conflicts and I'll add it to the queue to be looked at for merging - thanks!

waffles-dev avatar Oct 25 '25 15:10 waffles-dev

flake removed in #434

waffles-dev avatar Oct 31 '25 16:10 waffles-dev