feat(ci): auto-update nix hashes on release (#25)

2026-05-21 08:49:27 +00:00 · 2026-05-20 15:25:40 +02:00 · 2026-05-20 15:25:40 +02:00 · f6258dda7f
commit f6258dda7f
parent 104acb8f47
5 changed files with 153 additions and 15 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -167,6 +167,8 @@ jobs:
    needs:
      - setup
      - generate-proving-keys
+    outputs:
+      hash: ${{ steps.hash.outputs.value }}
    env:
      VERSION: ${{ needs.setup.outputs.version }}
      OS: linux
@ -392,6 +394,12 @@ jobs:
          # Create tarball
          tar -czf "${BUNDLE_NAME}.tar.gz" "${BUNDLE_NAME}"

+      - name: Compute SRI Hash
+        id: hash
+        run: |
+          TARBALL="logos-blockchain-circuits-${{ env.VERSION }}-${{ env.OS }}-${{ env.ARCH }}.tar.gz"
+          echo "value=sha256-$(openssl dgst -sha256 -binary "$TARBALL" | base64)" >> "$GITHUB_OUTPUT"
+
      - name: Upload Unified Release Bundle
        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
        with:
@ -404,6 +412,8 @@ jobs:
    needs:
      - setup
      - generate-proving-keys
+    outputs:
+      hash: ${{ steps.hash.outputs.value }}
    env:
      VERSION: ${{ needs.setup.outputs.version }}
      OS: linux
@ -631,6 +641,12 @@ jobs:
          # Create tarball
          tar -czf "${BUNDLE_NAME}.tar.gz" "${BUNDLE_NAME}"

+      - name: Compute SRI Hash
+        id: hash
+        run: |
+          TARBALL="logos-blockchain-circuits-${{ env.VERSION }}-${{ env.OS }}-${{ env.ARCH }}.tar.gz"
+          echo "value=sha256-$(openssl dgst -sha256 -binary "$TARBALL" | base64)" >> "$GITHUB_OUTPUT"
+
      - name: Upload Unified Release Bundle
        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
        with:
@ -643,6 +659,8 @@ jobs:
    needs:
      - setup
      - generate-proving-keys
+    outputs:
+      hash: ${{ steps.hash.outputs.value }}
    env:
      VERSION: ${{ needs.setup.outputs.version }}
      OS: windows
@ -907,6 +925,13 @@ jobs:
          # Create tarball
          tar -czf "${BUNDLE_NAME}.tar.gz" "${BUNDLE_NAME}"

+      - name: Compute SRI Hash
+        id: hash
+        shell: bash
+        run: |
+          TARBALL="logos-blockchain-circuits-${{ env.VERSION }}-${{ env.OS }}-${{ env.ARCH }}.tar.gz"
+          echo "value=sha256-$(openssl dgst -sha256 -binary "$TARBALL" | base64)" >> "$GITHUB_OUTPUT"
+
      - name: Upload Unified Release Bundle
        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
        with:
@ -919,6 +944,8 @@ jobs:
    needs:
      - setup
      - generate-proving-keys
+    outputs:
+      hash: ${{ steps.hash.outputs.value }}
    env:
      VERSION: ${{ needs.setup.outputs.version }}
      ARCH: aarch64
@ -1140,6 +1167,12 @@ jobs:
          # Create tarball
          tar -czf "${BUNDLE_NAME}.tar.gz" "${BUNDLE_NAME}"

+      - name: Compute SRI Hash
+        id: hash
+        run: |
+          TARBALL="logos-blockchain-circuits-${{ env.VERSION }}-${{ env.OS }}-${{ env.ARCH }}.tar.gz"
+          echo "value=sha256-$(openssl dgst -sha256 -binary "$TARBALL" | base64)" >> "$GITHUB_OUTPUT"
+
      - name: Upload Unified Release Bundle
        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
        with:
@ -1298,7 +1331,6 @@ jobs:
            - [ ] Description is complete
            - [ ] Changelog is correct
            - [ ] Assets for all platforms exist
-            - [ ] `flake.nix`'s `circuitsVersion` points to the latest version 
            - [ ] Pre-release is checked if necessary
            - [ ] Remove this checklist before publishing the release.
          draft: true
@ -1342,3 +1374,46 @@ jobs:
          asset_path: ${{ env.ARTIFACT_NAME }}
          asset_name: ${{ env.ARTIFACT_NAME }}
          asset_content_type: application/octet-stream
+
+  update-nix-hashes:
+    name: Update Nix Hashes
+    runs-on: ubuntu-latest
+    if: github.ref_type == 'tag' || github.event_name == 'workflow_dispatch'
+    needs:
+      - setup
+      - build-linux
+      - build-linux-aarch64
+      - build-windows
+      - build-macos
+      - upload-artifacts
+    permissions:
+      contents: write
+    env:
+      VERSION: ${{ needs.setup.outputs.version }}
+    steps:
+      - name: Checkout main
+        uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
+        with:
+          ref: main
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Update versions.nix
+        env:
+          CIRCUITS_NIX_HASHES_FILE: circuits-nix-hashes.json
+          CIRCUIT_HASH_LINUX_X86_64: ${{ needs.build-linux.outputs.hash }}
+          CIRCUIT_HASH_LINUX_AARCH64: ${{ needs.build-linux-aarch64.outputs.hash }}
+          CIRCUIT_HASH_WINDOWS_X86_64: ${{ needs.build-windows.outputs.hash }}
+          CIRCUIT_HASH_DARWIN_AARCH64: ${{ needs.build-macos.outputs.hash }}
+        run: python3 scripts/update-nix-hashes.py
+
+      - name: Commit and Push
+        env:
+          GIT_USER_NAME: ${{ github.actor }}
+          GIT_USER_EMAIL: ${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com
+        run: |
+          git config user.name "$GIT_USER_NAME"
+          git config user.email "$GIT_USER_EMAIL"
+          git add circuits-nix-hashes.json
+          git diff --cached --quiet && exit 0
+          git commit -m "chore(ci): auto-update Nix hashes for ${{ env.VERSION }}"
+          git push origin main
--- a/circuits-nix-hashes.json
+++ b/circuits-nix-hashes.json
@ -0,0 +1,19 @@
+{
+    "0.3.2": {
+        "aarch64-darwin": "sha256-FbLgrHaa8djFEaA69WpZMB3uozkLT/abQiCWKrkzcsk=",
+        "x86_64-linux": "sha256-80+GrB3kBhwLHvNemme5Vig6tPDRRZC7xHps0DNonzM=",
+        "x86_64-windows": "sha256-VOBUXlXNHTY0l91G+B1vybDfES0Y0HXhUytJIfFEiBA="
+    },
+    "0.4.1": {
+        "aarch64-darwin": "sha256-E+yMjJPMy08jbiHLlDmDvlKnGJ4UiIRKB9GGZ0JGBB8=",
+        "aarch64-linux": "sha256-8lsgqflHXPP6mnxILpUCNhetpVeDNOXiQlWKoZLHa7I=",
+        "x86_64-linux": "sha256-Oi3xhqm5Sd4PaCSHWMvsJm2YPtSlm11BBG99xG30tiM=",
+        "x86_64-windows": "sha256-8qceJxNt+OGF5cRNwNG146Op5xcqbShQEtmVJ6iDvmQ="
+    },
+    "0.5.0": {
+        "aarch64-darwin": "sha256-Nl07Xi2q+KyztbGwt2gBgGbe7h8u0ktomLxpeZ+GQu8=",
+        "aarch64-linux": "sha256-dqRCEAXUam3kUPN2jetuwCbXP6LWtM0Kpf2Yn09aDnA=",
+        "x86_64-linux": "sha256-2UkRxtZ3eWVhI2seFJSl5ate2LnUdWhwIk6pc1dDn8A=",
+        "x86_64-windows": "sha256-guAi5Kz/jUdoNYA7lrz7HerMa3zoflQtg8krR7PcT1Y="
+    }
+}
--- a/flake.nix
+++ b/flake.nix
@ -21,7 +21,7 @@

      cargoToml = builtins.fromTOML (builtins.readFile ./rust/Cargo.toml);
      circuitsVersion = cargoToml.workspace.package.version;
-      versions = import ./versions.nix;
+      versions = builtins.fromJSON (builtins.readFile ./circuits-nix-hashes.json);
      circuitsHashes = versions.${circuitsVersion};

      githubBase = "https://github.com/logos-blockchain/logos-blockchain-circuits/releases/download";
--- a/scripts/update-nix-hashes.py
+++ b/scripts/update-nix-hashes.py
@ -0,0 +1,57 @@
+#!/usr/bin/env python3
+# Updates circuits-nix-hashes.json with new platform hashes, overwriting any existing entry for the version.
+
+import os, json
+from packaging.version import Version
+
+PLATFORM_X86_64_LINUX = "x86_64-linux"
+PLATFORM_AARCH64_LINUX = "aarch64-linux"
+PLATFORM_AARCH64_DARWIN = "aarch64-darwin"
+PLATFORM_X86_64_WINDOWS = "x86_64-windows"
+
+ENV_VAR_VERSION = "VERSION"
+ENV_VAR_CIRCUITS_NIX_HASHES_FILE = "CIRCUITS_NIX_HASHES_FILE"
+ENV_VAR_CIRCUIT_HASH_LINUX_X86_64 = "CIRCUIT_HASH_LINUX_X86_64"
+ENV_VAR_CIRCUIT_HASH_LINUX_AARCH64 = "CIRCUIT_HASH_LINUX_AARCH64"
+ENV_VAR_CIRCUIT_HASH_DARWIN_AARCH64 = "CIRCUIT_HASH_DARWIN_AARCH64"
+ENV_VAR_CIRCUIT_HASH_WINDOWS_X86_64 = "CIRCUIT_HASH_WINDOWS_X86_64"
+
+REQUIRED_ENV_VARS_KEYS = [
+    ENV_VAR_VERSION,
+    ENV_VAR_CIRCUITS_NIX_HASHES_FILE,
+    ENV_VAR_CIRCUIT_HASH_LINUX_X86_64,
+    ENV_VAR_CIRCUIT_HASH_LINUX_AARCH64,
+    ENV_VAR_CIRCUIT_HASH_DARWIN_AARCH64,
+    ENV_VAR_CIRCUIT_HASH_WINDOWS_X86_64,
+]
+
+REQUIRED_ENV_VARS = {var: os.getenv(var) for var in REQUIRED_ENV_VARS_KEYS}
+
+missing_env_vars = [f"  - {key}" for key, value in REQUIRED_ENV_VARS.items() if value is None]
+if missing_env_vars:
+    missing_env_vars_message = "\n".join(missing_env_vars)
+    error_message = f"Missing required env vars:\n{missing_env_vars_message}"
+    raise SystemExit(error_message)
+
+filepath = REQUIRED_ENV_VARS[ENV_VAR_CIRCUITS_NIX_HASHES_FILE]
+version = REQUIRED_ENV_VARS[ENV_VAR_VERSION].lstrip("v")
+x86_64_linux = REQUIRED_ENV_VARS[ENV_VAR_CIRCUIT_HASH_LINUX_X86_64]
+aarch64_linux = REQUIRED_ENV_VARS[ENV_VAR_CIRCUIT_HASH_LINUX_AARCH64]
+aarch64_darwin = REQUIRED_ENV_VARS[ENV_VAR_CIRCUIT_HASH_DARWIN_AARCH64]
+x86_64_windows = REQUIRED_ENV_VARS[ENV_VAR_CIRCUIT_HASH_WINDOWS_X86_64]
+
+with open(filepath) as file:
+    data = json.load(file)
+
+data[version] = {
+    PLATFORM_X86_64_LINUX: x86_64_linux,
+    PLATFORM_AARCH64_LINUX: aarch64_linux,
+    PLATFORM_AARCH64_DARWIN: aarch64_darwin,
+    PLATFORM_X86_64_WINDOWS: x86_64_windows,
+}
+
+with open(filepath, "w") as file:
+    json.dump(dict(sorted(data.items(), key=lambda x: Version(x[0]))), file, indent=4, sort_keys=True)
+    file.write("\n")
+
+print(f"Updated {filepath} with version {version}.")
--- a/versions.nix
+++ b/versions.nix
@ -1,13 +0,0 @@
-{
-  "0.3.2" = {
-    x86_64-linux   = "sha256-80+GrB3kBhwLHvNemme5Vig6tPDRRZC7xHps0DNonzM=";
-    aarch64-darwin = "sha256-FbLgrHaa8djFEaA69WpZMB3uozkLT/abQiCWKrkzcsk=";
-    x86_64-windows = "sha256-VOBUXlXNHTY0l91G+B1vybDfES0Y0HXhUytJIfFEiBA=";
-  };
-  "0.4.1" = {
-    x86_64-linux   = "sha256-Oi3xhqm5Sd4PaCSHWMvsJm2YPtSlm11BBG99xG30tiM=";
-    aarch64-linux  = "sha256-8lsgqflHXPP6mnxILpUCNhetpVeDNOXiQlWKoZLHa7I=";
-    aarch64-darwin = "sha256-E+yMjJPMy08jbiHLlDmDvlKnGJ4UiIRKB9GGZ0JGBB8=";
-    x86_64-windows = "sha256-8qceJxNt+OGF5cRNwNG146Op5xcqbShQEtmVJ6iDvmQ=";
-  };
-}