From f6258dda7fcb17d7fb2c4f11bde58786515a766d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=81lex?=
Date: Wed, 20 May 2026 15:25:40 +0200
Subject: [PATCH] feat(ci): auto-update nix hashes on release (#25)
---
.github/workflows/ci.yml | 77 +++++++++++++++++++++++++++++++++++-
circuits-nix-hashes.json | 19 +++++++++
flake.nix | 2 +-
scripts/update-nix-hashes.py | 57 ++++++++++++++++++++++++++
versions.nix | 13 ------
5 files changed, 153 insertions(+), 15 deletions(-)
create mode 100644 circuits-nix-hashes.json
create mode 100644 scripts/update-nix-hashes.py
delete mode 100644 versions.nix
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index eb99f99..a8fed4b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -167,6 +167,8 @@ jobs: needs: - setup - generate-proving-keys + outputs: + hash: ${{ steps.hash.outputs.value }} env: VERSION: ${{ needs.setup.outputs.version }} OS: linux
@@ -392,6 +394,12 @@ jobs: # Create tarball tar -czf "${BUNDLE_NAME}.tar.gz" "${BUNDLE_NAME}" + - name: Compute SRI Hash + id: hash + run: | + TARBALL="logos-blockchain-circuits-${{ env.VERSION }}-${{ env.OS }}-${{ env.ARCH }}.tar.gz" + echo "value=sha256-$(openssl dgst -sha256 -binary "$TARBALL" | base64)" >> "$GITHUB_OUTPUT" + - name: Upload Unified Release Bundle uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8 with:
@@ -404,6 +412,8 @@ jobs: needs: - setup - generate-proving-keys + outputs: + hash: ${{ steps.hash.outputs.value }} env: VERSION: ${{ needs.setup.outputs.version }} OS: linux
@@ -631,6 +641,12 @@ jobs: # Create tarball tar -czf "${BUNDLE_NAME}.tar.gz" "${BUNDLE_NAME}" + - name: Compute SRI Hash + id: hash + run: | + TARBALL="logos-blockchain-circuits-${{ env.VERSION }}-${{ env.OS }}-${{ env.ARCH }}.tar.gz" + echo "value=sha256-$(openssl dgst -sha256 -binary "$TARBALL" | base64)" >> "$GITHUB_OUTPUT" + - name: Upload Unified Release Bundle uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8 with:
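Review bot: The added `Compute SRI Hash` step pipes `openssl dgst` into `base64` without `pipefail` in the three copies that set no `shell:` (the hunks at -392, -631 and -1140), so a failing `openssl` leaves the step green and emits `value=sha256-` with no digest behind it. GitHub runs an unqualified `run:` as `bash -e {0}`; the Windows copy at -907 sets `shell: bash`, which adds `-o pipefail`, and the same `shell: bash` line on the other three closes the gap. The `TARBALL=` line also expands `${{ env.VERSION }}` and its siblings into the script text; where the job's `env:` block already exports them, `TARBALL="logos-blockchain-circuits-${VERSION}-${OS}-${ARCH}.tar.gz"` keeps a presumably ref-derived value out of the shell source. The step bodies begin and end inside the hunks; the enclosing jobs do not.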
@@ -643,6 +659,8 @@ jobs: needs: - setup - generate-proving-keys + outputs: + hash: ${{ steps.hash.outputs.value }} env: VERSION: ${{ needs.setup.outputs.version }} OS: windows
@@ -907,6 +925,13 @@ jobs: # Create tarball tar -czf "${BUNDLE_NAME}.tar.gz" "${BUNDLE_NAME}" + - name: Compute SRI Hash + id: hash + shell: bash + run: | + TARBALL="logos-blockchain-circuits-${{ env.VERSION }}-${{ env.OS }}-${{ env.ARCH }}.tar.gz" + echo "value=sha256-$(openssl dgst -sha256 -binary "$TARBALL" | base64)" >> "$GITHUB_OUTPUT" + - name: Upload Unified Release Bundle uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8 with:
@@ -919,6 +944,8 @@ jobs: needs: - setup - generate-proving-keys + outputs: + hash: ${{ steps.hash.outputs.value }} env: VERSION: ${{ needs.setup.outputs.version }} ARCH: aarch64
@@ -1140,6 +1167,12 @@ jobs: # Create tarball tar -czf "${BUNDLE_NAME}.tar.gz" "${BUNDLE_NAME}" + - name: Compute SRI Hash + id: hash + run: | + TARBALL="logos-blockchain-circuits-${{ env.VERSION }}-${{ env.OS }}-${{ env.ARCH }}.tar.gz" + echo "value=sha256-$(openssl dgst -sha256 -binary "$TARBALL" | base64)" >> "$GITHUB_OUTPUT" + - name: Upload Unified Release Bundle uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8 with:
@@ -1298,7 +1331,6 @@ jobs: - [ ] Description is complete - [ ] Changelog is correct - [ ] Assets for all platforms exist - - [ ] `flake.nix`'s `circuitsVersion` points to the latest version - [ ] Pre-release is checked if necessary - [ ] Remove this checklist before publishing the release. draft: true
@@ -1342,3 +1374,46 @@ jobs:
 asset_path: ${{ env.ARTIFACT_NAME }}
 asset_name: ${{ env.ARTIFACT_NAME }}
 asset_content_type: application/octet-stream
+
+ update-nix-hashes:
+ name: Update Nix Hashes
+ runs-on: ubuntu-latest
+ if: github.ref_type == 'tag' || github.event_name == 'workflow_dispatch'
+ needs:
+ - setup
+ - build-linux
+ - build-linux-aarch64
+ - build-windows
+ - build-macos
+ - upload-artifacts
+ permissions:
+ contents: write
+ env:
+ VERSION: ${{ needs.setup.outputs.version }}
+ steps:
+ - name: Checkout main
+ uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
+ with:
+ ref: main
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Update versions.nix
+ env:
+ CIRCUITS_NIX_HASHES_FILE: circuits-nix-hashes.json
+ CIRCUIT_HASH_LINUX_X86_64: ${{ needs.build-linux.outputs.hash }}
+ CIRCUIT_HASH_LINUX_AARCH64: ${{ needs.build-linux-aarch64.outputs.hash }}
+ CIRCUIT_HASH_WINDOWS_X86_64: ${{ needs.build-windows.outputs.hash }}
+ CIRCUIT_HASH_DARWIN_AARCH64: ${{ needs.build-macos.outputs.hash }}
+ run: python3 scripts/update-nix-hashes.py
+
+ - name: Commit and Push
+ env:
+ GIT_USER_NAME: ${{ github.actor }}
+ GIT_USER_EMAIL: ${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com
+ run: |
+ git config user.name "$GIT_USER_NAME"
+ git config user.email "$GIT_USER_EMAIL"
+ git add circuits-nix-hashes.json
+ git diff --cached --quiet && exit 0
+ git commit -m "chore(ci): auto-update Nix hashes for ${{ env.VERSION }}"
+ git push origin main
diff --git a/circuits-nix-hashes.json b/circuits-nix-hashes.json
new file mode 100644
index 0000000..5bb8cfa
--- /dev/null
+++ b/circuits-nix-hashes.json
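Review bot: The `if:` on `update-nix-hashes` admits `workflow_dispatch` as well as tags, so unless an upstream job in `needs` is skipped on that path, a manual run from any ref would commit that build's digests to `circuits-nix-hashes.json` on `main` under `contents: write`. Those digests appear to be what `flake.nix` reads as the pins for release downloads, so I would restrict the job to `if: github.ref_type == 'tag'` or put the dispatch path behind a protected environment. In `Commit and Push`, `${{ env.VERSION }}` is expanded into the script text; `git commit -m "chore(ci): auto-update Nix hashes for ${VERSION}"` reads the exported variable instead. The step name `Update versions.nix` is stale now that the file it writes is `circuits-nix-hashes.json`.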
@@ -0,0 +1,19 @@
+{
+ "0.3.2": {
+ "aarch64-darwin": "sha256-FbLgrHaa8djFEaA69WpZMB3uozkLT/abQiCWKrkzcsk=",
+ "x86_64-linux": "sha256-80+GrB3kBhwLHvNemme5Vig6tPDRRZC7xHps0DNonzM=",
+ "x86_64-windows": "sha256-VOBUXlXNHTY0l91G+B1vybDfES0Y0HXhUytJIfFEiBA="
+ },
+ "0.4.1": {
+ "aarch64-darwin": "sha256-E+yMjJPMy08jbiHLlDmDvlKnGJ4UiIRKB9GGZ0JGBB8=",
+ "aarch64-linux": "sha256-8lsgqflHXPP6mnxILpUCNhetpVeDNOXiQlWKoZLHa7I=",
+ "x86_64-linux": "sha256-Oi3xhqm5Sd4PaCSHWMvsJm2YPtSlm11BBG99xG30tiM=",
+ "x86_64-windows": "sha256-8qceJxNt+OGF5cRNwNG146Op5xcqbShQEtmVJ6iDvmQ="
+ },
+ "0.5.0": {
+ "aarch64-darwin": "sha256-Nl07Xi2q+KyztbGwt2gBgGbe7h8u0ktomLxpeZ+GQu8=",
+ "aarch64-linux": "sha256-dqRCEAXUam3kUPN2jetuwCbXP6LWtM0Kpf2Yn09aDnA=",
+ "x86_64-linux": "sha256-2UkRxtZ3eWVhI2seFJSl5ate2LnUdWhwIk6pc1dDn8A=",
+ "x86_64-windows": "sha256-guAi5Kz/jUdoNYA7lrz7HerMa3zoflQtg8krR7PcT1Y="
+ }
+}
diff --git a/flake.nix b/flake.nix
index 341b91e..b9da96c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -21,7 +21,7 @@ cargoToml = builtins.fromTOML (builtins.readFile ./rust/Cargo.toml); circuitsVersion = cargoToml.workspace.package.version; - versions = import ./versions.nix; + versions = builtins.fromJSON (builtins.readFile ./circuits-nix-hashes.json); circuitsHashes = versions.${circuitsVersion}; githubBase = "https://github.com/logos-blockchain/logos-blockchain-circuits/releases/download";
diff --git a/scripts/update-nix-hashes.py b/scripts/update-nix-hashes.py
new file mode 100644
index 0000000..cd357a8
--- /dev/null
+++ b/scripts/update-nix-hashes.py
@@ -0,0 +1,57 @@
+#!/usr/bin/env python3
+# Updates circuits-nix-hashes.json with new platform hashes, overwriting any existing entry for the version.
+
+import os, json
+from packaging.version import Version
+
+PLATFORM_X86_64_LINUX = "x86_64-linux"
+PLATFORM_AARCH64_LINUX = "aarch64-linux"
+PLATFORM_AARCH64_DARWIN = "aarch64-darwin"
+PLATFORM_X86_64_WINDOWS = "x86_64-windows"
+
+ENV_VAR_VERSION = "VERSION"
+ENV_VAR_CIRCUITS_NIX_HASHES_FILE = "CIRCUITS_NIX_HASHES_FILE"
+ENV_VAR_CIRCUIT_HASH_LINUX_X86_64 = "CIRCUIT_HASH_LINUX_X86_64"
+ENV_VAR_CIRCUIT_HASH_LINUX_AARCH64 = "CIRCUIT_HASH_LINUX_AARCH64"
+ENV_VAR_CIRCUIT_HASH_DARWIN_AARCH64 = "CIRCUIT_HASH_DARWIN_AARCH64"
+ENV_VAR_CIRCUIT_HASH_WINDOWS_X86_64 = "CIRCUIT_HASH_WINDOWS_X86_64"
+
+REQUIRED_ENV_VARS_KEYS = [
+ ENV_VAR_VERSION,
+ ENV_VAR_CIRCUITS_NIX_HASHES_FILE,
+ ENV_VAR_CIRCUIT_HASH_LINUX_X86_64,
+ ENV_VAR_CIRCUIT_HASH_LINUX_AARCH64,
+ ENV_VAR_CIRCUIT_HASH_DARWIN_AARCH64,
+ ENV_VAR_CIRCUIT_HASH_WINDOWS_X86_64,
+]
+
+REQUIRED_ENV_VARS = {var: os.getenv(var) for var in REQUIRED_ENV_VARS_KEYS}
+
+missing_env_vars = [f" - {key}" for key, value in REQUIRED_ENV_VARS.items() if value is None]
+if missing_env_vars:
+ missing_env_vars_message = "\n".join(missing_env_vars)
+ error_message = f"Missing required env vars:\n{missing_env_vars_message}"
+ raise SystemExit(error_message)
+
+filepath = REQUIRED_ENV_VARS[ENV_VAR_CIRCUITS_NIX_HASHES_FILE]
+version = REQUIRED_ENV_VARS[ENV_VAR_VERSION].lstrip("v")
+x86_64_linux = REQUIRED_ENV_VARS[ENV_VAR_CIRCUIT_HASH_LINUX_X86_64]
+aarch64_linux = REQUIRED_ENV_VARS[ENV_VAR_CIRCUIT_HASH_LINUX_AARCH64]
+aarch64_darwin = REQUIRED_ENV_VARS[ENV_VAR_CIRCUIT_HASH_DARWIN_AARCH64]
+x86_64_windows = REQUIRED_ENV_VARS[ENV_VAR_CIRCUIT_HASH_WINDOWS_X86_64]
+
+with open(filepath) as file:
+ data = json.load(file)
+
+data[version] = {
+ PLATFORM_X86_64_LINUX: x86_64_linux,
+ PLATFORM_AARCH64_LINUX: aarch64_linux,
+ PLATFORM_AARCH64_DARWIN: aarch64_darwin,
+ PLATFORM_X86_64_WINDOWS:
x86_64_windows,
+}
+
+with open(filepath, "w") as file:
+ json.dump(dict(sorted(data.items(), key=lambda x: Version(x[0]))), file, indent=4, sort_keys=True)
+ file.write("\n")
+
+print(f"Updated {filepath} with version {version}.")
diff --git a/versions.nix b/versions.nix
deleted file mode 100644
index 3a8ce43..0000000
--- a/versions.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "0.3.2" = {
- x86_64-linux = "sha256-80+GrB3kBhwLHvNemme5Vig6tPDRRZC7xHps0DNonzM=";
- aarch64-darwin = "sha256-FbLgrHaa8djFEaA69WpZMB3uozkLT/abQiCWKrkzcsk=";
- x86_64-windows = "sha256-VOBUXlXNHTY0l91G+B1vybDfES0Y0HXhUytJIfFEiBA=";
- };
- "0.4.1" = {
- x86_64-linux = "sha256-Oi3xhqm5Sd4PaCSHWMvsJm2YPtSlm11BBG99xG30tiM=";
- aarch64-linux = "sha256-8lsgqflHXPP6mnxILpUCNhetpVeDNOXiQlWKoZLHa7I=";
- aarch64-darwin = "sha256-E+yMjJPMy08jbiHLlDmDvlKnGJ4UiIRKB9GGZ0JGBB8=";
- x86_64-windows = "sha256-8qceJxNt+OGF5cRNwNG146Op5xcqbShQEtmVJ6iDvmQ=";
- };
-}
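Review bot: The required-variable check in `scripts/update-nix-hashes.py` tests `value is None`, so an empty string passes, and GitHub Actions renders an unset job output as an empty string; a build job that produced no digest would therefore still have its value written into the pin file. `data[version] = {...}` also replaces the digests of a version that is already recorded, which the header comment describes as intended, but for integrity pins a changed digest on an existing version is the event worth stopping on. I would validate each value against the SRI shape and refuse a differing overwrite, as sketched below. Separately, `sort_keys=True` re-sorts the top-level keys as strings, which undoes the `Version` ordering and makes the third-party `packaging` import (not installed by the workflow step, as far as the diff shows) unnecessary.

```python
# … unchanged: constants and REQUIRED_ENV_VARS lookup …

# Empty strings are rejected too: an unset job output arrives as "".
missing_env_vars = [f" - {key}" for key, value in REQUIRED_ENV_VARS.items() if not value]

# … unchanged: missing-variable error, per-platform assignments, json.load …

new_entry = {
    # … unchanged: the four PLATFORM_* -> digest pairs …
}

# "sha256-" plus the 44-character base64 form of a 32-byte digest.
malformed = [
    platform
    for platform, digest in new_entry.items()
    if not (digest.startswith("sha256-") and len(digest) == 51)
]
if malformed:
    raise SystemExit(f"Malformed SRI hash for: {', '.join(malformed)}")

# A recorded version keeps its digests; only an identical re-run is accepted.
recorded = data.get(version)
if recorded is not None and recorded != new_entry:
    raise SystemExit(f"Refusing to replace recorded hashes for {version}.")
data[version] = new_entry
```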