From 6a2018cb3022d1deb8fdbce78af863a0b23996be Mon Sep 17 00:00:00 2001
From: Janez Podhostnik
Date: Thu, 2 Apr 2026 16:12:41 +0200
Subject: [PATCH] update vendor hash and add workflow to automate this
---
.github/workflows/update-vendor-hash.yml | 53 ++++++++++++++++++++++++
flake.nix | 2 +-
2 files changed, 54 insertions(+), 1 deletion(-)
create mode 100644 .github/workflows/update-vendor-hash.yml
diff --git a/.github/workflows/update-vendor-hash.yml b/.github/workflows/update-vendor-hash.yml
new file mode 100644
index 000000000..6dfc82774
--- /dev/null
+++ b/.github/workflows/update-vendor-hash.yml
@@ -0,0 +1,53 @@
+# Nix builds require a pre-computed hash (vendorHash) of all Go dependencies.
+# This hash lives in flake.nix and must match the actual dependencies exactly —
+# if go.mod/go.sum change but vendorHash isn't updated, the Nix build breaks.
+#
+# This workflow automatically recalculates the hash whenever Go dependencies
+# change, so contributors don't need Nix installed locally to keep it in sync.
+#
+# Similar workflows in other repos:
+# https://github.com/open-component-model/ocm/blob/main/.github/workflows/flake_vendorhash.yaml
+# https://github.com/Tarow/dockdns/blob/main/.github/workflows/go_vendorhash.yaml
+# https://github.com/Mic92/sops-nix/blob/master/.github/workflows/update-vendor-hash.yml
+name: Update Nix vendorHash
+
+on:
+ push:
+ branches:
+ - master
+ paths:
+ - go.mod
+ - go.sum
+ pull_request:
+ branches:
+ - master
+ paths:
+ - go.mod
+ - go.sum
+
+jobs:
+ update-vendor-hash:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ steps:
+ - uses: actions/checkout@v6
+ with:
+ ref: ${{ github.head_ref || github.ref_name }}
+
+ - uses: DeterminateSystems/nix-installer-action@main
+
+ # nix-update recalculates vendorHash by building the Go module fetcher,
+ # comparing the expected vs actual hash, and patching flake.nix in-place.
+ # --version=skip tells it to only update hashes, not the package version.
+ - name: Update vendorHash
+ run: nix run nixpkgs#nix-update -- --flake --version=skip flow-cli
+
+ - name: Commit updated vendorHash
+ run: |
+ git diff --quiet flake.nix && exit 0
+ git config user.name "github-actions[bot]"
+ git config user.email "github-actions[bot]@users.noreply.github.com"
+ git add flake.nix
+ git commit -m "flake: update vendorHash"
+ git push
diff --git a/flake.nix b/flake.nix
index 743d5ba1c..e7e5a4981 100644
--- a/flake.nix
+++ b/flake.nix
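Review bot: In .github/workflows/update-vendor-hash.yml the installer step uses `DeterminateSystems/nix-installer-action@main`, a mutable branch reference, inside a job that holds `contents: write` and later runs `git push`, so whatever that branch points to at run time executes with push rights to this repository. Pin it to a full commit SHA, e.g. `- uses: DeterminateSystems/nix-installer-action@<full-commit-sha> # <release tag>` (placeholder, take the value from the action's releases), and consider the same for `actions/checkout@v6`; `nix run nixpkgs#nix-update` likewise resolves `nixpkgs` through the flake registry rather than a fixed revision. Separately, the `pull_request` trigger also fires for fork PRs, where `github.head_ref` is looked up in this repository rather than the fork and the token is normally read-only, so the checkout or the push is likely to fail or act on an unrelated branch of the same name; a job-level `if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository` would make the intended scope explicit. On the `push` trigger the last step commits straight to `master` without review and may be rejected by branch protection, so the header comment should say which of the two paths is expected to write.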
@@ -38,7 +38,7 @@ version = version; src = ./.; - vendorHash = "sha256-EYQfXvHiRftod45Rvi7dUHF+3G5PyDtdM+HmJsE5r4I="; + vendorHash = "sha256-y0oj00qSyHvILYbtgWQT1fUdlhrQgXVtwtowvR7Cg0Q="; proxyVendor = true; subPackages = [ "cmd/flow" ];