
fix: add nix-update-hash as required status check to prevent stale flake.nix on main #129

@drewr

Description


Problem

I still occasionally get nix hash errors even though we have a nice workflow set up.

error: hash mismatch in fixed-output derivation '/nix/store/bv8n89sh111wawdz6kg695l50daylmjn-datumctl-dev-go-modules.drv':
         specified: sha256-gHeXQVHEEWCAVizX4WgOMn5sEGOvYXvzSuFcMJ1jZ8k=
            got:    sha256-XMUZHe7aU/erW1IgDpeyeSYHuTejIYpscC7BoEfDQ1w=
error: 1 dependencies of derivation '/nix/store/9q16alspb97yd7avlin2ba7r2c609x9q-datumctl-dev.drv' failed to build
make: *** [Makefile:7: home] Error 1

The nix-update-hash workflow was designed to update flake.nix with the correct vendorHash before a PR merges with any go dep change. However, Renovate is consistently merging dependency update PRs before the workflow finishes, causing flake.nix on main to fall behind.

Evidence from recent runs:

| PR | Branch run finished | Merge triggered | Gap |
|---|---|---|---|
| #123 (activity) | 11:37:21 | 11:37:12 | 9s early |
| #121 (milo) | 10:48:59 | 10:48:24 | 35s early |
| #126 (controller-runtime) | 10:22:42 | 10:21:54 | 48s early |
| #125 (kubernetes-monorepo) | 10:21:14 | 10:19:20 | ~2m early |

After each merge, the workflow re-runs on main, successfully computes the new hash, but then fails to push because branch protection requires changes to go through a PR:

remote: - Changes must be made through a pull request.
! [remote rejected] main -> main (push declined due to repository rule violations)

Root cause: the main ruleset (id 2955683) has no required_status_checks rule, so Renovate's auto-merge does not wait for nix-update-hash to complete.

Proposed Fix

Add a required_status_checks rule to the existing main ruleset requiring the update-hash job to pass before merge is allowed.

The check context name was verified against the live API: update-hash (GitHub Actions, integration_id 15368).

gh api --method PATCH repos/datum-cloud/datumctl/rulesets/2955683 \
  --input - <<'EOF'
{
  "rules": [
    {"type": "deletion"},
    {"type": "non_fast_forward"},
    {
      "type": "pull_request",
      "parameters": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews_on_push": true,
        "required_reviewers": [],
        "require_code_owner_review": true,
        "require_last_push_approval": true,
        "required_review_thread_resolution": false,
        "allowed_merge_methods": ["merge", "squash", "rebase"]
      }
    },
    {
      "type": "required_status_checks",
      "parameters": {
        "strict_required_status_checks_policy": false,
        "do_not_enforce_on_create": false,
        "required_status_checks": [
          {
            "context": "update-hash",
            "integration_id": 15368
          }
        ]
      }
    }
  ]
}
EOF

Expected Behaviour After Fix

  1. Renovate pushes go.mod/go.sum changes → triggers nix-update-hash
  2. Workflow pushes flake.nix update back to the branch → triggers a second nix-update-hash run on the new HEAD
  3. Second run finds no changes → exits cleanly, required check passes
  4. Renovate auto-merge proceeds with a correctly hashed flake.nix
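The PATCH above replaces the ruleset's entire `rules` array, so a fetch-merge-patch-verify helper is safer than hand-editing the payload: it keeps the existing deletion, non_fast_forward and pull_request rules in place, is idempotent, and gives a post-change check that the required context is really there. The script below is an added example, not code from the issue or from the datumctl project; `SAMPLE_RULESET` is a constructed stand-in for what `gh api repos/OWNER/REPO/rulesets/ID` returns, and the function names `add_required_check`, `has_required_check` and `patch_body` are this example's own. It generalises the issue's one-off payload to any check context and integration id.

```python
"""Idempotently add a required status check to a GitHub repository ruleset.

Added example, not part of the issue or the datumctl project. The GitHub
API's PATCH /repos/{owner}/{repo}/rulesets/{id} replaces the whole `rules`
array, so the safe pattern is fetch -> merge -> PATCH -> re-fetch -> verify.
"""
import copy
import json

# Constructed sample shaped like the `main` ruleset described in the issue
# before the fix: three protective rules and no required_status_checks.
# In real use, fetch the live object with:
#   gh api repos/OWNER/REPO/rulesets/RULESET_ID
SAMPLE_RULESET = {
    "id": 2955683,
    "name": "main",
    "rules": [
        {"type": "deletion"},
        {"type": "non_fast_forward"},
        {
            "type": "pull_request",
            "parameters": {
                "required_approving_review_count": 1,
                "dismiss_stale_reviews_on_push": True,
                "require_code_owner_review": True,
                "require_last_push_approval": True,
                "required_review_thread_resolution": False,
                "allowed_merge_methods": ["merge", "squash", "rebase"],
            },
        },
    ],
}


def _status_rule(rules):
    """Return the required_status_checks rule in `rules`, or None."""
    for rule in rules:
        if rule.get("type") == "required_status_checks":
            return rule
    return None


def has_required_check(ruleset, context, integration_id):
    """True if the ruleset already requires `context` from `integration_id`.

    Run this against the re-fetched ruleset after the PATCH; a False result
    means the change did not land and auto-merge is still unguarded.
    """
    rule = _status_rule(ruleset.get("rules", []))
    if rule is None:
        return False
    for check in rule.get("parameters", {}).get("required_status_checks", []):
        if check.get("context") == context and check.get("integration_id") == integration_id:
            return True
    return False


def add_required_check(ruleset, context, integration_id):
    """Return a deep copy of `ruleset` with `context` required; idempotent.

    Existing rules are left in place and in order, so PATCHing the returned
    `rules` array does not silently drop the branch's other protections.
    """
    updated = copy.deepcopy(ruleset)
    rules = updated.setdefault("rules", [])
    rule = _status_rule(rules)
    if rule is None:
        rule = {
            "type": "required_status_checks",
            "parameters": {
                # strict=False: the check need not re-run on an up-to-date
                # base branch, matching the payload in the issue.
                "strict_required_status_checks_policy": False,
                "do_not_enforce_on_create": False,
                "required_status_checks": [],
            },
        }
        rules.append(rule)
    checks = rule.setdefault("parameters", {}).setdefault("required_status_checks", [])
    if not has_required_check(updated, context, integration_id):
        checks.append({"context": context, "integration_id": integration_id})
    return updated


def patch_body(ruleset):
    """JSON body for `gh api --method PATCH repos/OWNER/REPO/rulesets/ID --input -`."""
    return json.dumps({"rules": ruleset["rules"]}, indent=2)


if __name__ == "__main__":
    fixed = add_required_check(SAMPLE_RULESET, "update-hash", 15368)
    # Pipe this into `gh api ... --input -`, then re-fetch the ruleset and
    # assert has_required_check() on the result before trusting auto-merge.
    print(patch_body(fixed))
```

One caveat on step 2 of the expected behaviour: GitHub does not start a new workflow run for pushes made with the default GITHUB_TOKEN, so if nix-update-hash pushes the flake.nix commit with that token, the second run on the new HEAD never happens and the required `update-hash` check stays pending on that commit. The push in the workflow needs a PAT or a GitHub App installation token for the required-check loop to close.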
