From 14283f62e050eac8f11a9c0943a22afe80fc5971 Mon Sep 17 00:00:00 2001
From: Padreug <padreug@aiolabs.dev>
Date: Wed, 10 Jun 2026 10:43:54 +0200
Subject: [PATCH] fix(nix): pin pnpm_10 and set CI=true for downstream
 consumers

Two issues found when calling lib.mkWebapp from an external nixpkgs
(server-deploy's scenario):

- pnpm 10 in the sandbox aborts with
  ERR_PNPM_ABORTED_REMOVE_MODULES_DIR_NO_TTY when it sees a
  modules-purge prompt without a TTY. CI=true is pnpm's documented
  bypass; harmless on builds that don't need it.

- Pinning pkgs.pnpm leaves it floating with the consumer's nixpkgs
  (flake's nixos-unstable has pnpm 11.5.1, system nixpkgs has 10.33,
  etc.). pnpmDeps hash is per-pnpm-version so a floating pnpm means
  consumers hit hash mismatches. Pinning pkgs.pnpm_10 locks to the
  same major series that produced the lockfile (package.json's
  packageManager: pnpm@10.33.0) while still allowing minor drift
  inside major-10.

New pnpmDeps hash reflects pnpm_10's snapshot format.

Verified end-to-end: `nix build --impure --expr '...lib.mkWebapp {
brandDir = /tmp/fixture; app = "events"; }'` with an external pkgs
produces a Sortir-branded dist-events (manifest name "Sortir", theme
#dc2626, bg #fff5f5, HTML title "Sortir").

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 flake.nix | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/flake.nix b/flake.nix
index 97afeed..b937be4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -21,15 +21,22 @@
 
           src = ./.;
 
+          # Pin pnpm major version (10.x) regardless of consumer's nixpkgs
+          # so the pnpmDeps hash stays stable for downstream callers that
+          # bring their own pkgs. package.json's packageManager field
+          # declares pnpm@10.33.0; pnpm_10 satisfies that.
+          pnpm = pkgs.pnpm_10;
+
           pnpmDeps = pkgs.fetchPnpmDeps {
             inherit (finalAttrs) pname version src;
+            inherit (finalAttrs) pnpm;
             fetcherVersion = 3;
-            hash = "sha256-GZuH5ndka9PEHjC00g+kUJW515Zj/+xW6DZQAaK8G4k=";
+            hash = "sha256-FUN2lMHsaBTkk1tljDysYZAoQD+5MIBIEvGnRUWiF4s=";
           };
 
           nativeBuildInputs = [
             pkgs.nodejs
-            pkgs.pnpm
+            finalAttrs.pnpm
             pkgs.pnpmConfigHook
             pkgs.autoPatchelfHook
           ];
@@ -47,6 +54,9 @@
           env = {
             BRAND_DIR = "${brandDir}";
             BRAND_APP = if app == "main" then "" else app;
+            # Avoid pnpm 10's interactive modules-purge prompt in the
+            # sandbox (ERR_PNPM_ABORTED_REMOVE_MODULES_DIR_NO_TTY).
+            CI = "true";
           };
 
           buildPhase = ''