CI: auto-compute npmDepsHash on push to main #24

Open
opened 2026-04-25 11:59:59 +00:00 by padreug · 1 comment
Owner

Problem

Every time package.json or package-lock.json changes, the npmDepsHash in the deploy flake (server-deploy) must be manually updated. Forgetting this causes deploy failures with a hash mismatch error that requires finding and replacing hashes in multiple files.

Proposed Solution

Add a Forgejo Actions workflow that:

  1. Triggers on push to main when package-lock.json changes
  2. Runs nix run nixpkgs#prefetch-npm-deps -- package-lock.json
  3. Writes the result to npm-deps-hash.txt in the repo root
  4. Commits and pushes if the hash changed

Then update the NixOS webapp module (webapp-module) to read the hash from the source:

```nix
npmDepsHash = lib.mkDefault (
  # lib.fileContents is builtins.readFile with the trailing newline removed
  lib.fileContents "${cfg.src}/npm-deps-hash.txt"
);
```

This eliminates the manual step — deploy flake hosts no longer need npmDepsHash overrides.

Files affected

  • webapp repo: Add .forgejo/workflows/npm-hash.yml + npm-deps-hash.txt
  • webapp-module repo: Read hash from source instead of requiring manual option
  • server-deploy: Remove all npmDepsHash overrides from host configs and webapp-standalone.nix

Current locations of manual hashes

  • server-deploy/modules/profiles/castle.nix
  • server-deploy/modules/services/webapp-standalone.nix
  • server-deploy/hosts/demo/default.nix
  • server-deploy/hosts/atio/default.nix
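Steps 2 to 4 of the proposed workflow as a script, added here as an example and not the project's own workflow: it refuses to overwrite the pinned hash unless the tool's output is a well-formed SRI sha256 value, and reports whether a commit is needed. The return codes, commit message and `--run` switch are assumptions.

```shell
#!/bin/sh
# Added example (not the project's workflow): steps 2-4 of the proposal.
set -eu

# Accept only an SRI sha256 value: "sha256-" + 43 base64 chars + "=".
is_sri_sha256() {
  [ "${#1}" -eq 51 ] || return 1
  case "$1" in sha256-*=) ;; *) return 1 ;; esac
  body=${1#sha256-}; body=${body%=}
  case "$body" in *[!A-Za-z0-9+/]*) return 1 ;; esac
}

# Step 2: compute the hash (needs nix and access to the npm registry).
compute_hash() {
  nix run nixpkgs#prefetch-npm-deps -- "$1"
}

# Step 3: write only a well-formed, changed hash.
# Returns 0 = file updated, 1 = unchanged, 2 = rejected.
update_hash_file() {
  is_sri_sha256 "$2" || { echo "refusing malformed hash" >&2; return 2; }
  old=""
  if [ -f "$1" ]; then old=$(cat "$1"); fi
  if [ "$2" = "$old" ]; then return 1; fi
  printf '%s' "$2" > "$1"   # no trailing newline in the pinned file
}

# Step 4: commit and push only when the file changed.
# Assumes the runner already has a git identity and push credentials.
main() {
  rc=0
  hash=$(compute_hash "$1")
  update_hash_file npm-deps-hash.txt "$hash" || rc=$?
  case "$rc" in
    0) git add npm-deps-hash.txt
       git commit -m "ci: update npm-deps-hash.txt"
       git push ;;
    1) echo "npm-deps-hash.txt already current" ;;
    *) return "$rc" ;;
  esac
}

# Runs only when asked: sh this-script.sh --run package-lock.json
if [ "${1:-}" = "--run" ]; then main "${2:-package-lock.json}"; fi
```

Because the job triggers only when `package-lock.json` changes, the commit it pushes (which touches only `npm-deps-hash.txt`) does not match that trigger again.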
Author
Owner

Manual workaround (until CI is implemented)

After changing npm dependencies in the webapp repo, run:

```bash
nix run nixpkgs#prefetch-npm-deps -- ~/dev/webapp/package-lock.json
```

Then update the hash in all of these files in server-deploy:

```bash
# Find all current hashes
grep -rn "npmDepsHash" modules/profiles/castle.nix modules/services/webapp-standalone.nix hosts/*/default.nix
```

Replace with the new hash and commit/push before deploying.

Reference
aiolabs/webapp#24