
chore(deps): update module github.com/nyaruka/phonenumbers to v1.7.2 #92

chore(deps): update module github.com/nyaruka/phonenumbers to v1.7.2

chore(deps): update module github.com/nyaruka/phonenumbers to v1.7.2 #92

# Copyright 2026 Phillip Cloud
# Licensed under the Apache License, Version 2.0
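name: Update Vendor Hash

# Triggered by pull requests against main that touch the Go module files.
# When the Nix vendorHash no longer matches the Go dependencies, the second
# job recomputes it and pushes a follow-up commit to the PR branch.
on:
  pull_request:
    branches: [main]
    paths:
      - go.mod
      - go.sum

# Workflow-wide default is read-only; the one job that needs more raises it
# itself.
permissions:
  contents: read

jobs:
  check:
    name: Check
    # github.actor is whoever triggered this run, which is not necessarily the
    # PR author. The next job mints a GitHub App token and pushes to the head
    # branch, so also require that the head branch lives in this repository
    # instead of relying on the platform default of withholding secrets from
    # fork pull requests.
    if: >-
      github.actor == 'renovate[bot]' &&
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: blacksmith-2vcpu-ubuntu-2404
    outputs:
      needed: ${{ steps.check.outputs.needed }}
    steps:
      # Egress is blocked except for the endpoints listed here; this job only
      # needs to reach github.com for the checkout.
      - name: Harden Runner
        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          deploy-on-self-hosted-vm: true
          egress-policy: block
          disable-telemetry: true
          allowed-endpoints: >
            github.com:443
      # Read-only inspection of the PR branch: no credentials are persisted.
      # fetch-depth 0 fetches full history, which the origin/main..HEAD diff
      # below relies on.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          ref: ${{ github.head_ref }}
          fetch-depth: 0
          persist-credentials: false
      - name: Determine if update is needed
        id: check
        run: |
          # Skip if nix/package.nix was already modified in this PR
          if git diff --name-only origin/main..HEAD | grep -q '^nix/package.nix$'; then
            echo "needed=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # Skip if HEAD is already a vendor hash commit (prevent infinite loop)
          if git log -1 --format='%s' | grep -q '^chore: update vendorHash'; then
            echo "needed=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          echo "needed=true" >> "$GITHUB_OUTPUT"

  update-vendor-hash:
    name: Update Vendor Hash
    needs: check
    if: needs.check.outputs.needed == 'true'
    runs-on: blacksmith-4vcpu-ubuntu-2404
    # NOTE(review): the checkout and push below authenticate with the App
    # token, so this GITHUB_TOKEN write scope may be unnecessary. Confirm
    # before narrowing it.
    permissions:
      contents: write
    steps:
      # Egress allow-list for this job: GitHub, the Nix caches and release
      # hosts, and the Go module proxy and checksum database.
      - name: Harden Runner
        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          deploy-on-self-hosted-vm: true
          egress-policy: block
          disable-telemetry: true
          allowed-endpoints: >
            api.github.com:443
            cache.nixos.org:443
            github.com:443
            proxy.golang.org:443
            release-assets.githubusercontent.com:443
            releases.nixos.org:443
            storage.googleapis.com:443
            sum.golang.org:443
      - name: Generate app token
        id: app-token
        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        with:
          client-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
      # persist-credentials is left at the checkout default, so the App token
      # stays available to git for the rest of the job (the final `git push`
      # depends on it). Every step between here and the push, including the
      # Nix evaluation of the PR branch, runs while that credential is
      # configured.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          ref: ${{ github.head_ref }}
          fetch-depth: 0
          token: ${{ steps.app-token.outputs.token }}
      - uses: cachix/install-nix-action@ab739621df7a23f52766f9ccc97f38da6b7af14f # v31.10.5
      - name: Tidy go modules
        run: nix develop -c go mod tidy
      - name: Compute new vendorHash
        id: compute
        run: |
          # Swap in a placeholder hash so that `nix build` fails with a hash
          # mismatch, then read the real hash from the "got:" line it prints.
          old_hash=$(grep -oP 'vendorHash = "\Ksha256-[^"]+' nix/package.nix)
          fake_hash="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
          sed -i "s|vendorHash = \"sha256-[^\"]*\";|vendorHash = \"$fake_hash\";|" nix/package.nix
          output=$(nix build '.#micasa' 2>&1 || true)
          new_hash=$(echo "$output" | grep -oP 'got:\s+\Ksha256-[A-Za-z0-9+/=]+' | head -n1 || true)
          if [ -z "$new_hash" ]; then
            echo "::error::Failed to extract vendorHash from nix build output"
            echo "$output"
            exit 1
          fi
          # Restore a real hash before any early-return so the fake hash can
          # never reach a commit. If old_hash == new_hash this substitutes the
          # original value back in place of the fake.
          sed -i "s|vendorHash = \"$fake_hash\";|vendorHash = \"$new_hash\";|" nix/package.nix
          if [ "$old_hash" = "$new_hash" ]; then
            echo "vendorHash unchanged ($old_hash), nothing to do"
            echo "changed=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          echo "changed=true" >> "$GITHUB_OUTPUT"
      # Rebuild with the freshly written hash to confirm it is accepted before
      # anything is committed.
      - name: Verify build
        if: steps.compute.outputs.changed == 'true'
        run: nix build '.#micasa' --no-link -L
      # Not gated on `changed`: presumably so that go.mod/go.sum edits made by
      # `go mod tidy` are still committed when the hash itself is unchanged.
      # The commit subject must keep the 'chore: update vendorHash' prefix,
      # which the check job matches to avoid re-running on its own commit.
      - name: Commit and push
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add go.mod go.sum nix/package.nix
          if git diff --cached --quiet; then
            echo "No changes to commit"
            exit 0
          fi
          git commit -m "chore: update vendorHash for Go dependency changes"
          git push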