
update-flake.sh: tooling to keep Nix SRI hashes in sync.

Also fixes the Go toolchain SRI hash from a7f05c6bb0fed3f060435f0828625f705839d56d.
It turns out I initialized the file with an SRI hash for an older
toolchain version, and because of the unique way fixed-output derivations
work in nix, nix didn't tell me about the mismatch: it just
cache-hit on the older toolchain and moved on. Sigh.

Updates #6845.

Signed-off-by: David Anderson <[email protected]>
David Anderson 3 лет назад
Родитель
Сommit
d2beaea523
5 измененных файлов с 34 добавлено и 5 удалено
  1. 5 2
      flake.nix
  2. 1 1
      go.toolchain.sri
  3. 2 1
      pull-toolchain.sh
  4. 1 1
      shell.nix
  5. 25 0
      update-flake.sh

+ 5 - 2
flake.nix

@@ -141,14 +141,17 @@
       };
       devShell = pkgs.mkShell {
         packages = with upstreamPkgs; [
-          pkgs.tailscale_go
+          curl
           git
-          gotools
           gopls
+          gotools
           graphviz
+          perl
+          pkgs.tailscale_go
         ];
       };
     };
   in
     flake-utils.lib.eachDefaultSystem (system: flakeForSystem nixpkgs system);
 }
+# nix-direnv cache busting line: sha256-imidcDJGVor43PqdTX7Js4/tjQ0JA2E1GdjuyLiPDHI= sha256-+5icFKDHXt3JMbUjLQGes4R+GeUi48xRgGd0yPKVrw0=

+ 1 - 1
go.toolchain.sri

@@ -1 +1 @@
-sha256-BvwZ/90izw0Ip3lh8eNkJvU46LKnOOhEXF0axkBi/Es=
+sha256-imidcDJGVor43PqdTX7Js4/tjQ0JA2E1GdjuyLiPDHI=

+ 2 - 1
pull-toolchain.sh

@@ -9,8 +9,9 @@ upstream=$(git ls-remote https://github.com/tailscale/go "$go_branch" | awk '{pr
 current=$(cat go.toolchain.rev)
 if [ "$upstream" != "$current" ]; then
 	echo "$upstream" >go.toolchain.rev
+	./update-flake.sh
 fi
 
-if [ -n "$(git diff-index --name-only HEAD -- go.toolchain.rev)" ]; then
+if [ -n "$(git diff-index --name-only HEAD -- go.toolchain.rev go.toolchain.sri go.mod.sri)" ]; then
     echo "pull-toolchain.sh: changes imported. Use git commit to make them permanent." >&2
 fi
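Review bot: `go.toolchain.rev` is overwritten before `./update-flake.sh` runs, so if the helper fails partway (a failed download or a failing `go run`), the rev file already matches upstream and the next run skips this `if` body entirely. That leaves `go.toolchain.sri` and `go.mod.sri` stale or truncated next to a new revision, with nothing to re-trigger the update, and a pinned hash that silently disagrees with the pinned revision is the failure mode the commit message describes. Because the helper reads the rev file, the smallest fix is to restore it on failure: `./update-flake.sh || { echo "$current" >go.toolchain.rev; exit 1; }`. The top of the script, including any `set -e`, is outside this hunk, so whether a failure currently aborts or is ignored cannot be confirmed from here.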

+ 1 - 1
shell.nix

@@ -7,7 +7,6 @@
 # Also look into direnv: https://direnv.net/, this can make it so that you can
 # automatically get your environment set up when you change folders into the
 # project.
-
 (import (
   let
     lock = builtins.fromJSON (builtins.readFile ./flake.lock);
@@ -17,3 +16,4 @@
 ) {
   src =  ./.;
 }).shellNix
+# nix-direnv cache busting line: sha256-imidcDJGVor43PqdTX7Js4/tjQ0JA2E1GdjuyLiPDHI= sha256-+5icFKDHXt3JMbUjLQGes4R+GeUi48xRgGd0yPKVrw0=

+ 25 - 0
update-flake.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+# Updates SRI hashes for flake.nix.
+
+set -eu
+
+REV=$(cat go.toolchain.rev)
+
+OUT=$(mktemp -d -t nar-hash-XXXXXX)
+rm -rf $OUT
+
+mkdir $OUT
+curl --silent -L https://github.com/tailscale/go/archive/refs/tags/build-$REV.tar.gz | tar -zx -C $OUT --strip-components 1
+go run tailscale.com/cmd/nardump --sri $OUT >go.toolchain.sri
+rm -rf $OUT
+
+go mod vendor -o $OUT
+go run tailscale.com/cmd/nardump --sri $OUT >go.mod.sri
+rm -rf $OUT
+
+# nix-direnv only watches the top-level nix file for changes. As a
+# result, when we change a referenced SRI file, we have to cause some
+# change to shell.nix and flake.nix as well, so that nix-direnv
+# notices and reevaluates everything. Sigh.
+perl -pi -e "s,# nix-direnv cache busting line:.*,# nix-direnv cache busting line: $(cat go.toolchain.sri) $(cat go.mod.sri)," shell.nix
+perl -pi -e "s,# nix-direnv cache busting line:.*,# nix-direnv cache busting line: $(cat go.toolchain.sri) $(cat go.mod.sri)," flake.nix
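Review bot: The temp-directory handling throws away what `mktemp -d` provides: the directory is deleted right after creation and the same name is reused twice (`mkdir $OUT`, then `go mod vendor -o $OUT`), so the tree that gets hashed into the SRI files lives at a known path in a shared temp dir rather than in the private directory mktemp made. `$OUT` is also unquoted in every `rm -rf`, and with `set -e` any failure leaves the directory behind because there is no trap. I would keep the mktemp directory, work in subdirectories of it, quote every expansion and clean up in an EXIT trap. Adding `--fail` to curl is worthwhile too, since without it an HTTP error page is piped into tar and the script relies on tar rejecting it. This assumes nardump hashes only the contents of the tree it is given, so moving to a subdirectory should not change the output; confirm before merging.

```sh
OUT=$(mktemp -d -t nar-hash-XXXXXX)
trap 'rm -rf "$OUT"' EXIT

mkdir "$OUT/toolchain"
curl --fail --silent --show-error -L "https://github.com/tailscale/go/archive/refs/tags/build-$REV.tar.gz" | tar -zx -C "$OUT/toolchain" --strip-components 1
go run tailscale.com/cmd/nardump --sri "$OUT/toolchain" >go.toolchain.sri

go mod vendor -o "$OUT/vendor"
go run tailscale.com/cmd/nardump --sri "$OUT/vendor" >go.mod.sri
# … unchanged: perl cache-busting edits to shell.nix and flake.nix …
```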