commit 5a622e45e3b85282c9d0c8de42c0c4f3887c0a6b Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Date: Sat Dec 28 22:37:19 2024 +0000 Deploy to GitHub pages diff --git a/CNAME b/CNAME new file mode 100644 index 0000000..4f7e6a8 --- /dev/null +++ b/CNAME @@ -0,0 +1 @@ +blog.youwen.dev diff --git a/a-haskellian-blog.html b/a-haskellian-blog.html new file mode 100644 index 0000000..6722cf4 --- /dev/null +++ b/a-haskellian-blog.html @@ -0,0 +1,269 @@ + + + + a haskellian blog | conditional finality + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+

+ Conditional Finality. +

+
+
+

+ a web-log about computers, math, hacks, and all the rest. +

+ by Youwen Wu + | + + | + +
+
+
+

+ a haskellian blog +

+

+ a purely functional...blog? +

+
2024-05-25
+
+ (last updated: 2024-05-25T12:00:00Z) +
+
+

Welcome! This is the first post on conditional finality and also one that tests all +of the features.

+

conditional finality

+
+

A monad is just a monoid in the category of endofunctors, what’s the problem?

+
+

haskell?

+

This entire blog is generated with hakyll. It’s +a library for generating static sites for Haskell, a purely functional +programming language. It’s a library because it doesn’t come with as many +batteries included as tools like Hugo or Astro. You set up most of the site +yourself by calling the library from Haskell.

+

Here’s a brief excerpt:

+
main :: IO ()
+main = hakyllWith config $ do
+    forM_
+        [ "CNAME"
+        , "favicon.ico"
+        , "robots.txt"
+        , "_config.yml"
+        , "images/*"
+        , "out/*"
+        , "fonts/*"
+        ]
+        $ \f -> match f $ do
+            route idRoute
+            compile copyFileCompiler
+

The code highlighting is also generated by hakyll.

+
+

why?

+

Haskell is a purely functional language with no mutable state. Its syntax +actually makes it pretty elegant for declaring routes and “rendering” pipelines.

+
    +
  1. Haskell is cool.
    2. +
  2. It comes with enough features that I don’t feel like I have to build +everything from scratch.
    3. +
  3. It comes with Pandoc, a Haskell library for converting between markdown +formats. It’s probably more powerful than anything you could do in nodejs. +It renders all of the markdown to HTML as well as the math. +
      +
    1. It supports KaTeX as well as MathML. I’m a little disappointed with the +KaTeX though. It doesn’t directly render it, but simply injects the KaTeX +files and renders it client-side.
      2. +
    4. +
+

speaking of math

+

We can have math inline, like so: +ex2dx=π\int_{-\infty}^\infty \, e^{-x^2}\,dx = \sqrt{\pi}. This site ships semantic +MathML math with its HTML, and the MathJax script to the client.

+

It’d be nice if MathML could just be used and supported across all browsers, but +unfortunately we still aren’t quite there yet. Firefox is the only one where +everything looks 80% of the way to LaTeX. On Safari and Chrome, even simple +equations like π\sqrt{\pi} render improperly.

+

Pros of MathML:

+ +

Cons:

+ +

This site has MathJax render all of the math so it looks nice and standardized +across browsers, but the math still displays regardless (like say if MathJax +couldn’t load due to slow network) because of MathML. Best of both worlds.

+

Let’s try it now. Here’s a simple theorem:

+

an+bncn{a,b,c}n3 +a^n + b^n \ne c^n \, \forall\,\left\{ a,\,b,\,c \right\} \in \mathbb{Z} \land n \ge 3 +

+

The proof is trivial and will be left as an exercise to the reader.

+

seems a little overengineered

+

Probably is. Not as much as the old one, though.

+
+ + + + + diff --git a/atom.xml b/atom.xml new file mode 100644 index 0000000..39628e0 --- /dev/null +++ b/atom.xml @@ -0,0 +1,383 @@ + + + conditional finality + + + https://blog.youwen.dev/atom.xml + + Youwen Wu + youwenw@gmail.com + + 2024-12-28T00:00:00Z + + Nix automatic hash updates made easy + + https://blog.youwen.dev/nix-automatic-hash-updates-made-easy.html + 2024-12-28T00:00:00Z + 2024-12-28T00:00:00Z + +
+

+ Nix automatic hash updates made easy +

+

+ keep your flakes up to date +

+
2024-12-28
+
+ +
+
+

Nix users often create flakes to package software out of tree, like this Zen +Browser flake I’ve been +maintaining. Keeping them up to date is a hassle though, since you have to +update the Subresource Integrity (SRI) hashes that Nix uses to ensure +reproducibility.

+

Here’s a neat method I’ve been using to cleanly handle automatic hash updates. +I use Nushell to easily work with data, prefetch +some hashes, and put it all in a JSON file that can be read by Nix at build +time.

+

First, let’s create a file called update.nu. At the top, place this shebang:

+
#!/usr/bin/env -S nix shell nixpkgs#nushell --command nu
+

This will execute the script in a Nushell environment, which is fetched by Nix.

+

Get the up to date URLs

+

We need to obtain the latest version of whatever software we want to update. +In this case, I’ll use GitHub releases as my source of truth.

+

You can use the GitHub API to fetch metadata about all the releases of a repository.

+
https://api.github.com/repos/($repo)/releases
+

Roughly speaking, the raw JSON returned by the GitHub releases API looks something like:

+
[
+   {tag_name: "foo", prerelease: false, ...},
+   {tag_name: "bar", prerelease: true, ...},
+   {tag_name: "foobar", prerelease: false, ...},
+]
+
+

Note that the ordering of the objects in the array is chronological.

+
+

Even if you aren’t using GitHub releases, as long as there is a reliable way to +programmatically fetch the latest download URLs of whatever software you’re +packaging, you can adapt this approach for your specific case.

+
+

We use Nushell’s http get to make a network request. Nushell will +automatically detect and parse the JSON reponse into a Nushell table.

+

In my case, Zen Browser frequently publishes prerelease “twilight” builds which +we don’t want to update to. So, we ignore any releases tagged “twilight” or +marked “prerelease” by filtering them out with the where selector.

+

Finally, we retrieve the tag name of the item at the first index, which would +be the latest release (since the JSON array was chronologically sorted).

+
#!/usr/bin/env -S nix shell nixpkgs#nushell --command nu
+
+# get the latest tag of the latest release that isn't a prerelease
+def get_latest_release [repo: string] {
+  try {
+	http get $"https://api.github.com/repos/($repo)/releases"
+	  | where prerelease == false
+	  | where tag_name != "twilight"
+	  | get tag_name
+	  | get 0
+  } catch { |err| $"Failed to fetch latest release, aborting: ($err.msg)" }
+}
+

Prefetching SRI hashes

+

Now that we have the latest tags, we can easily obtain the latest download URLs, which are of the form:

+
https://github.com/zen-browser/desktop/releases/download/$tag/zen.linux-x86_64.tar.bz2
+https://github.com/zen-browser/desktop/releases/download/$tag/zen.aarch64-x86_64.tar.bz2
+

However, we still need the corresponding SRI hashes to pass to Nix.

+
src = fetchurl {
+   url = "https://github.com/zen-browser/desktop/releases/download/1.0.2-b.5/zen.linux-x86_64.tar.bz2";
+   hash = "sha256-00000000000000000000000000000000000000000000";
+};
+

The easiest way to obtain these new hashes is to update the URL and then set +the hash property to an empty string (""). Nix will spit out an hash mismatch +error with the correct hash. However, this is inconvenient for automated +command line scripting.

+

The Nix documentation mentions +nix-prefetch-url +as a way to obtain these hashes, but as usual, it doesn’t work quite right and +has also been replaced by a more powerful but underdocumented experimental +feature instead.

+

The nix store +prefetch-file +command does what nix-prefetch-url is supposed to do, but handles the caveats +that lead to the wrong hash being produced automatically.

+

Let’s write a Nushell function that outputs the SRI hash of the given URL. We +tell prefetch-file to output structured JSON that we can parse.

+

Since Nushell is a shell, we can directly invoke shell commands like usual, +and then process their output with pipes.

+
def get_nix_hash [url: string] {
+  nix store prefetch-file --hash-type sha256 --json $url | from json | get hash
+}
+

Cool! Now get_nix_hash can give us SRI hashes that look like this:

+
sha256-K3zTCLdvg/VYQNsfeohw65Ghk8FAjhOl8hXU6REO4/s=
+

Putting it all together

+

Now that we’re able to fetch the latest release, obtain the download URLs, and +compute their SRI hashes, we have all the information we need to make an +automated update. However, these URLs are typically hardcoded in our Nix +expressions. The question remains as to how to update these values.

+

A common way I’ve seen updates performed is using something like sed to +modify the Nix expressions in place. However, there’s actually a more +maintainable and easy to understand approach.

+

Let’s have our Nushell script generate the URLs and hashes and place them in a +JSON file! Then, we’ll be able to read the JSON file from Nix and obtain the +URL and hash.

+
def generate_sources [] {
+  let tag = get_latest_release "zen-browser/desktop"
+  let prev_sources = open ./sources.json
+
+  if $tag == $prev_sources.version {
+	# everything up to date
+	return $tag
+  }
+
+  # generate the download URLs with the new tag
+  let x86_64_url = $"https://github.com/zen-browser/desktop/releases/download/($tag)/zen.linux-x86_64.tar.bz2"
+  let aarch64_url = $"https://github.com/zen-browser/desktop/releases/download/($tag)/zen.linux-aarch64.tar.bz2"
+
+  # create a Nushell record that maps cleanly to JSON
+  let sources = {
+    # add a version field as well for convenience
+	version: $tag
+
+	x86_64-linux: {
+	  url:  $x86_64_url
+	  hash: (get_nix_hash $x86_64_url)
+	}
+	aarch64-linux: {
+	  url: $aarch64_url
+	  hash: (get_nix_hash $aarch64_url)
+	}
+  }
+
+  echo $sources | save --force "sources.json"
+
+  return $tag
+}
+

Running this script with

+
chmod +x ./update.nu
+./update.nu
+

gives us the file sources.json:

+
{
+  "version": "1.0.2-b.5",
+  "x86_64-linux": {
+    "url": "https://github.com/zen-browser/desktop/releases/download/1.0.2-b.5/zen.linux-x86_64.tar.bz2",
+    "hash": "sha256-K3zTCLdvg/VYQNsfeohw65Ghk8FAjhOl8hXU6REO4/s="
+  },
+  "aarch64-linux": {
+    "url": "https://github.com/zen-browser/desktop/releases/download/1.0.2-b.5/zen.linux-aarch64.tar.bz2",
+    "hash": "sha256-NwIYylGal2QoWhWKtMhMkAAJQ6iNHfQOBZaxTXgvxAk="
+  }
+}
+

Now, let’s read this from Nix. My file organization looks like the following:

+
./
+| flake.nix
+| zen-browser-unwrapped.nix
+| ...other files...
+

zen-browser-unwrapped.nix contains the derivation for Zen Browser. Let’s add +version, url, and hash to its inputs:

+
{
+  stdenv,
+  fetchurl,
+  # add these below
+  version,
+  url,
+  hash,
+  ...
+}:
+stdenv.mkDerivation {
+   # inherit version from inputs
+  inherit version;
+  pname = "zen-browser-unwrapped";
+
+  src = fetchurl {
+    # inherit the URL and hash we obtain from the inputs
+    inherit url hash;
+  };
+}
+

Then in flake.nix, let’s provide the derivation with the data from sources.json:

+
let
+   supportedSystems = [
+     "x86_64-linux"
+     "aarch64-linux"
+   ];
+   forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
+in
+{
+   # rest of file omitted for simplicity
+   packages = forAllSystems (
+     system:
+     let
+       pkgs = import nixpkgs { inherit system; };
+       # parse sources.json into a Nix attrset
+       sources = builtins.fromJSON (builtins.readFile ./sources.json);
+     in
+     rec {
+       zen-browser-unwrapped = pkgs.callPackage ./zen-browser-unwrapped.nix {
+         inherit (sources.${system}) hash url;
+         inherit (sources) version;
+
+         # if the above is difficult to understand, it is equivalent to the following:
+         hash = sources.${system}.hash;
+         url = sources.${system}.url;
+         version = sources.version;
+       };
+}
+

Now, running nix build .#zen-browser-unwrapped will be able to use the hashes +and URLs from sources.json to build the package!

+

Automating it in CI

+

We now have a script that can automatically fetch releases and generate hashes +and URLs, as well as a way for Nix to use the outputted JSON to build +derivations. All that’s left is to fully automate it using CI!

+

We are going to use GitHub actions for this, as it’s free and easy and you’re +probably already hosting on GitHub.

+

Ensure you’ve set up actions for your repo and given it sufficient permissions.

+

We’re gonna run it on a cron timer that checks for updates at 8 PM PST every day.

+

We use DeterminateSystems’ actions to help set up Nix. Then, we simply run our +update script. Since we made the script return the tag it fetched, we can store +it in a variable and then use it in our commit message.

+
name: Update to latest version, and update flake inputs
+
+on:
+  schedule:
+    - cron: "0 4 * * *"
+  workflow_dispatch:
+
+jobs:
+  update:
+    name: Update flake inputs and browser
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Check flake inputs
+        uses: DeterminateSystems/flake-checker-action@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Set up magic Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Check for update and perform update
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+          chmod +x ./update.nu
+          export ZEN_LATEST_VER="$(./update.nu)"
+
+          git add -A
+          git commit -m "github-actions: update to $ZEN_LATEST_VER" || echo "Latest version is $ZEN_LATEST_VER, no updates found"
+
+          nix flake update --commit-lock-file
+
+          git push
+

Now, our repository will automatically check for and perform updates every day!

+ +]]> + + + a haskellian blog + + https://blog.youwen.dev/a-haskellian-blog.html + 2024-05-25T00:00:00Z + 2024-05-25T12:00:00Z + +
+

+ a haskellian blog +

+

+ a purely functional...blog? +

+
2024-05-25
+
+ (last updated: 2024-05-25T12:00:00Z) +
+
+

Welcome! This is the first post on conditional finality and also one that tests all +of the features.

+

conditional finality

+
+

A monad is just a monoid in the category of endofunctors, what’s the problem?

+
+

haskell?

+

This entire blog is generated with hakyll. It’s +a library for generating static sites for Haskell, a purely functional +programming language. It’s a library because it doesn’t come with as many +batteries included as tools like Hugo or Astro. You set up most of the site +yourself by calling the library from Haskell.

+

Here’s a brief excerpt:

+
main :: IO ()
+main = hakyllWith config $ do
+    forM_
+        [ "CNAME"
+        , "favicon.ico"
+        , "robots.txt"
+        , "_config.yml"
+        , "images/*"
+        , "out/*"
+        , "fonts/*"
+        ]
+        $ \f -> match f $ do
+            route idRoute
+            compile copyFileCompiler
+

The code highlighting is also generated by hakyll.

+
+

why?

+

Haskell is a purely functional language with no mutable state. Its syntax +actually makes it pretty elegant for declaring routes and “rendering” pipelines.

+
    +
  1. Haskell is cool.
    2. +
  2. It comes with enough features that I don’t feel like I have to build +everything from scratch.
    3. +
  3. It comes with Pandoc, a Haskell library for converting between markdown +formats. It’s probably more powerful than anything you could do in nodejs. +It renders all of the markdown to HTML as well as the math. +
      +
    1. It supports KaTeX as well as MathML. I’m a little disappointed with the +KaTeX though. It doesn’t directly render it, but simply injects the KaTeX +files and renders it client-side.
      2. +
    4. +
+

speaking of math

+

We can have math inline, like so: +ex2dx=π\int_{-\infty}^\infty \, e^{-x^2}\,dx = \sqrt{\pi}. This site ships semantic +MathML math with its HTML, and the MathJax script to the client.

+

It’d be nice if MathML could just be used and supported across all browsers, but +unfortunately we still aren’t quite there yet. Firefox is the only one where +everything looks 80% of the way to LaTeX. On Safari and Chrome, even simple +equations like π\sqrt{\pi} render improperly.

+

Pros of MathML:

+
    +
  • A little more accessible
    • +
  • Can be rendered without additional stylesheets. I just installed the Latin +Modern font, but this isn’t even really necessary
    • +
  • Built-in to most browsers (#UseThePlatform)
    • +
+

Cons:

+
    +
  • Isn’t fully standardized. Might look different on different browsers
    • +
  • Rendering quality isn’t as good as KaTeX
    • +
+

This site has MathJax render all of the math so it looks nice and standardized +across browsers, but the math still displays regardless (like say if MathJax +couldn’t load due to slow network) because of MathML. Best of both worlds.

+

Let’s try it now. Here’s a simple theorem:

+

an+bncn{a,b,c}n3 +a^n + b^n \ne c^n \, \forall\,\left\{ a,\,b,\,c \right\} \in \mathbb{Z} \land n \ge 3 +

+

The proof is trivial and will be left as an exercise to the reader.

+

seems a little overengineered

+

Probably is. Not as much as the old one, though.

+ +]]> + + + diff --git a/css/code.css b/css/code.css new file mode 100644 index 0000000..9745de8 --- /dev/null +++ b/css/code.css @@ -0,0 +1 @@ +pre>code.sourceCode{white-space:pre;position:relative}pre>code.sourceCode>span{line-height:1.25}pre>code.sourceCode>span:empty{height:1.2em}.sourceCode{overflow:visible}code.sourceCode>span{color:inherit;text-decoration:inherit}div.sourceCode{margin:1em 0}pre.sourceCode{margin:0}@media screen{div.sourceCode{overflow:auto}}@media print{pre>code.sourceCode{white-space:pre-wrap}pre>code.sourceCode>span{text-indent:-5em;padding-left:5em}}pre.numberSource code{counter-reset:source-line 0}pre.numberSource code>span{position:relative;left:-4em;counter-increment:source-line}pre.numberSource code>span>a:first-child::before{content:counter(source-line);position:relative;left:-1em;text-align:right;vertical-align:baseline;border:none;display:inline-block;-webkit-touch-callout:none;-webkit-user-select:none;-khtml-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;padding:0 4px;width:4em;background-color:#232629;color:#7a7c7d}pre.numberSource{margin-left:3em;border-left:1px solid #7a7c7d;padding-left:4px}div.sourceCode{color:#cfcfc2;background-color:#232629}@media screen{pre>code.sourceCode>span>a:first-child::before{text-decoration:underline}}code span{color:#cfcfc2}code span.al{color:#95da4c;background-color:#4d1f24;font-weight:bold}code span.an{color:#3f8058}code span.at{color:#2980b9}code span.bn{color:#f67400}code span.bu{color:#7f8c8d}code span.cf{color:#fdbc4b;font-weight:bold}code span.ch{color:#3daee9}code span.cn{color:#27aeae;font-weight:bold}code span.co{color:#7a7c7d}code span.cv{color:#7f8c8d}code span.do{color:#a43340}code span.dt{color:#2980b9}code span.dv{color:#f67400}code span.er{color:#da4453;text-decoration:underline}code span.ex{color:#0099ff;font-weight:bold}code span.fl{color:#f67400}code span.fu{color:#8e44ad}code span.im{color:#27ae60}code span.in{color:#c45b00}code span.kw{color:#cfcfc2;font-weight:bold}code span.op{color:#cfcfc2}code span.ot{color:#27ae60}code span.pp{color:#27ae60}code span.re{color:#2980b9;background-color:#153042}code span.sc{color:#3daee9}code span.ss{color:#da4453}code span.st{color:#f44f4f}code span.va{color:#27aeae}code span.vs{color:#da4453}code span.wa{color:#da4453} \ No newline at end of file diff --git a/favicon.ico b/favicon.ico new file mode 100644 index 0000000..2096d33 Binary files /dev/null and b/favicon.ico differ diff --git a/images/conditional-finality.png b/images/conditional-finality.png new file mode 100644 index 0000000..6673b58 Binary files /dev/null and b/images/conditional-finality.png differ diff --git a/index.html b/index.html new file mode 100644 index 0000000..6b62e46 --- /dev/null +++ b/index.html @@ -0,0 +1,220 @@ + + + + youwen wu | conditional finality + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+

+ Conditional Finality. +

+
+
+

+ a web-log about computers, math, hacks, and all the rest. +

+ by Youwen Wu + | + + | + +
+
+
+

Latest

+
+ +
+
+ + + + + diff --git a/nix-automatic-hash-updates-made-easy.html b/nix-automatic-hash-updates-made-easy.html new file mode 100644 index 0000000..bb241be --- /dev/null +++ b/nix-automatic-hash-updates-made-easy.html @@ -0,0 +1,435 @@ + + + + Nix automatic hash updates made easy | conditional finality + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+

+ Conditional Finality. +

+
+
+

+ a web-log about computers, math, hacks, and all the rest. +

+ by Youwen Wu + | + + | + +
+
+
+

+ Nix automatic hash updates made easy +

+

+ keep your flakes up to date +

+
2024-12-28
+
+ +
+
+

Nix users often create flakes to package software out of tree, like this Zen +Browser flake I’ve been +maintaining. Keeping them up to date is a hassle though, since you have to +update the Subresource Integrity (SRI) hashes that Nix uses to ensure +reproducibility.

+

Here’s a neat method I’ve been using to cleanly handle automatic hash updates. +I use Nushell to easily work with data, prefetch +some hashes, and put it all in a JSON file that can be read by Nix at build +time.

+

First, let’s create a file called update.nu. At the top, place this shebang:

+
#!/usr/bin/env -S nix shell nixpkgs#nushell --command nu
+

This will execute the script in a Nushell environment, which is fetched by Nix.

+

Get the up to date URLs

+

We need to obtain the latest version of whatever software we want to update. +In this case, I’ll use GitHub releases as my source of truth.

+

You can use the GitHub API to fetch metadata about all the releases of a repository.

+
https://api.github.com/repos/($repo)/releases
+

Roughly speaking, the raw JSON returned by the GitHub releases API looks something like:

+
[
+   {tag_name: "foo", prerelease: false, ...},
+   {tag_name: "bar", prerelease: true, ...},
+   {tag_name: "foobar", prerelease: false, ...},
+]
+
+

Note that the ordering of the objects in the array is chronological.

+
+

Even if you aren’t using GitHub releases, as long as there is a reliable way to +programmatically fetch the latest download URLs of whatever software you’re +packaging, you can adapt this approach for your specific case.

+
+

We use Nushell’s http get to make a network request. Nushell will +automatically detect and parse the JSON reponse into a Nushell table.

+

In my case, Zen Browser frequently publishes prerelease “twilight” builds which +we don’t want to update to. So, we ignore any releases tagged “twilight” or +marked “prerelease” by filtering them out with the where selector.

+

Finally, we retrieve the tag name of the item at the first index, which would +be the latest release (since the JSON array was chronologically sorted).

+
#!/usr/bin/env -S nix shell nixpkgs#nushell --command nu
+
+# get the latest tag of the latest release that isn't a prerelease
+def get_latest_release [repo: string] {
+  try {
+	http get $"https://api.github.com/repos/($repo)/releases"
+	  | where prerelease == false
+	  | where tag_name != "twilight"
+	  | get tag_name
+	  | get 0
+  } catch { |err| $"Failed to fetch latest release, aborting: ($err.msg)" }
+}
+

Prefetching SRI hashes

+

Now that we have the latest tags, we can easily obtain the latest download URLs, which are of the form:

+
https://github.com/zen-browser/desktop/releases/download/$tag/zen.linux-x86_64.tar.bz2
+https://github.com/zen-browser/desktop/releases/download/$tag/zen.aarch64-x86_64.tar.bz2
+

However, we still need the corresponding SRI hashes to pass to Nix.

+
src = fetchurl {
+   url = "https://github.com/zen-browser/desktop/releases/download/1.0.2-b.5/zen.linux-x86_64.tar.bz2";
+   hash = "sha256-00000000000000000000000000000000000000000000";
+};
+

The easiest way to obtain these new hashes is to update the URL and then set +the hash property to an empty string (""). Nix will spit out an hash mismatch +error with the correct hash. However, this is inconvenient for automated +command line scripting.

+

The Nix documentation mentions +nix-prefetch-url +as a way to obtain these hashes, but as usual, it doesn’t work quite right and +has also been replaced by a more powerful but underdocumented experimental +feature instead.

+

The nix store +prefetch-file +command does what nix-prefetch-url is supposed to do, but handles the caveats +that lead to the wrong hash being produced automatically.

+

Let’s write a Nushell function that outputs the SRI hash of the given URL. We +tell prefetch-file to output structured JSON that we can parse.

+

Since Nushell is a shell, we can directly invoke shell commands like usual, +and then process their output with pipes.

+
def get_nix_hash [url: string] {
+  nix store prefetch-file --hash-type sha256 --json $url | from json | get hash
+}
+

Cool! Now get_nix_hash can give us SRI hashes that look like this:

+
sha256-K3zTCLdvg/VYQNsfeohw65Ghk8FAjhOl8hXU6REO4/s=
+

Putting it all together

+

Now that we’re able to fetch the latest release, obtain the download URLs, and +compute their SRI hashes, we have all the information we need to make an +automated update. However, these URLs are typically hardcoded in our Nix +expressions. The question remains as to how to update these values.

+

A common way I’ve seen updates performed is using something like sed to +modify the Nix expressions in place. However, there’s actually a more +maintainable and easy to understand approach.

+

Let’s have our Nushell script generate the URLs and hashes and place them in a +JSON file! Then, we’ll be able to read the JSON file from Nix and obtain the +URL and hash.

+
def generate_sources [] {
+  let tag = get_latest_release "zen-browser/desktop"
+  let prev_sources = open ./sources.json
+
+  if $tag == $prev_sources.version {
+	# everything up to date
+	return $tag
+  }
+
+  # generate the download URLs with the new tag
+  let x86_64_url = $"https://github.com/zen-browser/desktop/releases/download/($tag)/zen.linux-x86_64.tar.bz2"
+  let aarch64_url = $"https://github.com/zen-browser/desktop/releases/download/($tag)/zen.linux-aarch64.tar.bz2"
+
+  # create a Nushell record that maps cleanly to JSON
+  let sources = {
+    # add a version field as well for convenience
+	version: $tag
+
+	x86_64-linux: {
+	  url:  $x86_64_url
+	  hash: (get_nix_hash $x86_64_url)
+	}
+	aarch64-linux: {
+	  url: $aarch64_url
+	  hash: (get_nix_hash $aarch64_url)
+	}
+  }
+
+  echo $sources | save --force "sources.json"
+
+  return $tag
+}
+

Running this script with

+
chmod +x ./update.nu
+./update.nu
+

gives us the file sources.json:

+
{
+  "version": "1.0.2-b.5",
+  "x86_64-linux": {
+    "url": "https://github.com/zen-browser/desktop/releases/download/1.0.2-b.5/zen.linux-x86_64.tar.bz2",
+    "hash": "sha256-K3zTCLdvg/VYQNsfeohw65Ghk8FAjhOl8hXU6REO4/s="
+  },
+  "aarch64-linux": {
+    "url": "https://github.com/zen-browser/desktop/releases/download/1.0.2-b.5/zen.linux-aarch64.tar.bz2",
+    "hash": "sha256-NwIYylGal2QoWhWKtMhMkAAJQ6iNHfQOBZaxTXgvxAk="
+  }
+}
+

Now, let’s read this from Nix. My file organization looks like the following:

+
./
+| flake.nix
+| zen-browser-unwrapped.nix
+| ...other files...
+

zen-browser-unwrapped.nix contains the derivation for Zen Browser. Let’s add +version, url, and hash to its inputs:

+
{
+  stdenv,
+  fetchurl,
+  # add these below
+  version,
+  url,
+  hash,
+  ...
+}:
+stdenv.mkDerivation {
+   # inherit version from inputs
+  inherit version;
+  pname = "zen-browser-unwrapped";
+
+  src = fetchurl {
+    # inherit the URL and hash we obtain from the inputs
+    inherit url hash;
+  };
+}
+

Then in flake.nix, let’s provide the derivation with the data from sources.json:

+
let
+   supportedSystems = [
+     "x86_64-linux"
+     "aarch64-linux"
+   ];
+   forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
+in
+{
+   # rest of file omitted for simplicity
+   packages = forAllSystems (
+     system:
+     let
+       pkgs = import nixpkgs { inherit system; };
+       # parse sources.json into a Nix attrset
+       sources = builtins.fromJSON (builtins.readFile ./sources.json);
+     in
+     rec {
+       zen-browser-unwrapped = pkgs.callPackage ./zen-browser-unwrapped.nix {
+         inherit (sources.${system}) hash url;
+         inherit (sources) version;
+
+         # if the above is difficult to understand, it is equivalent to the following:
+         hash = sources.${system}.hash;
+         url = sources.${system}.url;
+         version = sources.version;
+       };
+}
+

Now, running nix build .#zen-browser-unwrapped will be able to use the hashes +and URLs from sources.json to build the package!

+

Automating it in CI

+

We now have a script that can automatically fetch releases and generate hashes +and URLs, as well as a way for Nix to use the outputted JSON to build +derivations. All that’s left is to fully automate it using CI!

+

We are going to use GitHub actions for this, as it’s free and easy and you’re +probably already hosting on GitHub.

+

Ensure you’ve set up actions for your repo and given it sufficient permissions.

+

We’re gonna run it on a cron timer that checks for updates at 8 PM PST every day.

+

We use DeterminateSystems’ actions to help set up Nix. Then, we simply run our +update script. Since we made the script return the tag it fetched, we can store +it in a variable and then use it in our commit message.

+
name: Update to latest version, and update flake inputs
+
+on:
+  schedule:
+    - cron: "0 4 * * *"
+  workflow_dispatch:
+
+jobs:
+  update:
+    name: Update flake inputs and browser
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Check flake inputs
+        uses: DeterminateSystems/flake-checker-action@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Set up magic Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Check for update and perform update
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+          chmod +x ./update.nu
+          export ZEN_LATEST_VER="$(./update.nu)"
+
+          git add -A
+          git commit -m "github-actions: update to $ZEN_LATEST_VER" || echo "Latest version is $ZEN_LATEST_VER, no updates found"
+
+          nix flake update --commit-lock-file
+
+          git push
+

Now, our repository will automatically check for and perform updates every day!

+
+ + + + + diff --git a/out/bundle.css b/out/bundle.css new file mode 100644 index 0000000..816def2 --- /dev/null +++ b/out/bundle.css @@ -0,0 +1 @@ +@import url("https://fonts.googleapis.com/css2?family=Merriweather:ital,wght@0,300;0,400;0,700;0,900;1,300;1,400;1,700;1,900&display=swap");@import url("https://fonts.googleapis.com/css2?family=Open+Sans:ital,wght@0,300..800;1,300..800&display=swap");*,::before,::after{--tw-border-spacing-x:0;--tw-border-spacing-y:0;--tw-translate-x:0;--tw-translate-y:0;--tw-rotate:0;--tw-skew-x:0;--tw-skew-y:0;--tw-scale-x:1;--tw-scale-y:1;--tw-pan-x:;--tw-pan-y:;--tw-pinch-zoom:;--tw-scroll-snap-strictness:proximity;--tw-gradient-from-position:;--tw-gradient-via-position:;--tw-gradient-to-position:;--tw-ordinal:;--tw-slashed-zero:;--tw-numeric-figure:;--tw-numeric-spacing:;--tw-numeric-fraction:;--tw-ring-inset:;--tw-ring-offset-width:0px;--tw-ring-offset-color:#fff;--tw-ring-color:rgb(59 130 246/0.5);--tw-ring-offset-shadow:0 0 #0000;--tw-ring-shadow:0 0 #0000;--tw-shadow:0 0 #0000;--tw-shadow-colored:0 0 #0000;--tw-blur:;--tw-brightness:;--tw-contrast:;--tw-grayscale:;--tw-hue-rotate:;--tw-invert:;--tw-saturate:;--tw-sepia:;--tw-drop-shadow:;--tw-backdrop-blur:;--tw-backdrop-brightness:;--tw-backdrop-contrast:;--tw-backdrop-grayscale:;--tw-backdrop-hue-rotate:;--tw-backdrop-invert:;--tw-backdrop-opacity:;--tw-backdrop-saturate:;--tw-backdrop-sepia:;--tw-contain-size:;--tw-contain-layout:;--tw-contain-paint:;--tw-contain-style:}::backdrop{--tw-border-spacing-x:0;--tw-border-spacing-y:0;--tw-translate-x:0;--tw-translate-y:0;--tw-rotate:0;--tw-skew-x:0;--tw-skew-y:0;--tw-scale-x:1;--tw-scale-y:1;--tw-pan-x:;--tw-pan-y:;--tw-pinch-zoom:;--tw-scroll-snap-strictness:proximity;--tw-gradient-from-position:;--tw-gradient-via-position:;--tw-gradient-to-position:;--tw-ordinal:;--tw-slashed-zero:;--tw-numeric-figure:;--tw-numeric-spacing:;--tw-numeric-fraction:;--tw-ring-inset:;--tw-ring-offset-width:0px;--tw-ring-offset-color:#fff;--tw-ring-color:rgb(59 130 246/0.5);--tw-ring-offset-shadow:0 0 #0000;--tw-ring-shadow:0 0 #0000;--tw-shadow:0 0 #0000;--tw-shadow-colored:0 0 #0000;--tw-blur:;--tw-brightness:;--tw-contrast:;--tw-grayscale:;--tw-hue-rotate:;--tw-invert:;--tw-saturate:;--tw-sepia:;--tw-drop-shadow:;--tw-backdrop-blur:;--tw-backdrop-brightness:;--tw-backdrop-contrast:;--tw-backdrop-grayscale:;--tw-backdrop-hue-rotate:;--tw-backdrop-invert:;--tw-backdrop-opacity:;--tw-backdrop-saturate:;--tw-backdrop-sepia:;--tw-contain-size:;--tw-contain-layout:;--tw-contain-paint:;--tw-contain-style:}/* ! tailwindcss v3.4.14 | MIT License | https://tailwindcss.com */*,::before,::after{box-sizing:border-box;border-width:0;border-style:solid;border-color:#e5e7eb}::before,::after{--tw-content:''}html,:host{line-height:1.5;-webkit-text-size-adjust:100%;-moz-tab-size:4;-o-tab-size:4;tab-size:4;font-family:Open Sans,sans-serif;font-feature-settings:normal;font-variation-settings:normal;-webkit-tap-highlight-color:transparent}body{margin:0;line-height:inherit}hr{height:0;color:inherit;border-top-width:1px}abbr:where([title]){-webkit-text-decoration:underline dotted;text-decoration:underline dotted}h1,h2,h3,h4,h5,h6{font-size:inherit;font-weight:inherit}a{color:inherit;text-decoration:inherit}b,strong{font-weight:bolder}code,kbd,samp,pre{font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace;font-feature-settings:normal;font-variation-settings:normal;font-size:1em}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sub{bottom:-0.25em}sup{top:-0.5em}table{text-indent:0;border-color:inherit;border-collapse:collapse}button,input,optgroup,select,textarea{font-family:inherit;font-feature-settings:inherit;font-variation-settings:inherit;font-size:100%;font-weight:inherit;line-height:inherit;letter-spacing:inherit;color:inherit;margin:0;padding:0}button,select{text-transform:none}button,input:where([type='button']),input:where([type='reset']),input:where([type='submit']){-webkit-appearance:button;background-color:transparent;background-image:none}:-moz-focusring{outline:auto}:-moz-ui-invalid{box-shadow:none}progress{vertical-align:baseline}::-webkit-inner-spin-button,::-webkit-outer-spin-button{height:auto}[type='search']{-webkit-appearance:textfield;outline-offset:-2px}::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}summary{display:list-item}blockquote,dl,dd,h1,h2,h3,h4,h5,h6,hr,figure,p,pre{margin:0}fieldset{margin:0;padding:0}legend{padding:0}ol,ul,menu{list-style:none;margin:0;padding:0}dialog{padding:0}textarea{resize:vertical}input::-moz-placeholder, textarea::-moz-placeholder{opacity:1;color:#9ca3af}input::placeholder,textarea::placeholder{opacity:1;color:#9ca3af}button,[role="button"]{cursor:pointer}:disabled{cursor:default}img,svg,video,canvas,audio,iframe,embed,object{display:block;vertical-align:middle}img,video{max-width:100%;height:auto}[hidden]:where(:not([hidden="until-found"])){display:none}body{--tw-bg-opacity:1;background-color:rgb(250 244 237/var(--tw-bg-opacity));font-family:Merriweather,serif;--tw-text-opacity:1;color:rgb(68 64 60/var(--tw-text-opacity))}body:where(.dark,.dark *){--tw-bg-opacity:1;background-color:rgb(25 23 36/var(--tw-bg-opacity));--tw-text-opacity:1;color:rgb(224 222 244/var(--tw-text-opacity))}.container{width:100%}@media (min-width:640px){.container{max-width:640px}}@media (min-width:768px){.container{max-width:768px}}@media (min-width:1024px){.container{max-width:1024px}}@media (min-width:1280px){.container{max-width:1280px}}@media (min-width:1536px){.container{max-width:1536px}}.mx-4{margin-left:1rem;margin-right:1rem}.mx-auto{margin-left:auto;margin-right:auto}.my-1{margin-top:0.25rem;margin-bottom:0.25rem}.mb-1{margin-bottom:0.25rem}.mb-14{margin-bottom:3.5rem}.mb-3{margin-bottom:0.75rem}.mb-4{margin-bottom:1rem}.ml-2{margin-left:0.5rem}.mt-1{margin-top:0.25rem}.mt-14{margin-top:3.5rem}.mt-2{margin-top:0.5rem}.mt-4{margin-top:1rem}.mt-6{margin-top:1.5rem}.mt-8{margin-top:2rem}.inline-flex{display:inline-flex}.h-0\.5{height:0.125rem}.h-1{height:0.25rem}.w-fit{width:-moz-fit-content;width:fit-content}.w-full{width:100%}.max-w-2xl{max-width:42rem}.max-w-\[200px\]{max-width:200px}.max-w-sm{max-width:24rem}.flex-shrink{flex-shrink:1}.flex-grow{flex-grow:1}.items-center{align-items:center}.space-y-4>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-top:calc(1rem * calc(1 - var(--tw-space-y-reverse)));margin-bottom:calc(1rem * var(--tw-space-y-reverse))}.text-nowrap{text-wrap:nowrap}.rounded-lg{border-radius:0.5rem}.rounded-md{border-radius:0.375rem}.rounded-xl{border-radius:0.75rem}.border-0{border-width:0px}.bg-accent-light{--tw-bg-opacity:1;background-color:rgb(121 117 147/var(--tw-bg-opacity))}.bg-muted-light{--tw-bg-opacity:1;background-color:rgb(152 147 165/var(--tw-bg-opacity))}.p-2{padding:0.5rem}.px-1{padding-left:0.25rem;padding-right:0.25rem}.px-2{padding-left:0.5rem;padding-right:0.5rem}.px-4{padding-left:1rem;padding-right:1rem}.pb-12{padding-bottom:3rem}.font-sans{font-family:Open Sans,sans-serif}.font-serif{font-family:Merriweather,serif}.text-2xl{font-size:1.5rem;line-height:2rem}.text-3xl{font-size:1.875rem;line-height:2.25rem}.text-4xl{font-size:2.25rem;line-height:2.5rem}.text-lg{font-size:1.125rem;line-height:1.75rem}.text-sm{font-size:0.875rem;line-height:1.25rem}.font-light{font-weight:300}.font-medium{font-weight:500}.italic{font-style:italic}.leading-relaxed{line-height:1.625}.tracking-wide{letter-spacing:0.025em}.text-accent-light{--tw-text-opacity:1;color:rgb(121 117 147/var(--tw-text-opacity))}.text-iris-light{--tw-text-opacity:1;color:rgb(144 122 169/var(--tw-text-opacity))}.transition-all{transition-property:all;transition-timing-function:cubic-bezier(0.4,0,0.2,1);transition-duration:150ms}.transition-colors{transition-property:color,background-color,border-color,text-decoration-color,fill,stroke;transition-timing-function:cubic-bezier(0.4,0,0.2,1);transition-duration:150ms}.duration-500{transition-duration:500ms}.duration-\[2s\]{transition-duration:2s}.external-link-muted{text-decoration-line:underline;text-decoration-color:#797593;text-decoration-color:#908caa;text-decoration-style:solid;text-decoration-thickness:2px;text-underline-offset:2px}.external-link-muted:hover{--tw-text-opacity:1;color:rgb(180 99 122/var(--tw-text-opacity))}.external-link-muted:hover:where(.dark,.dark *){--tw-text-opacity:1;color:rgb(235 111 146/var(--tw-text-opacity))}.post{h1{font-size:1.5rem;line-height:2rem}h1{font-weight:700}h2{position:relative}h2{margin-top:2rem}h2{width:-moz-fit-content;width:fit-content}h2{font-size:1.5rem;line-height:2rem}h2{font-weight:500}h2::after{position:absolute}h2::after{left:0px}h2::after{margin-top:0.5rem}h2::after{display:block}h2::after{height:0.25rem}h2::after{width:3rem}h2::after{border-radius:0.125rem}h2::after{--tw-bg-opacity:1;background-color:rgb(152 147 165/var(--tw-bg-opacity))}h2:where(.dark,.dark *)::after{--tw-bg-opacity:1;background-color:rgb(110 106 134/var(--tw-bg-opacity))}h2::after{content:""}h3,h4,h5,h6{margin-top:2rem}h3,h4,h5,h6{font-size:1.25rem;line-height:1.75rem}h3,h4,h5,h6{font-weight:500}h3,h4,h5,h6{--tw-text-opacity:1;color:rgb(121 117 147/var(--tw-text-opacity))}h3:where(.dark,.dark *),h4:where(.dark,.dark *),h5:where(.dark,.dark *),h6:where(.dark,.dark *){--tw-text-opacity:1;color:rgb(144 140 170/var(--tw-text-opacity))}p{margin-top:1rem;margin-bottom:1rem}p{overflow-x:auto}p{font-weight:300}p{line-height:2}@media (min-width:640px){p{font-size:1.125rem;line-height:1.75rem}}@media (min-width:640px){p{line-height:2}}img{margin-left:auto;margin-right:auto}img{margin-top:1.5rem;margin-bottom:1.5rem}img{border-radius:0.5rem}div.sourceCode{border-radius:0.5rem}div.sourceCode{padding:1rem}ol,ul{list-style-position:inside}ol,ul{font-weight:300}ol,ul{line-height:2}@media (min-width:640px){ol,ul{font-size:1.125rem;line-height:1.75rem}}@media (min-width:640px){ol,ul{line-height:2}}ul{list-style-type:disc}ol{list-style-type:decimal}ol ol{margin-left:1rem}ol ol{list-style-type:disc}ol ol ol{margin-left:1rem}ol ol ol{list-style-type:"-"}li{margin-top:0.25rem;margin-bottom:0.25rem}hr{margin-top:2.5rem;margin-bottom:2.5rem}hr{margin-left:auto;margin-right:auto}hr{height:0.5rem}hr{max-width:3rem}hr{border-radius:0.75rem}hr{border-width:0px}hr{--tw-bg-opacity:1;background-color:rgb(152 147 165/var(--tw-bg-opacity))}hr:where(.dark,.dark *){--tw-bg-opacity:1;background-color:rgb(110 106 134/var(--tw-bg-opacity))}blockquote{margin-top:1rem;margin-bottom:1rem}blockquote{height:-moz-fit-content;height:fit-content}blockquote{border-left-width:4px}blockquote{--tw-border-opacity:1;border-color:rgb(121 117 147/var(--tw-border-opacity))}blockquote{padding-left:1rem;padding-right:1rem}blockquote{padding-top:0.125rem;padding-bottom:0.125rem}blockquote{font-style:italic}blockquote{--tw-text-opacity:1;color:rgb(121 117 147/var(--tw-text-opacity))}blockquote:where(.dark,.dark *){--tw-border-opacity:1;border-color:rgb(144 140 170/var(--tw-border-opacity))}blockquote:where(.dark,.dark *){--tw-text-opacity:1;color:rgb(144 140 170/var(--tw-text-opacity))}blockquote>p{margin:0px}a:not(code a){text-decoration-line:underline}a:not(code a){text-decoration-color:#b4637a}a:not(code a){text-decoration-color:#eb6f92}a:not(code a){text-decoration-style:solid}a:not(code a){text-decoration-thickness:2px}a:not(code a){text-underline-offset:2px}a:not(code a):hover{--tw-text-opacity:1;color:rgb(180 99 122/var(--tw-text-opacity))}a:not(code a):hover:where(.dark,.dark *){--tw-text-opacity:1;color:rgb(235 111 146/var(--tw-text-opacity))}figure{margin-top:0.5rem;margin-bottom:0.5rem}figure{display:inline-block}figure img{margin-bottom:0.5rem}figure img{vertical-align:top}figure figcaption{text-align:center}details{margin-top:1rem;margin-bottom:1rem}details{overflow-x:auto}details{font-weight:300}details{line-height:2}@media (min-width:640px){details{font-size:1.125rem;line-height:1.75rem}}@media (min-width:640px){details{line-height:2}}details summary{margin-bottom:0.25rem}details summary{cursor:pointer}}.hover\:text-accent-light:hover{--tw-text-opacity:1;color:rgb(121 117 147/var(--tw-text-opacity))}.hover\:text-love-light:hover{--tw-text-opacity:1;color:rgb(180 99 122/var(--tw-text-opacity))}.hover\:text-muted-light:hover{--tw-text-opacity:1;color:rgb(152 147 165/var(--tw-text-opacity))}.group:hover .group-hover\:max-w-\[250px\]{max-width:250px}.group:hover .group-hover\:bg-iris-light{--tw-bg-opacity:1;background-color:rgb(144 122 169/var(--tw-bg-opacity))}.group:hover .group-hover\:text-iris-light{--tw-text-opacity:1;color:rgb(144 122 169/var(--tw-text-opacity))}.group:hover .group-hover\:text-muted-light{--tw-text-opacity:1;color:rgb(152 147 165/var(--tw-text-opacity))}@media (min-width:640px){.sm\:mr-2{margin-right:0.5rem}}@media (min-width:768px){.md\:mt-24{margin-top:6rem}.md\:space-y-8>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-top:calc(2rem * calc(1 - var(--tw-space-y-reverse)));margin-bottom:calc(2rem * var(--tw-space-y-reverse))}.md\:text-5xl{font-size:3rem;line-height:1}}.dark\:bg-accent-dark:where(.dark,.dark *){--tw-bg-opacity:1;background-color:rgb(144 140 170/var(--tw-bg-opacity))}.dark\:bg-muted-dark:where(.dark,.dark *){--tw-bg-opacity:1;background-color:rgb(110 106 134/var(--tw-bg-opacity))}.dark\:text-accent-dark:where(.dark,.dark *){--tw-text-opacity:1;color:rgb(144 140 170/var(--tw-text-opacity))}.dark\:text-iris-dark:where(.dark,.dark *){--tw-text-opacity:1;color:rgb(196 167 231/var(--tw-text-opacity))}.dark\:hover\:text-love-dark:hover:where(.dark,.dark *){--tw-text-opacity:1;color:rgb(235 111 146/var(--tw-text-opacity))}.dark\:hover\:text-muted-dark:hover:where(.dark,.dark *){--tw-text-opacity:1;color:rgb(110 106 134/var(--tw-text-opacity))}.group:hover .dark\:group-hover\:bg-iris-dark:where(.dark,.dark *){--tw-bg-opacity:1;background-color:rgb(196 167 231/var(--tw-bg-opacity))}.group:hover .dark\:group-hover\:text-iris-dark:where(.dark,.dark *){--tw-text-opacity:1;color:rgb(196 167 231/var(--tw-text-opacity))}.group:hover .group-hover\:dark\:text-muted-dark:where(.dark,.dark *){--tw-text-opacity:1;color:rgb(110 106 134/var(--tw-text-opacity))} diff --git a/out/bundle.js b/out/bundle.js new file mode 100644 index 0000000..4602406 --- /dev/null +++ b/out/bundle.js @@ -0,0 +1 @@ +const e=window.matchMedia("(prefers-color-scheme: dark)").matches,t=()=>{document.documentElement.classList.remove("dark")},s=()=>{document.documentElement.classList.add("dark")};let o="dark"===localStorage.getItem("theme")?2:"light"===localStorage.getItem("theme")?1:0;const a=document.getElementById("theme-toggle");a.addEventListener("click",(()=>{switch(o=(o+1)%3,o){case 0:localStorage.removeItem("theme"),e?document.documentElement.classList.add("dark"):document.documentElement.classList.remove("dark"),a.innerText="theme: system";break;case 1:e?(localStorage.setItem("theme","light"),t(),a.innerText="theme: light"):(localStorage.setItem("theme","dark"),s(),a.innerText="theme: dark");break;case 2:e?(localStorage.setItem("theme","dark"),s(),a.innerText="theme: dark"):(localStorage.setItem("theme","light"),t(),a.innerText="theme: light")}}));const n=()=>{document.body.classList.remove("font-sans"),document.body.classList.remove("font-serif")},m=e=>{e&&"serif"===e&&(n(),document.body.classList.add("font-serif")),e&&"sans"===e&&(n(),document.body.classList.add("font-sans")),e||n()};let c=localStorage.getItem("font");m();const l=document.getElementById("font-toggle");l.addEventListener("click",(()=>{c=localStorage.getItem("font"),"sans"===c?(c="serif",l.innerText="serif",localStorage.setItem("font","serif")):(c="sans",l.innerText="sans",localStorage.setItem("font","sans")),m(c)})); diff --git a/robots.txt b/robots.txt new file mode 100644 index 0000000..eb05362 --- /dev/null +++ b/robots.txt @@ -0,0 +1,2 @@ +User-agent: * +Disallow: diff --git a/rss.xml b/rss.xml new file mode 100644 index 0000000..7d86d0a --- /dev/null +++ b/rss.xml @@ -0,0 +1,383 @@ + + + + conditional finality + https://blog.youwen.dev + + + Sat, 28 Dec 2024 00:00:00 UT + + Nix automatic hash updates made easy + https://blog.youwen.dev/nix-automatic-hash-updates-made-easy.html + +
+

+ Nix automatic hash updates made easy +

+

+ keep your flakes up to date +

+
2024-12-28
+
+ +
+
+

Nix users often create flakes to package software out of tree, like this Zen +Browser flake I’ve been +maintaining. Keeping them up to date is a hassle though, since you have to +update the Subresource Integrity (SRI) hashes that Nix uses to ensure +reproducibility.

+

Here’s a neat method I’ve been using to cleanly handle automatic hash updates. +I use Nushell to easily work with data, prefetch +some hashes, and put it all in a JSON file that can be read by Nix at build +time.

+

First, let’s create a file called update.nu. At the top, place this shebang:

+
#!/usr/bin/env -S nix shell nixpkgs#nushell --command nu
+

This will execute the script in a Nushell environment, which is fetched by Nix.

+

Get the up to date URLs

+

We need to obtain the latest version of whatever software we want to update. +In this case, I’ll use GitHub releases as my source of truth.

+

You can use the GitHub API to fetch metadata about all the releases of a repository.

+
https://api.github.com/repos/($repo)/releases
+

Roughly speaking, the raw JSON returned by the GitHub releases API looks something like:

+
[
+   {tag_name: "foo", prerelease: false, ...},
+   {tag_name: "bar", prerelease: true, ...},
+   {tag_name: "foobar", prerelease: false, ...},
+]
+
+

Note that the ordering of the objects in the array is chronological.

+
+

Even if you aren’t using GitHub releases, as long as there is a reliable way to +programmatically fetch the latest download URLs of whatever software you’re +packaging, you can adapt this approach for your specific case.

+
+

We use Nushell’s http get to make a network request. Nushell will +automatically detect and parse the JSON reponse into a Nushell table.

+

In my case, Zen Browser frequently publishes prerelease “twilight” builds which +we don’t want to update to. So, we ignore any releases tagged “twilight” or +marked “prerelease” by filtering them out with the where selector.

+

Finally, we retrieve the tag name of the item at the first index, which would +be the latest release (since the JSON array was chronologically sorted).

+
#!/usr/bin/env -S nix shell nixpkgs#nushell --command nu
+
+# get the latest tag of the latest release that isn't a prerelease
+def get_latest_release [repo: string] {
+  try {
+	http get $"https://api.github.com/repos/($repo)/releases"
+	  | where prerelease == false
+	  | where tag_name != "twilight"
+	  | get tag_name
+	  | get 0
+  } catch { |err| $"Failed to fetch latest release, aborting: ($err.msg)" }
+}
+

Prefetching SRI hashes

+

Now that we have the latest tags, we can easily obtain the latest download URLs, which are of the form:

+
https://github.com/zen-browser/desktop/releases/download/$tag/zen.linux-x86_64.tar.bz2
+https://github.com/zen-browser/desktop/releases/download/$tag/zen.aarch64-x86_64.tar.bz2
+

However, we still need the corresponding SRI hashes to pass to Nix.

+
src = fetchurl {
+   url = "https://github.com/zen-browser/desktop/releases/download/1.0.2-b.5/zen.linux-x86_64.tar.bz2";
+   hash = "sha256-00000000000000000000000000000000000000000000";
+};
+

The easiest way to obtain these new hashes is to update the URL and then set +the hash property to an empty string (""). Nix will spit out an hash mismatch +error with the correct hash. However, this is inconvenient for automated +command line scripting.

+

The Nix documentation mentions +nix-prefetch-url +as a way to obtain these hashes, but as usual, it doesn’t work quite right and +has also been replaced by a more powerful but underdocumented experimental +feature instead.

+

The nix store +prefetch-file +command does what nix-prefetch-url is supposed to do, but handles the caveats +that lead to the wrong hash being produced automatically.

+

Let’s write a Nushell function that outputs the SRI hash of the given URL. We +tell prefetch-file to output structured JSON that we can parse.

+

Since Nushell is a shell, we can directly invoke shell commands like usual, +and then process their output with pipes.

+
def get_nix_hash [url: string] {
+  nix store prefetch-file --hash-type sha256 --json $url | from json | get hash
+}
+

Cool! Now get_nix_hash can give us SRI hashes that look like this:

+
sha256-K3zTCLdvg/VYQNsfeohw65Ghk8FAjhOl8hXU6REO4/s=
+

Putting it all together

+

Now that we’re able to fetch the latest release, obtain the download URLs, and +compute their SRI hashes, we have all the information we need to make an +automated update. However, these URLs are typically hardcoded in our Nix +expressions. The question remains as to how to update these values.

+

A common way I’ve seen updates performed is using something like sed to +modify the Nix expressions in place. However, there’s actually a more +maintainable and easy to understand approach.

+

Let’s have our Nushell script generate the URLs and hashes and place them in a +JSON file! Then, we’ll be able to read the JSON file from Nix and obtain the +URL and hash.

+
def generate_sources [] {
+  let tag = get_latest_release "zen-browser/desktop"
+  let prev_sources = open ./sources.json
+
+  if $tag == $prev_sources.version {
+	# everything up to date
+	return $tag
+  }
+
+  # generate the download URLs with the new tag
+  let x86_64_url = $"https://github.com/zen-browser/desktop/releases/download/($tag)/zen.linux-x86_64.tar.bz2"
+  let aarch64_url = $"https://github.com/zen-browser/desktop/releases/download/($tag)/zen.linux-aarch64.tar.bz2"
+
+  # create a Nushell record that maps cleanly to JSON
+  let sources = {
+    # add a version field as well for convenience
+	version: $tag
+
+	x86_64-linux: {
+	  url:  $x86_64_url
+	  hash: (get_nix_hash $x86_64_url)
+	}
+	aarch64-linux: {
+	  url: $aarch64_url
+	  hash: (get_nix_hash $aarch64_url)
+	}
+  }
+
+  echo $sources | save --force "sources.json"
+
+  return $tag
+}
+

Running this script with

+
chmod +x ./update.nu
+./update.nu
+

gives us the file sources.json:

+
{
+  "version": "1.0.2-b.5",
+  "x86_64-linux": {
+    "url": "https://github.com/zen-browser/desktop/releases/download/1.0.2-b.5/zen.linux-x86_64.tar.bz2",
+    "hash": "sha256-K3zTCLdvg/VYQNsfeohw65Ghk8FAjhOl8hXU6REO4/s="
+  },
+  "aarch64-linux": {
+    "url": "https://github.com/zen-browser/desktop/releases/download/1.0.2-b.5/zen.linux-aarch64.tar.bz2",
+    "hash": "sha256-NwIYylGal2QoWhWKtMhMkAAJQ6iNHfQOBZaxTXgvxAk="
+  }
+}
+

Now, let’s read this from Nix. My file organization looks like the following:

+
./
+| flake.nix
+| zen-browser-unwrapped.nix
+| ...other files...
+

zen-browser-unwrapped.nix contains the derivation for Zen Browser. Let’s add +version, url, and hash to its inputs:

+
{
+  stdenv,
+  fetchurl,
+  # add these below
+  version,
+  url,
+  hash,
+  ...
+}:
+stdenv.mkDerivation {
+   # inherit version from inputs
+  inherit version;
+  pname = "zen-browser-unwrapped";
+
+  src = fetchurl {
+    # inherit the URL and hash we obtain from the inputs
+    inherit url hash;
+  };
+}
+

Then in flake.nix, let’s provide the derivation with the data from sources.json:

+
let
+   supportedSystems = [
+     "x86_64-linux"
+     "aarch64-linux"
+   ];
+   forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
+in
+{
+   # rest of file omitted for simplicity
+   packages = forAllSystems (
+     system:
+     let
+       pkgs = import nixpkgs { inherit system; };
+       # parse sources.json into a Nix attrset
+       sources = builtins.fromJSON (builtins.readFile ./sources.json);
+     in
+     rec {
+       zen-browser-unwrapped = pkgs.callPackage ./zen-browser-unwrapped.nix {
+         inherit (sources.${system}) hash url;
+         inherit (sources) version;
+
+         # if the above is difficult to understand, it is equivalent to the following:
+         hash = sources.${system}.hash;
+         url = sources.${system}.url;
+         version = sources.version;
+       };
+}
+

Now, running nix build .#zen-browser-unwrapped will be able to use the hashes +and URLs from sources.json to build the package!

+

Automating it in CI

+

We now have a script that can automatically fetch releases and generate hashes +and URLs, as well as a way for Nix to use the outputted JSON to build +derivations. All that’s left is to fully automate it using CI!

+

We are going to use GitHub actions for this, as it’s free and easy and you’re +probably already hosting on GitHub.

+

Ensure you’ve set up actions for your repo and given it sufficient permissions.

+

We’re gonna run it on a cron timer that checks for updates at 8 PM PST every day.

+

We use DeterminateSystems’ actions to help set up Nix. Then, we simply run our +update script. Since we made the script return the tag it fetched, we can store +it in a variable and then use it in our commit message.

+
name: Update to latest version, and update flake inputs
+
+on:
+  schedule:
+    - cron: "0 4 * * *"
+  workflow_dispatch:
+
+jobs:
+  update:
+    name: Update flake inputs and browser
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Check flake inputs
+        uses: DeterminateSystems/flake-checker-action@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Set up magic Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Check for update and perform update
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+          chmod +x ./update.nu
+          export ZEN_LATEST_VER="$(./update.nu)"
+
+          git add -A
+          git commit -m "github-actions: update to $ZEN_LATEST_VER" || echo "Latest version is $ZEN_LATEST_VER, no updates found"
+
+          nix flake update --commit-lock-file
+
+          git push
+

Now, our repository will automatically check for and perform updates every day!

+ +]]> + Sat, 28 Dec 2024 00:00:00 UT + https://blog.youwen.dev/nix-automatic-hash-updates-made-easy.html + Youwen Wu + + + a haskellian blog + https://blog.youwen.dev/a-haskellian-blog.html + +
+

+ a haskellian blog +

+

+ a purely functional...blog? +

+
2024-05-25
+
+ (last updated: 2024-05-25T12:00:00Z) +
+
+

Welcome! This is the first post on conditional finality and also one that tests all +of the features.

+

conditional finality

+
+

A monad is just a monoid in the category of endofunctors, what’s the problem?

+
+

haskell?

+

This entire blog is generated with hakyll. It’s +a library for generating static sites for Haskell, a purely functional +programming language. It’s a library because it doesn’t come with as many +batteries included as tools like Hugo or Astro. You set up most of the site +yourself by calling the library from Haskell.

+

Here’s a brief excerpt:

+
main :: IO ()
+main = hakyllWith config $ do
+    forM_
+        [ "CNAME"
+        , "favicon.ico"
+        , "robots.txt"
+        , "_config.yml"
+        , "images/*"
+        , "out/*"
+        , "fonts/*"
+        ]
+        $ \f -> match f $ do
+            route idRoute
+            compile copyFileCompiler
+

The code highlighting is also generated by hakyll.

+
+

why?

+

Haskell is a purely functional language with no mutable state. Its syntax +actually makes it pretty elegant for declaring routes and “rendering” pipelines.

+
    +
  1. Haskell is cool.
    2. +
  2. It comes with enough features that I don’t feel like I have to build +everything from scratch.
    3. +
  3. It comes with Pandoc, a Haskell library for converting between markdown +formats. It’s probably more powerful than anything you could do in nodejs. +It renders all of the markdown to HTML as well as the math. +
      +
    1. It supports KaTeX as well as MathML. I’m a little disappointed with the +KaTeX though. It doesn’t directly render it, but simply injects the KaTeX +files and renders it client-side.
      2. +
    4. +
+

speaking of math

+

We can have math inline, like so: +ex2dx=π\int_{-\infty}^\infty \, e^{-x^2}\,dx = \sqrt{\pi}. This site ships semantic +MathML math with its HTML, and the MathJax script to the client.

+

It’d be nice if MathML could just be used and supported across all browsers, but +unfortunately we still aren’t quite there yet. Firefox is the only one where +everything looks 80% of the way to LaTeX. On Safari and Chrome, even simple +equations like π\sqrt{\pi} render improperly.

+

Pros of MathML:

+
    +
  • A little more accessible
    • +
  • Can be rendered without additional stylesheets. I just installed the Latin +Modern font, but this isn’t even really necessary
    • +
  • Built-in to most browsers (#UseThePlatform)
    • +
+

Cons:

+
    +
  • Isn’t fully standardized. Might look different on different browsers
    • +
  • Rendering quality isn’t as good as KaTeX
    • +
+

This site has MathJax render all of the math so it looks nice and standardized +across browsers, but the math still displays regardless (like say if MathJax +couldn’t load due to slow network) because of MathML. Best of both worlds.

+

Let’s try it now. Here’s a simple theorem:

+

an+bncn{a,b,c}n3 +a^n + b^n \ne c^n \, \forall\,\left\{ a,\,b,\,c \right\} \in \mathbb{Z} \land n \ge 3 +

+

The proof is trivial and will be left as an exercise to the reader.

+

seems a little overengineered

+

Probably is. Not as much as the old one, though.

+ +]]> + Sat, 25 May 2024 00:00:00 UT + https://blog.youwen.dev/a-haskellian-blog.html + Youwen Wu + + + + diff --git a/sitemap.xml b/sitemap.xml new file mode 100644 index 0000000..c159164 --- /dev/null +++ b/sitemap.xml @@ -0,0 +1,23 @@ + + + + https://blog.youwen.dev + daily + 1.0 + + + + https://blog.youwen.dev/nix-automatic-hash-updates-made-easy.html + 2024-12-28 + weekly + 0.8 + + + + https://blog.youwen.dev/a-haskellian-blog.html + 2024-05-25T12:00:00Z + weekly + 0.8 + + +