From 24931d87649ca62787eae0dcdee4e0d95e0a45a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 14 May 2026 10:10:51 +0200 Subject: [PATCH 1/7] test a workaround for DNS issues on nixos --- nix/package.nix | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/nix/package.nix b/nix/package.nix index d6dd9a69..afc60e3a 100644 --- a/nix/package.nix +++ b/nix/package.nix @@ -90,7 +90,7 @@ in ; fetcherVersion = 2; - hash = "sha256-vDLgpFaO+48s+tj1/2m2fgNJpCfnNkFJpQkC4Xah59E="; + hash = "sha256-rAP30CyXVVEfkkg+ddEsXHuJMf4cl9vxGmjBV7GmPCE="; }; buildPhase = '' @@ -138,13 +138,19 @@ in lib.makeBinPath [ # `defguard-service` needs `ip` to manage WireGuard pkgs.iproute2 - # `defguard-service` needs `resolvconf` to manage DNS - pkgs.openresolv # `defguard-client` needs `update-desktop-database` and `lsb_release` pkgs.desktop-file-utils pkgs.lsb-release ] } + # `defguard-service` needs `resolvconf` to manage DNS. openresolv is + # added as a suffix so the system PATH is checked first - on systems + # with services.resolved enabled, NixOS puts systemd's resolvconf compat + # there, which correctly integrates with systemd-resolved. openresolv + # serves as a fallback for systems that don't use systemd-resolved. + # Same approach used to fix the identical wg-quick issue in nixpkgs: + # https://github.com/NixOS/nixpkgs/issues/139526 + --suffix PATH : ${lib.makeBinPath [pkgs.openresolv]} --prefix LD_LIBRARY_PATH : ${ lib.makeLibraryPath [ pkgs.libayatana-appindicator From 2427cdd8c139c4c3b08e2c00c58d6983060b0be3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 14 May 2026 13:00:41 +0200 Subject: [PATCH 2/7] try out a workflow to automatically update pnpm hash in nix package --- .github/workflows/update-pnpm-hash.yaml | 115 ++++++++++++++++++++++++ 1 file changed, 115 insertions(+) create mode 100644 .github/workflows/update-pnpm-hash.yaml 
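Review bot: With `--suffix PATH : ${lib.makeBinPath [pkgs.openresolv]}`, the `resolvconf` that `defguard-service` runs is whichever one the inherited PATH resolves first, so the wrapper no longer pins that binary to a store path. The new comment explains the systemd-resolved motivation but not this trust assumption. Since the service manages WireGuard and DNS (presumably with elevated privileges), I would add a line such as `# NOTE: resolvconf is resolved from the caller's PATH; the service must be started with a trusted, root-owned PATH` and confirm that the unit which launches it sets PATH explicitly. It is also worth verifying that the service's runtime PATH actually contains the systemd `resolvconf` on resolved-enabled hosts, otherwise the openresolv fallback is used silently. The wrapper invocation starts and ends outside this hunk.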
diff --git a/.github/workflows/update-pnpm-hash.yaml b/.github/workflows/update-pnpm-hash.yaml
new file mode 100644
index 00000000..b1525975
--- /dev/null
+++ b/.github/workflows/update-pnpm-hash.yaml
@@ -0,0 +1,115 @@ +name: Update pnpm deps Nix hash + +on: + pull_request: + paths: + - pnpm-lock.yaml + +concurrency: + group: pnpm-hash-${{ github.event.pull_request.number }} + cancel-in-progress: true + +permissions: + contents: write + +jobs: + update-pnpm-hash: + runs-on: + - codebuild-defguard-client-runner-${{ github.run_id }}-${{ github.run_attempt }} + + steps: + - uses: actions/checkout@v5 + with: + # Check out the exact PR head commit so the sha we pass to the API + # matches what we read from disk - avoids a race if the branch is + # updated while this job is in flight. + ref: ${{ github.event.pull_request.head.sha }} + + - uses: DeterminateSystems/nix-installer-action@v14 + + - name: Compute correct pnpm deps hash + id: hash + run: | + set -euo pipefail + + # A valid-format but always-wrong sha256 hash. + # Identical to lib.fakeHash in nixpkgs. + FAKE="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" + + # Extract the current pnpm hash. + # Pattern targets the bare `hash = "..."` key inside pnpmDeps. + # This is distinct from the cargo outputHashes entries, which use + # string keys like `"boringtun-0.6.0" = "sha256-..."`. + CURRENT=$(grep -oP '^\s+hash = "\Ksha256-[^"]+' nix/package.nix) + echo "current=${CURRENT}" >> "$GITHUB_OUTPUT" + + # Swap in the fake hash so Nix will fail and report the real one. + sed -i "s|hash = \"${CURRENT}\"|hash = \"${FAKE}\"|" nix/package.nix + + # Build only the pnpmDeps fixed-output derivation. + # Targeting .pnpmDeps in isolation avoids pulling down all Cargo + # crates unnecessarily - stdenv.mkDerivation exposes its input + # attributes on the resulting derivation, so this is valid. + SYSTEM=$(nix eval --impure --raw --expr 'builtins.currentSystem') + BUILD_LOG=$(nix build --no-link --no-write-lock-file \ + ".#packages.${SYSTEM}.default.pnpmDeps" 2>&1 || true) + + # Nix prints "got: sha256-..." in the hash mismatch error. 
+ NEW=$(printf '%s' "$BUILD_LOG" | grep -oP 'got:\s+\Ksha256-\S+') + if [ -z "$NEW" ]; then + echo "::error::Could not extract the correct hash from nix output." + echo "Full build log:" + printf '%s\n' "$BUILD_LOG" + exit 1 + fi + + echo "new=${NEW}" >> "$GITHUB_OUTPUT" + + # Write the correct hash back into the file. + sed -i "s|hash = \"${FAKE}\"|hash = \"${NEW}\"|" nix/package.nix + + # Only commit when the hash actually changed; skip if it was already correct. + - name: Commit updated hash + if: steps.hash.outputs.current != steps.hash.outputs.new + uses: actions/github-script@v7 + env: + OLD_HASH: ${{ steps.hash.outputs.current }} + NEW_HASH: ${{ steps.hash.outputs.new }} + with: + script: | + const fs = require('fs'); + const content = fs.readFileSync('nix/package.nix', 'utf8'); + const encoded = Buffer.from(content).toString('base64'); + + // Fetch the current blob SHA so createOrUpdateFileContents can + // do a safe update (will 409 if the branch moved under us). + const { data: file } = await github.rest.repos.getContent({ + owner: context.repo.owner, + repo: context.repo.repo, + path: 'nix/package.nix', + ref: context.payload.pull_request.head.sha, + }); + + // Creating the commit via the REST API means GitHub signs it + // automatically - the commit will carry the Verified badge. + await github.rest.repos.createOrUpdateFileContents({ + owner: context.repo.owner, + repo: context.repo.repo, + path: 'nix/package.nix', + message: 'chore(nix): update pnpm deps hash', + content: encoded, + sha: file.sha, + branch: context.payload.pull_request.head.ref, + committer: { + name: 'github-actions[bot]', + email: '41898282+github-actions[bot]@users.noreply.github.com', + }, + author: { + name: 'github-actions[bot]', + email: '41898282+github-actions[bot]@users.noreply.github.com', + }, + }); + + console.log( + `pnpm deps hash updated: ${process.env.OLD_HASH} -> ${process.env.NEW_HASH}` + ); From cdd75ea818b04612190bd15b11994744cf5ee4bb Mon Sep 17 00:00:00 2001 
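Review bot: The job grants `contents: write` and then evaluates and builds the pull request's own head commit, while `actions/checkout` leaves the token in the checkout's git config by default; because the commit is created through the API in the github-script step, the checkout step can set `persist-credentials: false` under `with:`. `actions/checkout@v5`, `DeterminateSystems/nix-installer-action@v14` and `actions/github-script@v7` are referenced by mutable tags in a write-scoped job, so pinning each to a full commit SHA would keep a retagged release from running with that token. The same applies to the later hunks in this series that switch to `cachix/install-nix-action@v31` and add `submodules: recursive`, the latter letting the PR's `.gitmodules` decide what else is cloned onto the runner. A comment above `permissions:` stating that the workflow is meant for branches of this repository only would also document why write access is acceptable here.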
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 14 May 2026 13:21:55 +0200 Subject: [PATCH 3/7] try to trigger the new job --- package.json | 8 +-- pnpm-lock.yaml | 135 +++++++++++++++++++------------------------------ 2 files changed, 56 insertions(+), 87 deletions(-) diff --git a/package.json b/package.json index e8b7c2d7..d4db1374 100644 --- a/package.json +++ b/package.json @@ -56,7 +56,7 @@ "@react-hook/resize-observer": "^2.0.2", "@stablelib/base64": "^2.0.1", "@stablelib/x25519": "^2.0.1", - "@tanstack/query-core": "^5.100.9", + "@tanstack/query-core": "^5.100.10", "@tanstack/react-virtual": "^3.13.24", "@tauri-apps/api": "^2.11.0", "@tauri-apps/plugin-clipboard-manager": "^2.3.2", @@ -115,12 +115,12 @@ "@biomejs/biome": "^2.4.15", "@hookform/devtools": "^4.4.0", "@svgr/cli": "^8.1.0", - "@tanstack/react-query": "^5.100.9", - "@tanstack/react-query-devtools": "^5.100.9", + "@tanstack/react-query": "^5.100.10", + "@tanstack/react-query-devtools": "^5.100.10", "@tauri-apps/cli": "^2.11.1", "@types/file-saver": "^2.0.7", "@types/lodash-es": "^4.17.12", - "@types/node": "^24.12.3", + "@types/node": "^24.12.4", "@types/react": "^19.2.14", "@types/react-dom": "^19.2.3", "@vitejs/plugin-react": "^5.2.0", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 4ff73c6a..9a4443fe 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -4,6 +4,9 @@ settings: autoInstallPeers: true excludeLinksFromLockfile: false +overrides: + mdast-util-to-hast: 13.2.1 + importers: .: @@ -24,8 +27,8 @@ importers: specifier: ^2.0.1 version: 2.0.1 '@tanstack/query-core': - specifier: ^5.100.9 - version: 5.100.9 + specifier: ^5.100.10 + version: 5.100.10 '@tanstack/react-virtual': specifier: ^3.13.24 version: 3.13.24(react-dom@19.2.6(react@19.2.6))(react@19.2.6) 
@@ -196,11 +199,11 @@ importers: specifier: ^8.1.0 version: 8.1.0(typescript@5.9.3) '@tanstack/react-query': - specifier: ^5.100.9 - version: 5.100.9(react@19.2.6) + specifier: ^5.100.10 + version: 5.100.10(react@19.2.6) '@tanstack/react-query-devtools': - specifier: ^5.100.9 - version: 5.100.9(@tanstack/react-query@5.100.9(react@19.2.6))(react@19.2.6) + specifier: ^5.100.10 + version: 5.100.10(@tanstack/react-query@5.100.10(react@19.2.6))(react@19.2.6) '@tauri-apps/cli': specifier: ^2.11.1 version: 2.11.1 @@ -211,8 +214,8 @@ importers: specifier: ^4.17.12 version: 4.17.12 '@types/node': - specifier: ^24.12.3 - version: 24.12.3 + specifier: ^24.12.4 + version: 24.12.4 '@types/react': specifier: ^19.2.14 version: 19.2.14 @@ -221,10 +224,10 @@ importers: version: 19.2.3(@types/react@19.2.14) '@vitejs/plugin-react': specifier: ^5.2.0 - version: 5.2.0(vite@7.3.3(@types/node@24.12.3)(sass@1.92.1)(yaml@2.8.4)) + version: 5.2.0(vite@7.3.3(@types/node@24.12.4)(sass@1.92.1)(yaml@2.9.0)) '@vitejs/plugin-react-swc': specifier: ^4.3.0 - version: 4.3.0(vite@7.3.3(@types/node@24.12.3)(sass@1.92.1)(yaml@2.8.4)) + version: 4.3.0(vite@7.3.3(@types/node@24.12.4)(sass@1.92.1)(yaml@2.9.0)) autoprefixer: specifier: ^10.5.0 version: 10.5.0(postcss@8.5.14) @@ -251,7 +254,7 @@ importers: version: 5.9.3 vite: specifier: ^7.3.3 - version: 7.3.3(@types/node@24.12.3)(sass@1.92.1)(yaml@2.8.4) + version: 7.3.3(@types/node@24.12.4)(sass@1.92.1)(yaml@2.9.0) packages: 
@@ -364,28 +367,24 @@ packages: engines: {node: '>=14.21.3'} cpu: [arm64] os: [linux] - libc: [musl] '@biomejs/cli-linux-arm64@2.4.15': resolution: {integrity: sha512-owaAMZD/T4LrD0ELNCk0Km3qrRHuM0X6EAyVE1FSqGY0rbLoiDLrO4Us2tllm6cAeB2Ioa9C2C08NZPdr8+0Ug==} engines: {node: '>=14.21.3'} cpu: [arm64] os: [linux] - libc: [glibc] '@biomejs/cli-linux-x64-musl@2.4.15': resolution: {integrity: sha512-CNq/9W38SYSH023lfcQ4KKU8K0YX8T//FZUhcgtMMRABDojx5XsMV7jlweAvGSl389wJQB29Qo6Zb/a+jdvt+w==} engines: {node: '>=14.21.3'} cpu: [x64] os: [linux] - libc: [musl] '@biomejs/cli-linux-x64@2.4.15': resolution: {integrity: sha512-0jj7THz12GbUOLmMibktK6DZjqz2zV64KFxyBtcFTKPiiOIY0a7vns1elpO1dERvxpsZ5ik0oFfz0oGwFde1+g==} engines: {node: '>=14.21.3'} cpu: [x64] os: [linux] - libc: [glibc] '@biomejs/cli-win32-arm64@2.4.15': resolution: {integrity: sha512-ouhkYdlhp/1GghEJPdWwD/Vi3gQ1nFxuSpMolWsbq3Lsq3QUR4jl6UdhhscdCugKU5vOEuMiJhvKj66O0OCq+w==} 
@@ -689,42 +688,36 @@ packages: engines: {node: '>= 10.0.0'} cpu: [arm] os: [linux] - libc: [glibc] '@parcel/watcher-linux-arm-musl@2.5.6': resolution: {integrity: sha512-Ve3gUCG57nuUUSyjBq/MAM0CzArtuIOxsBdQ+ftz6ho8n7s1i9E1Nmk/xmP323r2YL0SONs1EuwqBp2u1k5fxg==} engines: {node: '>= 10.0.0'} cpu: [arm] os: [linux] - libc: [musl] '@parcel/watcher-linux-arm64-glibc@2.5.6': resolution: {integrity: sha512-f2g/DT3NhGPdBmMWYoxixqYr3v/UXcmLOYy16Bx0TM20Tchduwr4EaCbmxh1321TABqPGDpS8D/ggOTaljijOA==} engines: {node: '>= 10.0.0'} cpu: [arm64] os: [linux] - libc: [glibc] '@parcel/watcher-linux-arm64-musl@2.5.6': resolution: {integrity: sha512-qb6naMDGlbCwdhLj6hgoVKJl2odL34z2sqkC7Z6kzir8b5W65WYDpLB6R06KabvZdgoHI/zxke4b3zR0wAbDTA==} engines: {node: '>= 10.0.0'} cpu: [arm64] os: [linux] - libc: [musl] '@parcel/watcher-linux-x64-glibc@2.5.6': resolution: {integrity: sha512-kbT5wvNQlx7NaGjzPFu8nVIW1rWqV780O7ZtkjuWaPUgpv2NMFpjYERVi0UYj1msZNyCzGlaCWEtzc+exjMGbQ==} engines: {node: '>= 10.0.0'} cpu: [x64] os: [linux] - libc: [glibc] '@parcel/watcher-linux-x64-musl@2.5.6': resolution: {integrity: sha512-1JRFeC+h7RdXwldHzTsmdtYR/Ku8SylLgTU/reMuqdVD7CtLwf0VR1FqeprZ0eHQkO0vqsbvFLXUmYm/uNKJBg==} engines: {node: '>= 10.0.0'} cpu: [x64] os: [linux] - libc: [musl] '@parcel/watcher-win32-arm64@2.5.6': resolution: {integrity: sha512-3ukyebjc6eGlw9yRt678DxVF7rjXatWiHvTXqphZLvo7aC5NdEgFufVwjFfY51ijYEWpXbqF5jtrK275z52D4Q==} 
@@ -818,79 +811,66 @@ packages: resolution: {integrity: sha512-DV6fJoxEYWJOvaZIsok7KrYl0tPvga5OZ2yvKHNNYyk/2roMLqQAbGhr78EQ5YhHpnhLKJD3S1WFusAkmUuV5g==} cpu: [arm] os: [linux] - libc: [glibc] '@rollup/rollup-linux-arm-musleabihf@4.60.3': resolution: {integrity: sha512-mQKoJAzvuOs6F+TZybQO4GOTSMUu7v0WdxEk24krQ/uUxXoPTtHjuaUuPmFhtBcM4K0ons8nrE3JyhTuCFtT/w==} cpu: [arm] os: [linux] - libc: [musl] '@rollup/rollup-linux-arm64-gnu@4.60.3': resolution: {integrity: sha512-Whjj2qoiJ6+OOJMGptTYazaJvjOJm+iKHpXQM1P3LzGjt7Ff++Tp7nH4N8J/BUA7R9IHfDyx4DJIflifwnbmIA==} cpu: [arm64] os: [linux] - libc: [glibc] '@rollup/rollup-linux-arm64-musl@4.60.3': resolution: {integrity: sha512-4YTNHKqGng5+yiZt3mg77nmyuCfmNfX4fPmyUapBcIk+BdwSwmCWGXOUxhXbBEkFHtoN5boLj/5NON+u5QC9tg==} cpu: [arm64] os: [linux] - libc: [musl] '@rollup/rollup-linux-loong64-gnu@4.60.3': resolution: {integrity: sha512-SU3kNlhkpI4UqlUc2VXPGK9o886ZsSeGfMAX2ba2b8DKmMXq4AL7KUrkSWVbb7koVqx41Yczx6dx5PNargIrEA==} cpu: [loong64] os: [linux] - libc: [glibc] '@rollup/rollup-linux-loong64-musl@4.60.3': resolution: {integrity: sha512-6lDLl5h4TXpB1mTf2rQWnAk/LcXrx9vBfu/DT5TIPhvMhRWaZ5MxkIc8u4lJAmBo6klTe1ywXIUHFjylW505sg==} cpu: [loong64] os: [linux] - libc: [musl] '@rollup/rollup-linux-ppc64-gnu@4.60.3': resolution: {integrity: sha512-BMo8bOw8evlup/8G+cj5xWtPyp93xPdyoSN16Zy90Q2QZ0ZYRhCt6ZJSwbrRzG9HApFabjwj2p25TUPDWrhzqQ==} cpu: [ppc64] os: [linux] - libc: [glibc] '@rollup/rollup-linux-ppc64-musl@4.60.3': resolution: {integrity: sha512-E0L8X1dZN1/Rph+5VPF6Xj2G7JJvMACVXtamTJIDrVI44Y3K+G8gQaMEAavbqCGTa16InptiVrX6eM6pmJ+7qA==} cpu: [ppc64] os: [linux] - libc: [musl] '@rollup/rollup-linux-riscv64-gnu@4.60.3': resolution: {integrity: sha512-oZJ/WHaVfHUiRAtmTAeo3DcevNsVvH8mbvodjZy7D5QKvCefO371SiKRpxoDcCxB3PTRTLayWBkvmDQKTcX/sw==} cpu: [riscv64] os: [linux] - libc: [glibc] '@rollup/rollup-linux-riscv64-musl@4.60.3': resolution: {integrity: sha512-Dhbyh7j9FybM3YaTgaHmVALwA8AkUwTPccyCQ79TG9AJUsMQqgN1DDEZNr4+QUfwiWvLDumW5vdwzoeUF+TNxQ==} cpu: 
[riscv64] os: [linux] - libc: [musl] '@rollup/rollup-linux-s390x-gnu@4.60.3': resolution: {integrity: sha512-cJd1X5XhHHlltkaypz1UcWLA8AcoIi1aWhsvaWDskD1oz2eKCypnqvTQ8ykMNI0RSmm7NkTdSqSSD7zM0xa6Ig==} cpu: [s390x] os: [linux] - libc: [glibc] '@rollup/rollup-linux-x64-gnu@4.60.3': resolution: {integrity: sha512-DAZDBHQfG2oQuhY7mc6I3/qB4LU2fQCjRvxbDwd/Jdvb9fypP4IJ4qmtu6lNjes6B531AI8cg1aKC2di97bUxA==} cpu: [x64] os: [linux] - libc: [glibc] '@rollup/rollup-linux-x64-musl@4.60.3': resolution: {integrity: sha512-cRxsE8c13mZOh3vP+wLDxpQBRrOHDIGOWyDL93Sy0Ga8y515fBcC2pjUfFwUe5T7tqvTvWbCpg1URM/AXdWIXA==} cpu: [x64] os: [linux] - libc: [musl] '@rollup/rollup-openbsd-x64@4.60.3': resolution: {integrity: sha512-QaWcIgRxqEdQdhJqW4DJctsH6HCmo5vHxY0krHSX4jMtOqfzC+dqDGuHM87bu4H8JBeibWx7jFz+h6/4C8wA5Q==} 
@@ -1075,42 +1055,36 @@ packages: engines: {node: '>=10'} cpu: [arm64] os: [linux] - libc: [glibc] '@swc/core-linux-arm64-musl@1.15.33': resolution: {integrity: sha512-il7tYM+CpUNzieQbwAjFT1P8zqAhmGWNAGhQZBnxurXZ0aNn+5nqYFTEUKNZl7QibtT0uQXzTZrNGHCIj6Y1Og==} engines: {node: '>=10'} cpu: [arm64] os: [linux] - libc: [musl] '@swc/core-linux-ppc64-gnu@1.15.33': resolution: {integrity: sha512-ZtNBwN0Z7CFj9Il0FcPaKdjgP7URyKu/3RfH46vq+0paOBqLj4NYldD6Qo//Duif/7IOtAraUfDOmp0PLAufog==} engines: {node: '>=10'} cpu: [ppc64] os: [linux] - libc: [glibc] '@swc/core-linux-s390x-gnu@1.15.33': resolution: {integrity: sha512-De1IyajoOmhOYYjw/lx66bKlyDpHZTueqwpDrWgf5O7T6d1ODeJJO9/OqMBmrBQc5C+dNnlmIufHsp4QVCWufA==} engines: {node: '>=10'} cpu: [s390x] os: [linux] - libc: [glibc] '@swc/core-linux-x64-gnu@1.15.33': resolution: {integrity: sha512-mGTH0YxmUN+x6vRN/I6NOk5X0ogNktkwPnJ94IMvR7QjhRDwL0O8RXEDhyUM0YtwWrryBOqaJQBX4zruxEPRGw==} engines: {node: '>=10'} cpu: [x64] os: [linux] - libc: [glibc] '@swc/core-linux-x64-musl@1.15.33': resolution: {integrity: sha512-hj628ZkSEJf6zMf5VMbYrG2O6QqyTIp2qwY6VlCjvIa9lAEZ5c2lfPblCLVGYubTeLJDxadLB/CxqQYOQABeEQ==} engines: {node: '>=10'} cpu: [x64] os: [linux] - libc: [musl] '@swc/core-win32-arm64-msvc@1.15.33': resolution: {integrity: sha512-GV2oohtN2/5+KSccl86VULu3aT+LrISC8uzgSq0FRnikpD+Zwc+sBlXmoKQ+Db6jI57ITUOIB8jRkdGMABC29g==} 
@@ -1145,20 +1119,20 @@ packages: '@swc/types@0.1.26': resolution: {integrity: sha512-lyMwd7WGgG79RS7EERZV3T8wMdmPq3xwyg+1nmAM64kIhx5yl+juO2PYIHb7vTiPgPCj8LYjsNV2T5wiQHUEaw==} - '@tanstack/query-core@5.100.9': - resolution: {integrity: sha512-SJSFw1S8+kQ0+knv/XGfrbocWoAlT7vDKsSImtLx3ZPQmEcR46hkDjLSvynSy25N8Ms4tIEini1FuBd5k7IscQ==} + '@tanstack/query-core@5.100.10': + resolution: {integrity: sha512-8UR0yJR+GiQ40m3lPhUr0xbfAupe6GSQiksSBSa9SM2NjezFyxXCIA69/lz8cSoNKZLrw1/PktIyQBJcVeMi3w==} - '@tanstack/query-devtools@5.100.9': - resolution: {integrity: sha512-gqiptrTIhbK2PuCaPRHmWXfJG1NGYVFpAr0HqogEqiSBNB5xDz6fmesQt7w4WgMOqOQPnPHJ3ZDMuhDaXvNO8g==} + '@tanstack/query-devtools@5.100.10': + resolution: {integrity: sha512-3DmJf25hDPus5IpVvp6ujXv6bKV2zPzI9vpbAmpJigsL/H6DPvPjmf7/Q9yVKEke//8fgeQ45abjgnLuyYxAiw==} - '@tanstack/react-query-devtools@5.100.9': - resolution: {integrity: sha512-mM3slaVGXJmz+pOLgXdANj75ikgQCyudyl3kmFvm6brI1JyVeY/+IeD17uDHIvZrD8hfoO2sdZ54RFsHdYAuhA==} + '@tanstack/react-query-devtools@5.100.10': + resolution: {integrity: sha512-zes0+o9ef5rAZXJ9f/SeaLs2nufJaeVkZkl/Or9NGrWVF41kL9Od9ED9nCwtQlgiF2VGtrzhEw5AU/igAO+aAg==} peerDependencies: - '@tanstack/react-query': ^5.100.9 + '@tanstack/react-query': ^5.100.10 react: ^18 || ^19 - '@tanstack/react-query@5.100.9': - resolution: {integrity: sha512-Oa44XkaI3kCNN6ME0KByU3xT3SEUNOMfZpHxL6+wFoTm+OeUFYHKdeYVe0aOXlRDm/f15sgLwEt2HDorIdW8+A==} + '@tanstack/react-query@5.100.10': + resolution: {integrity: sha512-FLaZf2RCrA/Zgp4aiu5tG3TyasTRO7aZ99skxQpr3Hg/zXOhu6yq5FZCYQ/tRaJtM9ylnoK8tFK7PolXQadv6Q==} peerDependencies: react: ^18 || ^19 
@@ -1197,35 +1171,30 @@ packages: engines: {node: '>= 10'} cpu: [arm64] os: [linux] - libc: [glibc] '@tauri-apps/cli-linux-arm64-musl@2.11.1': resolution: {integrity: sha512-mNA5dbbqPqDUdTIwdUYYuhO2GvIe9UnB2r0VU2njxBOS3Opbx4gKNC5yP0Iu4rYmEmqdlwry9VzGZQ3wq9dyFg==} engines: {node: '>= 10'} cpu: [arm64] os: [linux] - libc: [musl] '@tauri-apps/cli-linux-riscv64-gnu@2.11.1': resolution: {integrity: sha512-fZj3Gwq+6fUs305T5WQiD5iSGJw+j/4w/HGmk4sHDAcy+rp9zU5eaxB7nOyz5/I/nkNAuKPqfp6uIbiUBXkBCw==} engines: {node: '>= 10'} cpu: [riscv64] os: [linux] - libc: [glibc] '@tauri-apps/cli-linux-x64-gnu@2.11.1': resolution: {integrity: sha512-XFxGxOvHM7jjeD6ozCKdGfhzJ7lERYDGZl1/Kb4fsvchaJsfLJ981TlyTG8Qy/gFq+f5GitH3bfrX9JAkjPEyw==} engines: {node: '>= 10'} cpu: [x64] os: [linux] - libc: [glibc] '@tauri-apps/cli-linux-x64-musl@2.11.1': resolution: {integrity: sha512-d5C2/Zm+68v7R9wTuTCjRQEVrWjcdMkJBZ1+rXse+QdMMlTB9+u9PDNDLw9PQflWxYLaYZ7tjxxL9Nb9II6PbA==} engines: {node: '>= 10'} cpu: [x64] os: [linux] - libc: [musl] '@tauri-apps/cli-win32-arm64-msvc@2.11.1': resolution: {integrity: sha512-YdeVWFAR1pTXzUU6NLstPq4G6OLxuDrXCXEBdmBH+5EZIDXUx0D2kJlz3+YjpazkKvAzYpgziTsyRagls0OfRQ==} @@ -1355,8 +1324,8 @@ packages: '@types/ms@2.1.0': resolution: {integrity: sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA==} - '@types/node@24.12.3': - resolution: {integrity: sha512-8oljBDGun9cIsZRJR6fkihn0TSXJI0UDOOhncYaERq6M0JMDoPLxyscwruJcb4GKS6dvK/d8xebYBg27h/duaQ==} + '@types/node@24.12.4': + resolution: {integrity: sha512-GUUEShf+PBCGW2KaXwcIt3Yk+e3pkKwWKb9GSyM9WQVE+ep2jzmHdGsHzu4wgcZy5fN9FBdVzjpBQsYlpfpgLA==} '@types/parse-json@4.0.2': resolution: {integrity: sha512-dISoDXWWQwUquiKsyZ4Ng+HX2KsPL7LyHKHQwgGFEA3IaKac4Obd+h2a/a6waisAoepJlBcx9paWqjA8/HVjCw==} 
@@ -1749,8 +1718,8 @@ packages: resolution: {integrity: sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==} engines: {node: '>= 0.4'} - electron-to-chromium@1.5.353: - resolution: {integrity: sha512-kOrWphBi8TOZyiJZqsgqIle0lw+tzmnQK83pV9dZUd01Nm2POECSyFQMAuarzZdYqQW7FH9RaYOuaRo3h+bQ3w==} + electron-to-chromium@1.5.355: + resolution: {integrity: sha512-LUPZhKzZPYSPme1jEYohpkA+ybYCJztr1quAdBd7E7h3+VOBVcKkwwtBJu41nrjawrRzfb8mtMfzWozoaK0ZIQ==} emoji-regex@8.0.0: resolution: {integrity: sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==} @@ -2373,8 +2342,8 @@ packages: node-addon-api@7.1.1: resolution: {integrity: sha512-5m3bsyrjFWE1xf7nz7YXdN4udnVtXK6/Yfgn5qnahL6bCkf2yKt4k3nuTKAtT4r3IG8JNR2ncsIMdZuAzJjHQQ==} - node-releases@2.0.38: - resolution: {integrity: sha512-3qT/88Y3FbH/Kx4szpQQ4HzUbVrHPKTLVpVocKiLfoYvw9XSGOX2FmD2d6DrXbVYyAQTF2HeF6My8jmzx7/CRw==} + node-releases@2.0.44: + resolution: {integrity: sha512-5WUyunoPMsvvEhS8AxHtRzP+oA8UCkJ7YRxatWKjngndhDGLiqEVAQKWjFAiAiuL8zMRGzGSJxFnLetoa43qGQ==} normalize-package-data@2.5.0: resolution: {integrity: sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==} @@ -3024,8 +2993,8 @@ packages: resolution: {integrity: sha512-vIYeF1u3CjlhAFekPPAk2h/Kv4T3mAkMox5OymRiJQB0spDP10LHvt+K7G9Ny6NuuMAb25/6n1qyUjAcGNf/AA==} engines: {node: '>= 6'} - yaml@2.8.4: - resolution: {integrity: sha512-ml/JPOj9fOQK8RNnWojA67GbZ0ApXAUlN2UQclwv2eVgTgn7O9gg9o7paZWKMp4g0H3nTLtS9LVzhkpOFIKzog==} + yaml@2.9.0: + resolution: {integrity: sha512-2AvhNX3mb8zd6Zy7INTtSpl1F15HW6Wnqj0srWlkKLcpYl/gMIMJiyuGq2KeI2YFxUPjdlB+3Lc10seMLtL4cA==} engines: {node: '>= 14.6'} hasBin: true 
@@ -3825,19 +3794,19 @@ snapshots: dependencies: '@swc/counter': 0.1.3 - '@tanstack/query-core@5.100.9': {} + '@tanstack/query-core@5.100.10': {} - '@tanstack/query-devtools@5.100.9': {} + '@tanstack/query-devtools@5.100.10': {} - '@tanstack/react-query-devtools@5.100.9(@tanstack/react-query@5.100.9(react@19.2.6))(react@19.2.6)': + '@tanstack/react-query-devtools@5.100.10(@tanstack/react-query@5.100.10(react@19.2.6))(react@19.2.6)': dependencies: - '@tanstack/query-devtools': 5.100.9 - '@tanstack/react-query': 5.100.9(react@19.2.6) + '@tanstack/query-devtools': 5.100.10 + '@tanstack/react-query': 5.100.10(react@19.2.6) react: 19.2.6 - '@tanstack/react-query@5.100.9(react@19.2.6)': + '@tanstack/react-query@5.100.10(react@19.2.6)': dependencies: - '@tanstack/query-core': 5.100.9 + '@tanstack/query-core': 5.100.10 react: 19.2.6 '@tanstack/react-virtual@3.13.24(react-dom@19.2.6(react@19.2.6))(react@19.2.6)': @@ -4018,7 +3987,7 @@ snapshots: '@types/ms@2.1.0': {} - '@types/node@24.12.3': + '@types/node@24.12.4': dependencies: undici-types: 7.16.0 @@ -4047,15 +4016,15 @@ snapshots: '@use-gesture/core': 10.3.1 react: 19.2.6 - '@vitejs/plugin-react-swc@4.3.0(vite@7.3.3(@types/node@24.12.3)(sass@1.92.1)(yaml@2.8.4))': + '@vitejs/plugin-react-swc@4.3.0(vite@7.3.3(@types/node@24.12.4)(sass@1.92.1)(yaml@2.9.0))': dependencies: '@rolldown/pluginutils': 1.0.0-rc.7 '@swc/core': 1.15.33 - vite: 7.3.3(@types/node@24.12.3)(sass@1.92.1)(yaml@2.8.4) + vite: 7.3.3(@types/node@24.12.4)(sass@1.92.1)(yaml@2.9.0) transitivePeerDependencies: - '@swc/helpers' - '@vitejs/plugin-react@5.2.0(vite@7.3.3(@types/node@24.12.3)(sass@1.92.1)(yaml@2.8.4))': + '@vitejs/plugin-react@5.2.0(vite@7.3.3(@types/node@24.12.4)(sass@1.92.1)(yaml@2.9.0))': dependencies: '@babel/core': 7.29.0 '@babel/plugin-transform-react-jsx-self': 7.27.1(@babel/core@7.29.0) 
@@ -4063,7 +4032,7 @@ snapshots: '@rolldown/pluginutils': 1.0.0-rc.3 '@types/babel__core': 7.20.5 react-refresh: 0.18.0 - vite: 7.3.3(@types/node@24.12.3)(sass@1.92.1)(yaml@2.8.4) + vite: 7.3.3(@types/node@24.12.4)(sass@1.92.1)(yaml@2.9.0) transitivePeerDependencies: - supports-color @@ -4142,8 +4111,8 @@ snapshots: dependencies: baseline-browser-mapping: 2.10.29 caniuse-lite: 1.0.30001792 - electron-to-chromium: 1.5.353 - node-releases: 2.0.38 + electron-to-chromium: 1.5.355 + node-releases: 2.0.44 update-browserslist-db: 1.2.3(browserslist@4.28.2) byte-size@9.0.1: {} @@ -4409,7 +4378,7 @@ snapshots: es-errors: 1.3.0 gopd: 1.2.0 - electron-to-chromium@1.5.353: {} + electron-to-chromium@1.5.355: {} emoji-regex@8.0.0: {} @@ -5221,7 +5190,7 @@ snapshots: node-addon-api@7.1.1: optional: true - node-releases@2.0.38: {} + node-releases@2.0.44: {} normalize-package-data@2.5.0: dependencies: @@ -5817,7 +5786,7 @@ snapshots: markdown-it: 14.1.1 minimatch: 10.2.5 typescript: 5.9.3 - yaml: 2.8.4 + yaml: 2.9.0 typesafe-i18n@5.27.1(typescript@5.9.3): dependencies: @@ -5924,7 +5893,7 @@ snapshots: d3-time: 3.1.0 d3-timer: 3.0.1 - vite@7.3.3(@types/node@24.12.3)(sass@1.92.1)(yaml@2.8.4): + vite@7.3.3(@types/node@24.12.4)(sass@1.92.1)(yaml@2.9.0): dependencies: esbuild: 0.27.7 fdir: 6.5.0(picomatch@4.0.4) @@ -5933,10 +5902,10 @@ snapshots: rollup: 4.60.3 tinyglobby: 0.2.16 optionalDependencies: - '@types/node': 24.12.3 + '@types/node': 24.12.4 fsevents: 2.3.3 sass: 1.92.1 - yaml: 2.8.4 + yaml: 2.9.0 which-boxed-primitive@1.1.1: dependencies: @@ -5997,7 +5966,7 @@ snapshots: yaml@1.10.3: {} - yaml@2.8.4: {} + yaml@2.9.0: {} yargs-parser@21.1.1: {} From a5f750721e3d1e27648244db16ab03ab0ffce4af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 14 May 2026 15:02:06 +0200 Subject: [PATCH 4/7] try out a different nix setup action --- .github/workflows/update-pnpm-hash.yaml | 27 ++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) 
diff --git a/.github/workflows/update-pnpm-hash.yaml b/.github/workflows/update-pnpm-hash.yaml
index b1525975..2aab14d4 100644
--- a/.github/workflows/update-pnpm-hash.yaml
+++ b/.github/workflows/update-pnpm-hash.yaml
@@ -25,37 +25,45 @@ jobs: # updated while this job is in flight. ref: ${{ github.event.pull_request.head.sha }} - - uses: DeterminateSystems/nix-installer-action@v14 + - uses: cachix/install-nix-action@v31 + with: + install_options: --no-daemon + extra_nix_config: | + experimental-features = nix-command flakes - name: Compute correct pnpm deps hash id: hash run: | set -euo pipefail + echo "=== starting hash computation ===" + echo "nix: $(which nix 2>/dev/null || echo 'NOT IN PATH')" + echo "nix version: $(nix --version 2>/dev/null || echo 'unavailable')" + # A valid-format but always-wrong sha256 hash. # Identical to lib.fakeHash in nixpkgs. FAKE="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" # Extract the current pnpm hash. - # Pattern targets the bare `hash = "..."` key inside pnpmDeps. - # This is distinct from the cargo outputHashes entries, which use - # string keys like `"boringtun-0.6.0" = "sha256-..."`. - CURRENT=$(grep -oP '^\s+hash = "\Ksha256-[^"]+' nix/package.nix) + CURRENT=$(sed -n 's/^[[:space:]]*hash = "\(sha256-[^"]*\)".*/\1/p' nix/package.nix | head -1) + if [ -z "$CURRENT" ]; then + echo "::error::Could not extract current hash from nix/package.nix" + exit 1 + fi + echo "current hash: ${CURRENT}" echo "current=${CURRENT}" >> "$GITHUB_OUTPUT" # Swap in the fake hash so Nix will fail and report the real one. sed -i "s|hash = \"${CURRENT}\"|hash = \"${FAKE}\"|" nix/package.nix # Build only the pnpmDeps fixed-output derivation. - # Targeting .pnpmDeps in isolation avoids pulling down all Cargo - # crates unnecessarily - stdenv.mkDerivation exposes its input - # attributes on the resulting derivation, so this is valid. SYSTEM=$(nix eval --impure --raw --expr 'builtins.currentSystem') + echo "building pnpmDeps for ${SYSTEM}..." BUILD_LOG=$(nix build --no-link --no-write-lock-file \ ".#packages.${SYSTEM}.default.pnpmDeps" 2>&1 || true) # Nix prints "got: sha256-..." in the hash mismatch error. 
- NEW=$(printf '%s' "$BUILD_LOG" | grep -oP 'got:\s+\Ksha256-\S+') + NEW=$(printf '%s' "$BUILD_LOG" | sed -n 's/.*got:[[:space:]]*\(sha256-[^[:space:]]*\).*/\1/p' | head -1) if [ -z "$NEW" ]; then echo "::error::Could not extract the correct hash from nix output." echo "Full build log:" @@ -63,6 +71,7 @@ jobs: exit 1 fi + echo "new hash: ${NEW}" echo "new=${NEW}" >> "$GITHUB_OUTPUT" # Write the correct hash back into the file. From b5079c4b6ef611384c018cc888810a81c94bc9a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 14 May 2026 15:57:02 +0200 Subject: [PATCH 5/7] checkout submodules --- .github/workflows/update-pnpm-hash.yaml | 48 ++++++++++++------------- 1 file changed, 22 insertions(+), 26 deletions(-) diff --git a/.github/workflows/update-pnpm-hash.yaml b/.github/workflows/update-pnpm-hash.yaml index 2aab14d4..00eeb9cd 100644 --- a/.github/workflows/update-pnpm-hash.yaml +++ b/.github/workflows/update-pnpm-hash.yaml @@ -24,6 +24,7 @@ jobs: # matches what we read from disk - avoids a race if the branch is # updated while this job is in flight. ref: ${{ github.event.pull_request.head.sha }} + submodules: recursive - uses: cachix/install-nix-action@v31 with: 
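Review bot: The `NEW` extraction accepts any run of non-space characters after `sha256-`, and that value is then spliced into the `sed` replacement (where `|` and `&` are special) and committed to the branch. The build log captures everything `nix build` prints, which I assume can include output from the PR's own derivation, so I would check the shape before using it, e.g. `printf '%s' "$NEW" | grep -Eq '^sha256-[A-Za-z0-9+/]{43}=$' || { echo "::error::unexpected hash format"; exit 1; }` right after the empty check. The comment explaining that the bare `hash = "..."` key belongs to pnpmDeps was removed in this hunk while `head -1` now silently picks the first match; a one-line comment such as `# first bare hash = "..." in the file is assumed to be pnpmDeps.hash` would keep that assumption visible. The `run:` block continues past the end of this hunk.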
@@ -88,34 +89,29 @@ jobs: script: | const fs = require('fs'); const content = fs.readFileSync('nix/package.nix', 'utf8'); + // GraphQL createCommitOnBranch requires base64-encoded file contents. const encoded = Buffer.from(content).toString('base64'); - // Fetch the current blob SHA so createOrUpdateFileContents can - // do a safe update (will 409 if the branch moved under us). - const { data: file } = await github.rest.repos.getContent({ - owner: context.repo.owner, - repo: context.repo.repo, - path: 'nix/package.nix', - ref: context.payload.pull_request.head.sha, - }); - - // Creating the commit via the REST API means GitHub signs it - // automatically - the commit will carry the Verified badge. - await github.rest.repos.createOrUpdateFileContents({ - owner: context.repo.owner, - repo: context.repo.repo, - path: 'nix/package.nix', - message: 'chore(nix): update pnpm deps hash', - content: encoded, - sha: file.sha, - branch: context.payload.pull_request.head.ref, - committer: { - name: 'github-actions[bot]', - email: '41898282+github-actions[bot]@users.noreply.github.com', - }, - author: { - name: 'github-actions[bot]', - email: '41898282+github-actions[bot]@users.noreply.github.com', + // The GraphQL createCommitOnBranch mutation creates commits that + // GitHub signs automatically - producing a Verified badge. + await github.graphql(` + mutation CreateCommit($input: CreateCommitOnBranchInput!) { + createCommitOnBranch(input: $input) { + commit { url } + } + } + `, { + input: { + branch: { + repositoryNameWithOwner: `${context.repo.owner}/${context.repo.repo}`, + branchName: context.payload.pull_request.head.ref, + }, + message: { headline: 'chore(nix): update pnpm deps hash' }, + fileChanges: { + additions: [{ path: 'nix/package.nix', contents: encoded }], + }, + // Safety check - fails if the branch moved under us. + expectedHeadOid: context.payload.pull_request.head.sha, }, }); From de612082d47b436899fccfbf7b65da4a5a66d84e Mon Sep 17 00:00:00 2001 
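Review bot: `repositoryNameWithOwner` is built from `context.repo` (the base repository) while `branchName` comes from `context.payload.pull_request.head.ref`, so for a pull request opened from a fork the mutation addresses a same-named branch in the base repository rather than the PR branch. `expectedHeadOid` should make that attempt fail unless the tips happen to match, but the intent is clearer and safer if the script stops early when `context.payload.pull_request.head.repo.full_name` differs from the base repository name, with a `core.setFailed(...)` message saying fork PRs are not supported. The comment on `expectedHeadOid` could also say that a failure here means the job must be re-run against the new head. The step's `if:` condition and `env:` sit outside this hunk.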
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 14 May 2026 14:42:57 +0000 Subject: [PATCH 6/7] chore(nix): update pnpm deps hash --- nix/package.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nix/package.nix b/nix/package.nix index afc60e3a..e248d8c6 100644 --- a/nix/package.nix +++ b/nix/package.nix @@ -90,7 +90,7 @@ in ; fetcherVersion = 2; - hash = "sha256-rAP30CyXVVEfkkg+ddEsXHuJMf4cl9vxGmjBV7GmPCE="; + hash = "sha256-XXsR+zc4HsHByzzd2oHyAOrrpH9t2juUcAIoimlukbc="; }; buildPhase = '' From e7f1b18a8ef41e7392ec01a39489b5746b444642 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Fri, 15 May 2026 08:43:16 +0200 Subject: [PATCH 7/7] cleanup --- .github/workflows/update-pnpm-hash.yaml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/.github/workflows/update-pnpm-hash.yaml b/.github/workflows/update-pnpm-hash.yaml index 00eeb9cd..68a265c9 100644 --- a/.github/workflows/update-pnpm-hash.yaml +++ b/.github/workflows/update-pnpm-hash.yaml @@ -18,7 +18,7 @@ jobs: - codebuild-defguard-client-runner-${{ github.run_id }}-${{ github.run_attempt }} steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 with: # Check out the exact PR head commit so the sha we pass to the API # matches what we read from disk - avoids a race if the branch is @@ -37,8 +37,6 @@ jobs: run: | set -euo pipefail - echo "=== starting hash computation ===" - echo "nix: $(which nix 2>/dev/null || echo 'NOT IN PATH')" echo "nix version: $(nix --version 2>/dev/null || echo 'unavailable')" # A valid-format but always-wrong sha256 hash. @@ -114,7 +112,3 @@ jobs: expectedHeadOid: context.payload.pull_request.head.sha, }, }); - - console.log( - `pnpm deps hash updated: ${process.env.OLD_HASH} -> ${process.env.NEW_HASH}` - );