buildGoModule: add vendorHash

the _unset hack is kind of ugly, but it needs to default to something
and it can't be null, because that already has special meaning

1 files changed, 30 insertions, 10 deletions

diff --git a/pkgs/development/go-modules/generic/default.nix b/pkgs/development/go-modules/generic/default.nix
index b6af52d0efb..0ca16f80b41 100644
--- a/pkgs/development/go-modules/generic/default.nix
+++ b/pkgs/development/go-modules/generic/default.nix
@@ -19,17 +19,20 @@
 # path to go.mod and go.sum directory
 , modRoot ? "./"
 
-# vendorSha256 is the sha256 of the vendored dependencies
+# vendorHash is the SRI hash of the vendored dependencies
 #
-# if vendorSha256 is null, then we won't fetch any dependencies and
+# if vendorHash is null, then we won't fetch any dependencies and
 # rely on the vendor folder within the source.
-, vendorSha256
+, vendorHash ? "_unset"
+# same as vendorHash, but outputHashAlgo is hardcoded to sha256
+# so regular base32 sha256 hashes work
+, vendorSha256 ? "_unset"
 # Whether to delete the vendor folder supplied with the source.
 , deleteVendor ? false
 # Whether to fetch (go mod download) and proxy the vendor directory.
 # This is useful if your code depends on c code and go mod tidy does not
 # include the needed sources to build or if any dependency has case-insensitive
-# conflicts which will produce platform dependant `vendorSha256` checksums.
+# conflicts which will produce platform dependant `vendorHash` checksums.
 , proxyVendor ? false
 
 # We want parallel builds by default
@@ -55,11 +58,23 @@
 with builtins;
 
 assert goPackagePath != "" -> throw "`goPackagePath` is not needed with `buildGoModule`";
+assert (vendorSha256 == "_unset" && vendorHash == "_unset") -> throw "either `vendorHash` or `vendorSha256` is required";
+assert (vendorSha256 != "_unset" && vendorHash != "_unset") -> throw "both `vendorHash` and `vendorSha256` set. only one can be set.";
 
 let
-  args = removeAttrs args' [ "overrideModAttrs" "vendorSha256" ];
+  hasAnyVendorHash = (vendorSha256 != null && vendorSha256 != "_unset") || (vendorHash != null && vendorHash != "_unset");
+  vendorHashType =
+    if hasAnyVendorHash then
+      if vendorSha256 != null && vendorSha256 != "_unset" then
+        "sha256"
+      else
+        "sri"
+    else
+      null;
+
+  args = removeAttrs args' [ "overrideModAttrs" "vendorSha256" "vendorHash" ];
 
-  go-modules = if vendorSha256 != null then stdenv.mkDerivation (let modArgs = {
+  go-modules = if hasAnyVendorHash then stdenv.mkDerivation (let modArgs = {
 
     name = "${name}-go-modules";
 
@@ -98,7 +113,7 @@ let
       fi
     '' + ''
       if [ -d vendor ]; then
-        echo "vendor folder exists, please set 'vendorSha256 = null;' in your expression"
+        echo "vendor folder exists, please set 'vendorHash = null;' or 'vendorSha256 = null;' in your expression"
         exit 10
       fi
 
@@ -134,9 +149,14 @@ let
   }; in modArgs // (
       {
         outputHashMode = "recursive";
+      } // (if (vendorHashType == "sha256") then {
         outputHashAlgo = "sha256";
         outputHash = vendorSha256;
-      }
+      } else {
+        outputHash = vendorHash;
+      }) // (lib.optionalAttrs (vendorHashType == "sri" && vendorHash == "") {
+        outputHashAlgo = "sha256";
+      })
   ) // overrideModAttrs modArgs) else "";
 
   package = stdenv.mkDerivation (args // {
@@ -156,7 +176,7 @@ let
       export GOPROXY=off
       export GOSUMDB=off
       cd "$modRoot"
-    '' + lib.optionalString (vendorSha256 != null) ''
+    '' + lib.optionalString hasAnyVendorHash ''
       ${if proxyVendor then ''
         export GOPROXY=file://${go-modules}
       '' else ''
@@ -274,7 +294,7 @@ let
 
     disallowedReferences = lib.optional (!allowGoReference) go;
 
-    passthru = passthru // { inherit go go-modules vendorSha256 ; };
+    passthru = passthru // { inherit go go-modules vendorSha256 vendorHash; };
 
     enableParallelBuilding = enableParallelBuilding;