source urls cannot be versioned

[OmarTawfik]

A recent update in hermit-packages broke all rust pipelines: cashapp/hermit-packages#235

To avoid this, projects typically fix their dependencies versions. As Hermit docs suggest, this can be done by locking the version of the packages sources they import.

An optional # suffix can be added to checkout a specific tag.

Which suggests something like this:

# hermit.hcl
sources = [
  "https://github.com/cashapp/hermit-packages.git#tag"
]

However, I had the following issues using that feature:

One: hermit-packages does not push tags regularly

For users to stay up to date, there need to be regular tags/versions pushed from this repository. Looking at the existing tags, I find only one index tag that is 6 months old: https://github.com/cashapp/hermit-packages/tags

If pushing tags more regularly is useful for Hermit long-term plans, should it be automated? Otherwise, I suggest supporting any ref in the URL, so that users can specify a specific commit hash (instead of a tag), and update it regularly.

Two: url format is not clear

Now I tried using the following formats, which all failed:

• https://github.com/cashapp/hermit-packages.git#index
  • fatal:hermit: /github/workspace/bin/hermit.hcl: unsupported source
• https://github.com/cashapp/hermit-packages#index.git
  • exit status 128: git sync failed: git clone --depth=1 failed

I suggest adding an explicit example of a versioned url in sources array in the documentation, for clarity.

Three: regular updates

Looking at Renovate plugin docs, it is not clear to me if the bot can update tags (or commit hashes) in the sources URLs in hermit.hcl .. Is this a supported scenario?

[alecthomas]

The problem is actually much more straightforward: the documentation is incorrect and git sources don't support #<ref> at all 🤦‍♂️

We haven't actually thought about pinning the sources before, but this is actually a great idea! I will add support for refs.

[alecthomas]

I forgot to add that the Renovate bot does not update source tags, only packages.

[OmarTawfik]

@alecthomas Thanks for working on #343 .. Can we add a code example to the docs (this page) of a sources entry using a URL + a specific commit SHA? I will definitely be using this feature as soon as it is released.

I forgot to add that the Renovate bot does not update source tags, only packages.

Not urgent/blocking for me right now, but Is this something on your road map?

[alecthomas]

Not urgent/blocking for me right now, but Is this something on your road map?

It is not on the roadmap currently, no. Want to file an issue?

[OmarTawfik]

Want to file an issue?

Created these two issues, and added more details/comments to them:

• Update sources URL refs from Renovate Bot #344
• Update hermit cli version from Renovate bot #345

[alecthomas]

Awesome thanks Omar!