Nixpkgs pinning example

README.md

Nixpkgs pinning example

This is an example of how to pin the version of nixpkgs in a package repo. The goal is to improve reproducibility, make sure all the developers use the same version of nixpkgs and also allow to share binary caches.

Usage

Put all these files in a nixpkgs folder and then in other derivations, instead of import <nixpkgs> {} use import ./path/to/nixpkgs {}

Keeping nixpkgs up to date

Run the path/to/nixpkgs/update script to pull the latest version on the channel. The channel is hard-coded in the script.

default.nix

let
  _nixpkgs = import <nixpkgs> {};
  nixpkgs = _nixpkgs.fetchFromGitHub (_nixpkgs.lib.importJSON ./src.json);
in
  import nixpkgs

src.json

{
  "owner": "NixOS",
  "repo": "nixpkgs-channels",
  "rev": "4da11d7c9b7ed59b5acb19dd6ba335aef113db94",
  "sha256": "0w7wsbdjglmcvy9b2z2gpb56c057v9rs2mh79nxjffj1jmvq7dsm"
}

update

#!/usr/bin/env nix-shell
#!nix-shell -i bash -p bash nix curl jq
#
# Updates the nixpkgs.json to the latest channel release
set -euo pipefail

cd "$(dirname "$0")" || exit 1

branch=nixos-16.09

owner=NixOS
repo=nixpkgs-channels
rev=$(curl -sfL https://api.github.com/repos/$owner/$repo/git/refs/heads/$branch | jq -r .object.sha)
url=https://github.com/$owner/$repo/archive/$rev.tar.gz

release_sha256=$(nix-prefetch-url --unpack "$url")

cat <<NIXPKGS | tee src.json
{
  "owner": "$owner",
  "repo": "$repo",
  "rev": "$rev",
  "sha256": "$release_sha256"
}
NIXPKGS

This seems to do the trick with current nixpkgs:

1. Get the name and URL:

   curl https://api.github.com/repos/NixOS/nixpkgs/git/refs/heads/release-22.05 | \
       jq '{name: (.ref | split("/")[-1] + "-" + (now|strflocaltime("%Y-%m-%dT%H-%M-%SZ"))), url: ("https://github.com/NixOS/nixpkgs/archive/" + .object.sha + ".tar.gz")}' \
       > nixpkgs.json
   

2. Add the checksum:

   jq '. + {sha256: $hash}' --arg hash "$(nix-prefetch-url --unpack "$(jq --raw-output .url nixpkgs.json)")" nixpkgs.json | \
       sponge nixpkgs.json
   

Example result: