Merge branch 'master' into staging-next

3 files changed, 65 insertions, 11 deletions

diff --git a/pkgs/build-support/php/hooks/composer-install-hook.sh b/pkgs/build-support/php/hooks/composer-install-hook.sh
index 86d17d0f50f7..b1b5e2ac553d 100644
--- a/pkgs/build-support/php/hooks/composer-install-hook.sh
+++ b/pkgs/build-support/php/hooks/composer-install-hook.sh
@@ -22,13 +22,47 @@ composerInstallConfigureHook() {
     fi
 
     if [[ ! -f "composer.lock" ]]; then
-        echo "No composer.lock file found, consider adding one to your repository to ensure reproducible builds."
+        composer \
+            --no-ansi \
+            --no-install \
+            --no-interaction \
+            ${composerNoDev:+--no-dev} \
+            ${composerNoPlugins:+--no-plugins} \
+            ${composerNoScripts:+--no-scripts} \
+            update
+
+        mkdir -p $out
+        cp composer.lock $out/
+
+        echo
+        echo 'No composer.lock file found, consider adding one to your repository to ensure reproducible builds.'
+        echo "In the meantime, a composer.lock file has been generated for you in $out/composer.lock"
+        echo
+        echo 'To fix the issue:'
+        echo "1. Copy the composer.lock file from $out/composer.lock to the project's source:"
+        echo "  cp $out/composer.lock <path>"
+        echo '2. Add the composerLock attribute, pointing to the copied composer.lock file:'
+        echo '  composerLock = ./composer.lock;'
+        echo
 
-        if [[ -f "${composerRepository}/composer.lock" ]]; then
-            cp ${composerRepository}/composer.lock composer.lock
-        fi
+        exit 1
+    fi
 
-        echo "Using an autogenerated composer.lock file."
+    echo "Validating consistency between composer.lock and ${composerRepository}/composer.lock"
+    if [[! @diff@ composer.lock "${composerRepository}/composer.lock"]]; then
+        echo
+        echo "ERROR: vendorHash is out of date"
+        echo
+        echo "composer.lock is not the same in $composerRepository"
+        echo
+        echo "To fix the issue:"
+        echo '1. Set vendorHash to an empty string: `vendorHash = "";`'
+        echo '2. Build the derivation and wait for it to fail with a hash mismatch'
+        echo '3. Copy the "got: sha256-..." value back into the vendorHash field'
+        echo '   You should have: vendorHash = "sha256-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=";'
+        echo
+
+        exit 1
     fi
 
     chmod +w composer.json composer.lock
diff --git a/pkgs/build-support/php/hooks/composer-repository-hook.sh b/pkgs/build-support/php/hooks/composer-repository-hook.sh
index 057acf1fcc30..779f07347548 100644
--- a/pkgs/build-support/php/hooks/composer-repository-hook.sh
+++ b/pkgs/build-support/php/hooks/composer-repository-hook.sh
@@ -17,7 +17,6 @@ composerRepositoryConfigureHook() {
     fi
 
     if [[ ! -f "composer.lock" ]]; then
-        echo "No composer.lock file found, consider adding one to your repository to ensure reproducible builds."
         composer \
             --no-ansi \
             --no-install \
@@ -26,7 +25,22 @@ composerRepositoryConfigureHook() {
             ${composerNoPlugins:+--no-plugins} \
             ${composerNoScripts:+--no-scripts} \
             update
-        echo "Using an autogenerated composer.lock file."
+
+        mkdir -p $out
+        cp composer.lock $out/
+
+        echo
+        echo 'No composer.lock file found, consider adding one to your repository to ensure reproducible builds.'
+        echo "In the meantime, a composer.lock file has been generated for you in $out/composer.lock"
+        echo
+        echo 'To fix the issue:'
+        echo "1. Copy the composer.lock file from $out/composer.lock to the project's source:"
+        echo "  cp $out/composer.lock <path>"
+        echo '2. Add the composerLock attribute, pointing to the copied composer.lock file:'
+        echo '  composerLock = ./composer.lock;'
+        echo
+
+        exit 1
     fi
 
     echo "Finished composerRepositoryConfigureHook"
@@ -61,8 +75,8 @@ composerRepositoryInstallHook() {
 
     cp -ar repository/. $out/
 
-    # Copy the composer.lock files to the output directory, in case it has been
-    # autogenerated.
+    # Copy the composer.lock files to the output directory, to be able to validate consistency with
+    # the src composer.lock file where this fixed-output derivation is used
     cp composer.lock $out/
 
     echo "Finished composerRepositoryInstallHook"
diff --git a/pkgs/build-support/php/hooks/default.nix b/pkgs/build-support/php/hooks/default.nix
index 5ff69a877863..c19bc757581f 100644
--- a/pkgs/build-support/php/hooks/default.nix
+++ b/pkgs/build-support/php/hooks/default.nix
@@ -1,9 +1,11 @@
-{ makeSetupHook
+{ lib
+, makeSetupHook
 , jq
 , moreutils
 , makeBinaryWrapper
 , php
 , cacert
+, buildPackages
 }:
 
 {
@@ -18,6 +20,10 @@
     {
       name = "composer-install-hook.sh";
       propagatedBuildInputs = [ jq makeBinaryWrapper moreutils php cacert ];
-      substitutions = { };
+      substitutions = {
+        # Specify the stdenv's `diff` by abspath to ensure that the user's build
+        # inputs do not cause us to find the wrong `diff`.
+        diff = "${lib.getBin buildPackages.diffutils}/bin/diff";
+      };
     } ./composer-install-hook.sh;
 }