A recent update in hermit-packages
broke all rust pipelines: https://github.com/cashapp/hermit-packages/issues/235
To avoid this, projects typically fix their dependencies versions. As Hermit docs suggest, this can be done by locking the version of the packages sources they import.
An optional # suffix can be added to checkout a specific tag.
Which suggests something like this:
# hermit.hcl
sources = [
"https://github.com/cashapp/hermit-packages.git#tag"
]
However, I had the following issues using that feature:
One: hermit-packages
does not push tags regularly
For users to stay up to date, there need to be regular tags/versions pushed from this repository. Looking at the existing tags, I find only one index
tag that is 6 months old: https://github.com/cashapp/hermit-packages/tags
If pushing tags more regularly is useful for Hermit long-term plans, should it be automated? Otherwise, I suggest supporting any ref in the URL, so that users can specify a specific commit hash (instead of a tag), and update it regularly.
Two: url format is not clear
Now I tried using the following formats, which all failed:
- https://github.com/cashapp/hermit-packages.git#index
fatal:hermit: /github/workspace/bin/hermit.hcl: unsupported source
- https://github.com/cashapp/hermit-packages#index.git
exit status 128: git sync failed: git clone --depth=1 failed
I suggest adding an explicit example of a versioned url in sources
array in the documentation, for clarity.
Three: regular updates
Looking at Renovate plugin docs, it is not clear to me if the bot can update tags (or commit hashes) in the sources
URLs in hermit.hcl
.. Is this a supported scenario?