Build and Install Devbox via Nix Flake (#2308)

## Summary

This adds a flake.nix to our repo for building and distributing Devbox.
This will make it easier for developers who install Devbox with Nix to
use pre-releases, and keep Devbox up-to-date on their system.

This changes our workflow in a few small ways:

1. Whenever `go.mod` changes, we'll need to run `devbox run update-hash`
to update the vendorHash for the flake. You can also run this script
when you run `go mod tidy`
2. Releasing a new version will also require us to update the version
number in the flake.nix. This should be done with a commit ("Bump
version to x.y") that also gets tagged with the release number.
3. For debugging purposes, the flake will add the shortened commit hash
to the version string. This also helps identify if a user built the
binary from a flake.
4. I've added a test to `cli-tests` that will build the flake. I've
confirmed that it will fail if the vendorHash is out of date or
incorrect
5. We'll periodically need to run `nix flake update` to update the
flake.lock file.

## How was it tested?

1. Ran `nix build .` in the Devbox repo, confirmed that the resulting
build worked
2. Tested the Github Action by pushing an invalid vendorHash

---------

Signed-off-by: John Lago <[email protected]>
Co-authored-by: Greg Curtis <[email protected]>

Author: Lagoja

.github/workflows/cli-tests.yaml

@@ -76,6 +76,16 @@ jobs:
       - uses: actions/checkout@v4
       - uses: crate-ci/[email protected]
 
+  flake-test:
+    name: Test Flake Build
+    if: github.ref != 'refs/heads/main'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@main
+      - run: nix build .
+      - run: ./result/bin/devbox version
+  
   golangci-lint:
     strategy:
       matrix:

.gitignore

@@ -38,3 +38,7 @@ __pycache__/
 # deployment
 .vercel
 .yarn
+
+# Nix
+vendor/
+result

devbox.json

@@ -1,45 +1,55 @@
 {
-  "name":        "devbox",
+  "name": "devbox",
   "description": "Instant, easy, and predictable development environments",
   "packages": {
-    "go":                          "latest",
+    "go": "latest",
     "runx:golangci/golangci-lint": "latest",
-    "runx:mvdan/gofumpt":          "latest",
+    "runx:mvdan/gofumpt": "latest"
   },
   "env": {
     "GOENV": "off",
-    "PATH":  "$PATH:$PWD/dist",
+    "PATH": "$PATH:$PWD/dist"
   },
   "shell": {
     "init_hook": [
       // Remove Go environment variables that might've been inherited from the
       // user's environment and could affect the build.
       "test -z $FISH_VERSION && \\",
       "unset       CGO_ENABLED GO111MODULE GOARCH GOFLAGS GOMOD GOOS GOROOT GOTOOLCHAIN GOWORK || \\",
-      "set --erase CGO_ENABLED GO111MODULE GOARCH GOFLAGS GOMOD GOOS GOROOT GOTOOLCHAIN GOWORK",
+      "set --erase CGO_ENABLED GO111MODULE GOARCH GOFLAGS GOMOD GOOS GOROOT GOTOOLCHAIN GOWORK"
     ],
     "scripts": {
       // Build devbox for the current platform
-      "build":              "go build -o dist/devbox ./cmd/devbox",
+      "build": "go build -o dist/devbox ./cmd/devbox",
       "build-darwin-amd64": "GOOS=darwin GOARCH=amd64 go build -o dist/devbox-darwin-amd64 ./cmd/devbox",
       "build-darwin-arm64": "GOOS=darwin GOARCH=arm64 go build -o dist/devbox-darwin-arm64 ./cmd/devbox",
-      "build-linux-amd64":  "GOOS=linux GOARCH=amd64 go build -o dist/devbox-linux-amd64 ./cmd/devbox",
-      "build-linux-arm64":  "GOOS=linux GOARCH=arm64 go build -o dist/devbox-linux-arm64 ./cmd/devbox",
+      "build-linux-amd64": "GOOS=linux GOARCH=amd64 go build -o dist/devbox-linux-amd64 ./cmd/devbox",
+      "build-linux-arm64": "GOOS=linux GOARCH=arm64 go build -o dist/devbox-linux-arm64 ./cmd/devbox",
       "build-all": [
         "devbox run build-darwin-amd64",
         "devbox run build-darwin-arm64",
         "devbox run build-linux-amd64",
-        "devbox run build-linux-arm64",
+        "devbox run build-linux-arm64"
       ],
       // Open VSCode
-      "code":               "code .",
-      "lint":               "golangci-lint run --timeout 5m && scripts/gofumpt.sh",
-      "fmt":                "scripts/gofumpt.sh",
-      "test":               "go test -race -cover ./...",
+      "code": "code .",
+      "lint": "golangci-lint run --timeout 5m && scripts/gofumpt.sh",
+      "fmt": "scripts/gofumpt.sh",
+      "test": "go test -race -cover ./...",
       "test-projects-only": "DEVBOX_RUN_PROJECT_TESTS=1 go test -v -timeout ${DEVBOX_GOLANG_TEST_TIMEOUT:-30m} ./... -run \"TestExamples|TestScriptsWithProjects\"",
-      "update-examples":    "devbox run build && go run testscripts/testrunner/updater/main.go",
-      "tidy":               "go mod tidy",
-
+      "update-examples": "devbox run build && go run testscripts/testrunner/updater/main.go",
+      // Updates the Flake's vendorHash: First run `go mod vendor` to vendor
+      // the dependencies, then hash the vendor directory with Nix.
+      // The hash is saved to the `vendor-hash` file, which is then
+      // read into the Nix Flake.
+      "update-hash": [
+        // realpath to work-around nix hash not liking symlinks
+        "vendor=$(realpath $(mktemp -d))",
+        "trap \"rm -rf $vendor\" EXIT",
+        "go mod vendor -o $vendor",
+        "nix hash path $vendor >vendor-hash",
+      ],
+      "tidy": ["go mod tidy", "devbox run update-hash"],
       // docker-testscripts runs the testscripts with Docker to exercise
       // Linux-specific tests. It invokes the test binary directly, so any extra
       // test runner flags must have their "-test." prefix.
@@ -58,8 +68,8 @@
         "GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go test -c -o testscripts-linux-amd64",
         "GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go test -c -o testscripts-linux-arm64",
         "image=$(docker build --quiet --tag devbox-testscripts-ubuntu:noble --platform linux/amd64 .)",
-        "docker run --rm --mount type=volume,src=devbox-testscripts-amd64,dst=/nix --platform linux/amd64 -e DEVBOX_RUN_FAILING_TESTS -e DEVBOX_RUN_PROJECT_TESTS -e DEVBOX_DEBUG $image \"$@\"",
-      ],
-    },
-  },
+        "docker run --rm --mount type=volume,src=devbox-testscripts-amd64,dst=/nix --platform linux/amd64 -e DEVBOX_RUN_FAILING_TESTS -e DEVBOX_RUN_PROJECT_TESTS -e DEVBOX_DEBUG $image \"$@\""
+      ]
+    }
+  }
 }

flake.lock

@@ -0,0 +1,69 @@
+{
+  description = "Instant, easy, predictable shells and containers";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    flake-utils.url = "github:numtide/flake-utils";
+  };
+
+  outputs = { self, nixpkgs, flake-utils }:
+    flake-utils.lib.eachDefaultSystem (system:
+      let
+        pkgs = nixpkgs.legacyPackages.${system};
+
+        lastTag = "0.13.2";
+
+        # Add the commit to the version string, in case someone builds from main
+        getVersion = pkgs.lib.trivial.pipe self [
+          (x: "${lastTag}")
+          (x: if (self ? revCount)
+              then "${x}-${self.shortRev}"
+              else "${x}-${self.dirtyShortRev}")
+        ];
+
+        # Run `devbox run update-flake` to update the vendorHash
+        vendorHash = if builtins.pathExists ./vendor-hash
+                     then builtins.readFile ./vendor-hash
+                     else "";
+
+        buildGoModule = pkgs.buildGo123Module;
+
+      in
+      {
+        inherit self;
+        packages.default = buildGoModule rec {
+          pname = "devbox";
+          version = getVersion;
+
+          src = ./.;
+
+          inherit vendorHash;
+
+          ldflags = [
+            "-s"
+            "-w"
+            "-X go.jetpack.io/devbox/internal/build.Version=${version}"
+          ];
+
+          # Disable tests if they require network access or are integration tests
+          doCheck = false;
+
+          nativeBuildInputs = [ pkgs.installShellFiles ];
+
+          postInstall = ''
+            installShellCompletion --cmd devbox \
+              --bash <($out/bin/devbox completion bash) \
+              --fish <($out/bin/devbox completion fish) \
+              --zsh <($out/bin/devbox completion zsh)
+          '';
+
+          meta = with pkgs.lib; {
+            description = "Instant, easy, and predictable development environments";
+            homepage = "https://www.jetify.com/devbox";
+            license = licenses.asl20;
+            maintainers = with maintainers; [ lagoja ];
+          };
+        };
+      }
+    );
+}

flake.nix

@@ -0,0 +1 @@
+sha256-rwmNzYzmZqNcNVV4GgqCVLT6ofIkblVCMJHLGwlhcGw=