From 4027784d1d36b38e2f914ec73d7e1cba2db94b51 Mon Sep 17 00:00:00 2001
From: Dave Gallant <davegallant@proton.me>
Date: Sat, 14 Feb 2026 06:59:08 -0500
Subject: [PATCH] Update flake.nix vendor-hash in a workflow

---
 .github/workflows/update-vendor-hash.yml | 55 ++++++++++++++++++++++++
 flake.lock                               |  6 +--
 flake.nix                                |  2 +-
 3 files changed, 59 insertions(+), 4 deletions(-)
 create mode 100644 .github/workflows/update-vendor-hash.yml

diff --git a/.github/workflows/update-vendor-hash.yml b/.github/workflows/update-vendor-hash.yml
new file mode 100644
index 0000000..c28e40b
--- /dev/null
+++ b/.github/workflows/update-vendor-hash.yml
@@ -0,0 +1,55 @@
+name: Update vendorHash in flake.nix
+
+on:
+  push:
+    paths:
+      - 'go.mod'
+      - 'go.sum'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  update-hash:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: cachix/install-nix-action@v27
+        with:
+          nix_path: nixpkgs=channel:nixpkgs-unstable
+
+      - name: Calculate new vendorHash
+        id: hash
+        run: |
+          # First, set vendorHash to null to get Nix to calculate what it should be
+          sed -i 's/vendorHash = .*/vendorHash = null;/' flake.nix
+          
+          # Try to build and capture the expected hash
+          HASH=$(nix build .#vpngate 2>&1 | grep -oP "sha256-[a-zA-Z0-9+/]+={0,2}" | head -1)
+          
+          if [ -z "$HASH" ]; then
+            echo "Failed to extract hash from build output"
+            exit 1
+          fi
+          
+          echo "hash=$HASH" >> $GITHUB_OUTPUT
+          echo "Calculated hash: $HASH"
+
+      - name: Update flake.nix with correct hash
+        run: |
+          sed -i 's/vendorHash = null;/vendorHash = "${{ steps.hash.outputs.hash }}";/' flake.nix
+
+      - name: Commit and push if changed
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          
+          if git diff --quiet flake.nix; then
+            echo "No changes to commit"
+          else
+            git add flake.nix
+            git commit -m "chore: update vendorHash in flake.nix"
+            git push
+          fi
\ No newline at end of file
diff --git a/flake.lock b/flake.lock
index 11b6cad..f05b020 100644
--- a/flake.lock
+++ b/flake.lock
@@ -20,11 +20,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1763934636,
-        "narHash": "sha256-9glbI7f1uU+yzQCq5LwLgdZqx6svOhZWkd4JRY265fc=",
+        "lastModified": 1770843696,
+        "narHash": "sha256-LovWTGDwXhkfCOmbgLVA10bvsi/P8eDDpRudgk68HA8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ee09932cedcef15aaf476f9343d1dea2cb77e261",
+        "rev": "2343bbb58f99267223bc2aac4fc9ea301a155a16",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index 5fa4421..b4530d8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -16,7 +16,7 @@
         pkgs.buildGo125Module rec {
           name = "vpngate";
           src = ./.;
-          vendorHash = "sha256-tVNffrT+r3pA+0pvBaNKsq9K4wkB7WepkuSa1nCWloc=";
+          vendorHash = "sha256-FCYVkLhuVsVhxhjiSWJi02Fr0mhjQMCmHX1n2pjZM+U=";
           nativeBuildInputs = pkgs.lib.optionals pkgs.stdenv.isLinux [ pkgs.makeWrapper ];
           env.CGO_ENABLED = 0;
           doCheck = false;