A recent update in
hermit-packages broke all rust pipelines: https://github.com/cashapp/hermit-packages/issues/235
To avoid this, projects typically fix their dependencies versions. As Hermit docs suggest, this can be done by locking the version of the packages sources they import.
An optional # suffix can be added to checkout a specific tag.
Which suggests something like this:
sources = [
However, I had the following issues using that feature:
hermit-packages does not push tags regularly
For users to stay up to date, there need to be regular tags/versions pushed from this repository. Looking at the existing tags, I find only one
index tag that is 6 months old: https://github.com/cashapp/hermit-packages/tags
If pushing tags more regularly is useful for Hermit long-term plans, should it be automated? Otherwise, I suggest supporting any ref in the URL, so that users can specify a specific commit hash (instead of a tag), and update it regularly.
Two: url format is not clear
Now I tried using the following formats, which all failed:
fatal:hermit: /github/workspace/bin/hermit.hcl: unsupported source
exit status 128: git sync failed: git clone --depth=1 failed
I suggest adding an explicit example of a versioned url in
sources array in the documentation, for clarity.
Three: regular updates
Looking at Renovate plugin docs, it is not clear to me if the bot can update tags (or commit hashes) in the
sources URLs in
hermit.hcl .. Is this a supported scenario?