source urls cannot be versioned #342
Description
A recent update in hermit-packages broke all rust pipelines: https://github.com/cashapp/hermit-packages/issues/235
To avoid this, projects typically fix their dependencies versions. As Hermit docs suggest, this can be done by locking the version of the packages sources they import.
An optional # suffix can be added to checkout a specific tag.
Which suggests something like this:
# hermit.hcl
sources = [
"https://github.com/cashapp/hermit-packages.git#tag"
]However, I had the following issues using that feature:
One: hermit-packages does not push tags regularly
For users to stay up to date, there need to be regular tags/versions pushed from this repository. Looking at the existing tags, I find only one index tag that is 6 months old: https://github.com/cashapp/hermit-packages/tags
If pushing tags more regularly is useful for Hermit long-term plans, should it be automated? Otherwise, I suggest supporting any ref in the URL, so that users can specify a specific commit hash (instead of a tag), and update it regularly.
Two: url format is not clear
Now I tried using the following formats, which all failed:
- https://github.com/cashapp/hermit-packages.git#index
fatal:hermit: /github/workspace/bin/hermit.hcl: unsupported source
- https://github.com/cashapp/hermit-packages#index.git
exit status 128: git sync failed: git clone --depth=1 failed
I suggest adding an explicit example of a versioned url in sources array in the documentation, for clarity.
Three: regular updates
Looking at Renovate plugin docs, it is not clear to me if the bot can update tags (or commit hashes) in the sources URLs in hermit.hcl .. Is this a supported scenario?