feat(tvix): run crate2nix generate in CI

This runs `crate2nix generate` in CI and then runs `depotfmt` on the
result to ensure that our machine-generated code is really, really
readable and pretty.  Then it checks that the result of all that
is identical to the committed Cargo.nix.

A self-hashing FOD is used to allow network access.

No magic hashes are involved.

Co-Authored-By: Florian Klink <flokli@flokli.de>
Change-Id: I68ec5003dbc6a40894a5a4d6e902f138c99f6719
Reviewed-on: https://cl.tvl.fyi/c/depot/+/10194
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: Adam Joseph <adam@westernsemico.com>
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>

tvix/default.nix

@@ -89,17 +89,68 @@ let
   # The cleaned sources.
   src = depot.third_party.gitignoreSource ./.;
 
-in
-{
-  inherit crates;
-
   # Run crate2nix generate in the current working directory, then
   # format the generated file with depotfmt.
-  crate2nixGenerate = pkgs.writeShellScriptBin "crate2nix-generate" ''
+  crate2nix-generate = pkgs.writeShellScriptBin "crate2nix-generate" ''
     ${pkgs.crate2nix}/bin/crate2nix generate --all-features
     ${depot.tools.depotfmt}/bin/depotfmt Cargo.nix
   '';
 
+in
+{
+  inherit crates crate2nix-generate;
+
+  # Run crate2nix generate, ensure the output doesn't differ afterwards
+  # (and doesn't fail).
+  #
+  # Currently this re-downloads every crate every time
+  # crate2nix-check (but not crate2nix) is built.
+  # TODO(amjoseph): be less wasteful with bandwidth.
+  #
+  crate2nix-check =
+    let
+      outputHashAlgo = "sha256";
+    in
+    pkgs.stdenv.mkDerivation {
+      inherit src;
+
+      # Important: we include the hash of the Cargo.lock file and
+      # Cargo.nix file in the derivation name.  This forces the FOD
+      # to be rebuilt/reverified whenever either of them changes.
+      name = "tvix-crate2nix-check-" +
+        (builtins.substring 0 8 (builtins.hashFile "sha256" ./Cargo.lock)) +
+        "-" +
+        (builtins.substring 0 8 (builtins.hashFile "sha256" ./Cargo.nix));
+
+      nativeBuildInputs = with pkgs; [ git cacert cargo ];
+      buildPhase = ''
+        export CARGO_HOME=$(mktemp -d)
+
+        # The following command can be omitted, in which case
+        # crate2nix-generate will run it automatically, but won't show the
+        # output, which makes it look like the build is somehow "stuck" for a
+        # minute or two.
+        cargo metadata > /dev/null
+
+        # running this command counteracts depotfmt brokenness
+        git init
+
+        ${crate2nix-generate}/bin/crate2nix-generate
+
+        # technically unnecessary, but provides more-helpful output in case of error
+        diff -ur Cargo.nix ${src}/Cargo.nix
+
+        # the FOD hash will check that the (re-)generated Cargo.nix matches the committed Cargo.nix
+        cp Cargo.nix $out
+      '';
+
+      # This is an FOD in order to allow `cargo` to perform network access.
+      outputHashMode = "flat";
+      inherit outputHashAlgo;
+      outputHash = builtins.hashFile outputHashAlgo ./Cargo.nix;
+      env.SSL_CERT_FILE = "${pkgs.cacert.out}/etc/ssl/certs/ca-bundle.crt";
+    };
+
   # Provide the Tvix logo in both .webp and .png format.
   logo = pkgs.runCommand "logo"
     {
@@ -167,6 +218,7 @@ in
 
   meta.ci.targets = [
     "clippy"
+    "crate2nix-check"
     "shell"
     "rust-docs"
   ];