Update Flatpak pnpm source preparation#23517
Conversation
|
When experimenting with a nix package, I noticed that Did you need to address this for the flatpak package too?1 IIRC, flatpak has similar requirements for deterministic dependencies. Footnotes
|
|
Pretty interesting stuff; not sure at which time I'll be able to review this personally- as doing Linux support outside of dev-environment is more further down the road, but I'm all down for it. |
|
Thank you! I do agree with Matt's comment and I'll try my best to address it.
I hope it won't take too long 😅 |
|
This PR has conflicts. You need to rebase the PR before it can be merged. |
1ba03e6 to
e73f934
Compare
|
This PR doesn't have conflicts anymore. It can be merged after all status checks have passed and it has been reviewed. |
I've updated this PR with DuckDB sources SHA256 config & verification. There's a couple of documentation updates needed, but I will hold them off until the final approach is decided (so we avoid unnecessary changes and code review). There's one open question though (see PR description). |
|
I believe #23551 will also be an issue, as it is generating the API schema during postinstall. /cc @Aragas Removing Also, I wonder if it'd be easier to land this if the DuckDB stuff was split off into a dedicated PR? |
|
@MattSturgeon I can split this into 2 PRs (Flatpak + DuckDB), or even 3 (Flatpak + DuckDB + workflow adjustments after proper review/verification of the DuckDB part). Happy to split it however you prefer. Also, my bad if I’m missing something, but I don’t see how |
I'm not part of the Nexus Mods team, so my opinion doesn't really matter, here. Just throwing suggestions out there 🙂
I was going off of Vortex/packages/nexus-api-v3/README.md Lines 11 to 14 in 1c34e34 EDIT: to be clear, this is unrelated to DuckDB. It's just another impure/non-deterministic build step, that I believe would block reproducible packaging (like flatpak). |
Me neither, but any reasonable opinion is welcome 🙂
EDIT: Gotcha. Well, sounds like a separate PR for sure. |
|
This PR has been marked as stale due to inactivity. |
|
This PR has conflicts. You need to rebase the PR before it can be merged. |
Summary
This updates the Flatpak packaging flow to use
pnpminstead of the old Yarn-based dependency setup, then adds locked DuckDB extension artifacts so the Flatpak build can keep working offline.The repo now uses
pnpm-lock.yaml, but the Flatpak source generation path still depended on Yarn-style generated sources and Yarn install commands. This PR switches the Flatpak JavaScript dependency sources to pnpm, installs withpnpm install --frozen-lockfile --offline, and regeneratesflatpak/generated-sources.jsonfrom the current pnpm lockfile.While testing that path, DuckDB extension downloads became the next offline-build gap. The downloader was still resolving extension URLs at build time, which does not fit Flatpak well because external files need to be declared before the sandboxed build starts. This PR adds a DuckDB extension lockfile with pinned URLs and SHA256 hashes, teaches the downloader to consume it, and generates Flatpak sources for those locked extension artifacts.
What I've changed, more specifically
Flatpak pnpm migration
yarn ...topnpm ...flatpak-node-generatorfrom Yarn mode to pnpm modeflatpak-builder-toolscommit to one that includes pnpm lockfile supportflatpak/scripts/flatpak_prepare_pnpm.pyto prepare the copied Flatpak build tree before offline installflatpak/yarnrcflatpak/generated-sources.jsonandflatpak/generated-sources.hashfrompnpm-lock.yamlDuckDB extension locking
src/main/duckdb-extensions.lock.jsonto pin DuckDB extension artifacts by DuckDB version, platform, URL, and SHA256--update-duckdb-lock, and install from a prefetched source directory whenVORTEX_DUCKDB_EXTENSION_SOURCE_DIRis setscripts/generate-query-types.tsto load the same locked locallevel_pivotextension instead of resolvingcurrent_releaseflatpak/scripts/flatpak_sources.pyto emitgenerated-duckdb-sources.jsonflatpak/generated-duckdb-sources.jsonandflatpak/generated-duckdb-sources.hashTech Notes
The generated JavaScript source diff is large, but that is expected. The output moved from Yarn-style generated sources to pnpm-style generated sources, including pnpm store population data based on
pnpm-lock.yaml.The Flatpak pnpm preparation step removes the managed Node runtime from the copied package metadata and normalizes the lockfile for the build sandbox. Flatpak already provides Node through
org.freedesktop.Sdk.Extension.node24, so the offline pnpm install should use that SDK runtime instead of trying to resolve/download Node as a package dependency inside the sandbox.DuckDB extension locking pins the compressed
.duckdb_extension.gzartifacts, because those are the files Flatpak fetches before the build starts. The downloader verifies the compressed file hash first, then unpacks it into the normal build output directory.Normal app builds still download the locked DuckDB URLs directly. Flatpak builds set
VORTEX_DUCKDB_EXTENSION_SOURCE_DIR, so the downloader reads the already-prefetched artifacts from the Flatpak source directory instead of using the network.scripts/generate-query-types.tsalso uses the locked extension flow now. It validates the lockfile against the installed@duckdb/node-api, checks that the host platform artifact has been downloaded, sets DuckDB'sextension_directory, and runsLOAD level_pivotfrom the local locked output. That keeps generated query types aligned with the extension artifact Vortex packages.Refreshing the DuckDB lockfile is intentionally explicit:
That keeps normal builds from silently accepting changed upstream DuckDB extension artifacts.
Open Questions
current_release. The lockfile pins SHA256, so changed upstream bytes fail builds instead of being accepted silently. However, previous builds are only reproducible while the old bytes remain available at that URL. How should the build process work if the actual bytes behindcurrent_releasechange, but the previous bytes are still preferred?Proposed answer: keep the SHA256 lock as the build gate, and do not auto-refresh it during normal builds. If
current_releasechanges and the hash check fails, the build should fail with a clear message and require a maintainer decision. If the new bytes are intended, refresh the lockfile. If the previous bytes are still required, they need to come from an immutable source that still has them, such as a release asset, CI artifact, or project-owned mirror. If no such source exists, the previous build is not fully reproducible fromcurrent_releasealone. Longer term, the extension publish flow should expose immutable versioned artifact URLs so the lockfile can pin both the URL and hash without depending oncurrent_release.scripts/generate-query-types.tsnow loads the unpacked DuckDB extension fromsrc/main/build/duckdb-extensions/.... That file is hash-verified when produced byduckdb:download-duckdb-extensions, but the query type generator does not re-check SHA256 itself. Is that trust boundary OK, or should query type generation verify or recreate the locked extension artifact before loading it?Proposed answer: keep SHA256 verification centralized in the downloader for now. The generator should require the local locked extension output to exist and fail with instructions to run
pnpm run --filter @vortex/main duckdb:download-duckdb-extensionswhen it is missing. If maintainers want query generation to be independently verifiable later, the lockfile should also record the unpacked extension hash or the generator should call the downloader flow directly before loading DuckDB.Validation Performed
Regenerated the pnpm Flatpak node sources:
Regenerated the Flatpak DuckDB sources from the DuckDB extension lockfile:
Ran the targeted DuckDB extension tests:
pnpm run --filter @vortex/main test -- download-duckdb-extensions.test.tsRegenerated query types using the locked local DuckDB extension:
Checked that the generated Flatpak DuckDB source file is valid JSON:
python3 -c "import json; json.load(open('flatpak/generated-duckdb-sources.json'))"What Is Still Needed To Be Done
This gets the Flatpak dependency/source-generation path onto pnpm and makes DuckDB extension artifacts available to the Flatpak build offline, but it does not prove the final Flatpak package is ready to publish.