Support devbox

[secustor]

Discussed in #27316

^{Originally posted by nieomylnieja February 15, 2024}

Tell us more.

Devbox is a tool for creating isolated dev environments built on top of nix.
It is configured with JSON, a sample config file looks like this:

{
  "packages": [
    "mockgen@latest",
    "[email protected]",
    "gotools@latest"
  ],
  "shell": {
    "init_hook": [
      "export \"GOROOT=$(go env GOROOT)\""
    ]
  }
}

The exact version of packages is stored in devbox.lock.json file:

{
  "lockfile_version": "1",
  "packages": {
    "[email protected]": {
      "last_modified": "2024-02-08T11:55:47Z",
      "resolved": "github:NixOS/nixpkgs/c0b7a892fb042ede583bdaecbbdc804acb85eabe#go_1_22",
      "source": "devbox-search",
      "version": "1.22.0",
      "systems": {
        "aarch64-darwin": {
          "store_path": "/nix/store/2022s0jnrn2iyxjaikfy51w5fvifp38b-go-1.22.0"
        },
        "aarch64-linux": {
          "store_path": "/nix/store/7wxzkvjv8qc2awhagpz0r8q9ay38q3wj-go-1.22.0"
        },
        "x86_64-darwin": {
          "store_path": "/nix/store/fgkl3qk8p5hnd07b0dhzfky3ys5gxjmq-go-1.22.0"
        },
        "x86_64-linux": {
          "store_path": "/nix/store/88y9r33p3j8f7bc8sqiy9jdlk7yqfrlg-go-1.22.0"
        }
      }
    },
    "gotools@latest": {
      "last_modified": "2024-01-27T14:55:31Z",
      "resolved": "github:NixOS/nixpkgs/160b762eda6d139ac10ae081f8f78d640dd523eb#gotools",
      "source": "devbox-search",
      "version": "0.16.1",
      "systems": {
        "aarch64-darwin": {
          "store_path": "/nix/store/dgh1j43hzn7w5djkl5fkb8mmg6zqcr1c-gotools-0.16.1"
        },
        "aarch64-linux": {
          "store_path": "/nix/store/kdy76bywmdza2rca2ks3zd72bibgx7zc-gotools-0.16.1"
        },
        "x86_64-darwin": {
          "store_path": "/nix/store/mxsvgy1bkzpj57mdc5h4y7d8gjiviv86-gotools-0.16.1"
        },
        "x86_64-linux": {
          "store_path": "/nix/store/6y9k19pm3hyadm0zzg3bsgbrjsfgxrm1-gotools-0.16.1"
        }
      }
    },
    "mockgen@latest": {
      "last_modified": "2024-01-27T14:55:31Z",
      "resolved": "github:NixOS/nixpkgs/160b762eda6d139ac10ae081f8f78d640dd523eb#mockgen",
      "source": "devbox-search",
      "version": "0.4.0",
      "systems": {
        "aarch64-darwin": {
          "store_path": "/nix/store/f9nlx8zjmzlhk5hdqkavjvcrpv69sxg6-mockgen-0.4.0"
        },
        "aarch64-linux": {
          "store_path": "/nix/store/6bqnm6mhicphr1k96my93q8v8z9rwsjw-mockgen-0.4.0"
        },
        "x86_64-darwin": {
          "store_path": "/nix/store/5azrpi395ffw1nj1nwv15sc8w0xwbg78-mockgen-0.4.0"
        },
        "x86_64-linux": {
          "store_path": "/nix/store/9j3482y5py35g4z9gaf61qibi0gr5gfq-mockgen-0.4.0"
        }
      }
    }
  }
}

The packages are updated with devbox update command according to constraints specified in devbox.json, for instance [email protected] will not be updated to Go 1.23 but to the latest 1.22 minor/patch version.
Latest will always update to the latest, major including.

Thre's an API we could use which queries https://www.nixhub.io/, example:

curl 'https://www.nixhub.io/search?q=go&_data=routes%2F_nixhub.search'

Although that would require writing custom logic around resolving the package version constraints, ideally we would simply call devbox update, but I'm not sure If that's a possibility with Renovate --> calling external programs.

Ref: jetify-com/devbox#1175.

[secustor]

New package manager questionnaire

Did you read our documentation on adding a package manager?

• I've read the adding a package manager documentation.

Basics

What's the name of the package manager?

I'm not sure I understand this question. Devbox is built in Go but it also utilizes nix ecosystem.

What language(s) does this package manager support?

nix

How popular is this package manager?

Hard to judge, but with 7k stars on GitHub I think It's fairly popular and I think it will only gain popularity as it's approach is quiet unique from existing container-based solutions.

Does this language have other (competing?) package managers?

• Yes (give names).
  • https://devenv.sh/ --> this is also built on top of nix but requires a bit more knowledge on nix itself while devbox abstracts it completely away
  • https://github.com/containers/toolbox
  • https://containers.dev/
• No.

What are the big selling points for this package manager?

Unlike container based developer environments, the usage of nix allows seamless integration with directly inside the developers' shell. Developers get to keep all their tools and workflows with Devbox environment sitting on top, instead of a new, more isolated environment container based solutions offer. This makes developing much more enjoyable and easier.

Detecting package files

What kind of package files, and names, does this package manager use?

• devbox.json --> main configuration file
• devbox.lock.json --> lockfile

Which fileMatch pattern(s) should Renovate use?

See above

Do many users need to extend the fileMatch pattern for custom file names?

• Yes, provide details.
  Devbox can use an arbitrary config file name and path with --config flag.
• No.

Is the fileMatch pattern going to get many "false hits" for files that have nothing to do with package management?

That's very unlikely.

Parsing and Extraction

Can package files have "local" links to each other that need to be resolved?

No.

Package file parsing method

Currently there's no way to combine many devbox files. So this shouldn't be an issue.

Which format/syntax does the package file use?

• JSON
• TOML
• YAML
• Custom (explain below)

How should we parse the package files?

Not sure If I understand what "off the shelf" means, but if it refers to JS builtin supported encodings, then yes (JSON module).

• Off the shelf parser.
• Using regex.
• Custom-parsed line by line.
• Other.

Does the package file have different "types" of dependencies?

• Yes, production and development dependencies.
• No, all dependencies are treated the same.

List all the sources/syntaxes of dependencies that can be extracted

Describe which types of dependencies above are supported and which will be implemented in future

Versioning

What versioning scheme does the package file(s) use?

<PKG_NAME>@<VERSION>

Version will be semver with either MAJOR, MINOR or PATCH precision and a special case latest keyword.

If the current Go version is 1.22.2, the following versions will likely resolve to it:

• go@latest
• [email protected]
• [email protected]
• go@1

The exact version is defined and updated inside the lockfile.

Does this versioning scheme support range constraints, like ^1.0.0 or 1.x?

• Supports range constraints (for example: ^1.0.0 or 1.x), provide details.
• No.

Lookup

Is a new datasource required?

• Yes, provide details.
  I'm not sure here, but I think to query an API like https://www.nixhub.io/ we'd need new datasource, maybe?
• No.

Will users want (or need to) set a custom host or custom registry for Renovate's lookup?

• Yes, provide details.
• No.

Are there any constraints in the package files that Renovate should use in the lookup procedure?

• Yes, there are constraints on the parent language (for example: supports only Python v3.x), provide details.
• Yes, there are constraints on the parent platform (for example: only supports Linux, Windows, etc.), provide details.
• Yes, some other kind of constraint, provide details.
• No constraints.

Will users need the ability to configure language or other constraints using Renovate config?

• Yes, provide details.
• No.

Artifacts

Does the package manager use a lock file or checksum file?

• Yes, uses lock file.
• Yes, uses checksum file.
• Yes, uses lock file and checksum file.
• No lock file or checksum.

Is the locksum or checksum mandatory?

• Yes, locksum is mandatory.
• Yes, checksum is mandatory.
• Yes, lock file and checksum are mandatory.
• No mandatory locksum or checksum.
• Package manager does not use locksums or checksums.

If lockfiles or checksums are used: what tool and exact commands should Renovate use to update one (or more) package versions in a dependency file?

devbox update

Package manager cache

Purely for updates, I don' think we need to use cache at all.

Does the package manager use a cache?

• Yes, provide details.
• No.

If the package manager uses a cache, how can Renovate control the cache?

• Package manager does not use a cache.
• Controlled via command line interface, provide details.
• Controlled via environment variables, provide details.

Should Renovate keep a cache?

• Yes, ignore/disable the cache.
• No.

Generating a lockfile from scratch

Renovate can perform "lock file maintenance" by getting the package manager to generate a lockfile from scratch.
Can the package manager generate a lockfile from scratch?

• Yes, explain which command Renovate should use to generate the lockfile.
  devbox update and that's it
• No, the package manager does not generate a lockfile from scratch.
• No, the package manager does not use lockfiles.

[t-monaghan]

Just a heads up, devbox is not using vanilla json but rather hujson.

You can see this here: https://github.com/jetify-com/devbox/blob/815ff115fe43fffc6666b34347b28a996a7ffb48/internal/devconfig/configfile/ast.go#L34-L36

Link to hujson: https://github.com/tailscale/hujson