Inexplicable importCargoLock failure

I’m trying to make a flake for the python app posting. It pins a few of its dependencies to versions that are more recent than anything available on nixpkgs, so I’m use overridePythonAttrs to update the source and version of the package to what they need to be. I’m specifically concerned with the python library watchfiles, whose version is pinned to 0.24.0. Watchfiles uses some rust code, so I have to update its cargoDeps attr. While the current packaging of watchfiles, on version 0.22.0, uses fetchCargoTarball for its cargoDeps, watchfiles 0.24.0 has a git dependency in its lock file, which means that fetchCargoTarball can’t be used. Luckily, importCargoLock can be used instead to specify a hash for the git dependency. Here’s what my final override looks like:

(watchfiles.overridePythonAttrs (old: rec {
  version = "0.24.0";
  src = pkgs.fetchPypi {
    pname = "watchfiles";
    inherit version;
    hash = "sha256-r7cjJbdPp6QowAnBuL5LTXwq/tr7KYKCfvIVZkbfL+E=";
  };
  cargoDeps = pkgs.rustPlatform.importCargoLock {
    lockFile = pkgs.fetchurl {
      url = "https://raw.githubusercontent.com/samuelcolvin/watchfiles/refs/tags/v0.24.0/Cargo.lock";
      hash = "sha256-rA6K0bjivOGhoGUYUk5OubFaMh3duEMaDgGtCqbY26g=";
    };
    outputHashes = {
      "notify-6.1.1" = "sha256-lT3R5ZQpjx52NVMEKTTQI90EWT16YnbqphqvZmNpw/I=";
    };
  };
}))

However, this doesn’t work. Here’s the error (the rest of the build log is fine):

Executing cargoSetupPostPatchHook
Validating consistency between /build/watchfiles-0.24.0/Cargo.lock and /build/cargo-vendor-dir/Cargo.lock
370c370
< version = "0.24.0"
---
> version = "0.0.0"

ERROR: cargoHash or cargoSha256 is out of date

Cargo.lock is not the same in /build/cargo-vendor-dir

To fix the issue:
1. Set cargoHash/cargoSha256 to an empty string: `cargoHash = "";`
2. Build the derivation and wait for it to fail with a hash mismatch
3. Copy the "got: sha256-..." value back into the cargoHash field
   You should have: cargoHash = "sha256-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=";

This is especially confusing because watchfiles’s Cargo.lock doesn’t have any line containing version = "0.24.0", but the diff claims it does.

Am I somehow misusing importCargoLock? Is there a way to use fetchCargoTarball on crates with git dependencies?

You need to use fetchFromGitHub like the original derivation instead of fetchPypi:

{
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
  };

  outputs =
    { self, nixpkgs }:
    let
      system = "x86_64-linux";
      pkgs = nixpkgs.legacyPackages.${system};

      python3 = pkgs.python3.override {
        packageOverrides = self: super: {
          watchfiles = super.watchfiles.overridePythonAttrs (old: rec {
            pname = "watchfiles";
            version = "0.24.0";

            src = pkgs.fetchFromGitHub {
              owner = "samuelcolvin";
              repo = pname;
              rev = "refs/tags/v${version}";
              hash = "sha256-uc4CfczpNkS4NMevtRxhUOj9zTt59cxoC0BXnuHFzys=";
            };

            cargoDeps = pkgs.rustPlatform.importCargoLock {
              lockFile = pkgs.fetchurl {
                url = "https://raw.githubusercontent.com/samuelcolvin/watchfiles/refs/tags/v${version}/Cargo.lock";
                hash = "sha256-rA6K0bjivOGhoGUYUk5OubFaMh3duEMaDgGtCqbY26g=";
              };
              outputHashes = {
                "notify-6.1.1" = "sha256-lT3R5ZQpjx52NVMEKTTQI90EWT16YnbqphqvZmNpw/I=";
              };
            };

            postPatch = ''
              sed -i "/^requires-python =.*/a version = '${version}'" pyproject.toml
              substituteInPlace Cargo.toml \
                --replace-fail 'version = "0.0.0"' 'version = "${version}"'
            '';
          });
        };
      };
    in
    {
      devShells.default = pkgs.mkShell {
        packages = [ (python3.withPackages (ps: [ ps.watchfiles ])) ];
        shellHook = ''
          watchfiles --version
        '';
      };
    };
}
$ nix develop .#devShells.default
watchfiles v0.24.0