Nix build reports mismatch Go vendor hash on GitHub Actions for nested Go modules

Hi! I’m having an issue with nix build on GitHub Actions for a Go project.

I’m using Nix Flake on my GitHub repo for a Go app. My GitHub Actions workflow then uses nix build to build binaries from the flake.

This repository contains 2 Go modules:

Both modules put their main programs in their own respective ./cmd/ directories (Go convention is to place the main programs in cmd directory).

Within the flake, there’re 2 outputs that involves buildGoModule:

  • output .#ssg-go builds executables in the root module in /cmd/

  • output .#soyweb builds executables in /soyweb/cmd/

Both of the outputs use buildGoModule to build the executables in cmd. On my local machine (NixOS), both outputs can be built just fine.

But on GitHub Actions, nix build .#soyweb fails, complaining about vendor hash mismatch. My observation is that these actual hash changes every time I correct the vendor hash for .#soyweb in the flake.

I assumed it was because the GitHub runner clutters the root of the projects with its files, and thus changing the digest hash of the root module. - i.e. I assume that if the root directory changes, so does the vendor hash for .#soyweb.

So I did an experiment and build .#soyweb locally with tainted new files in root module, but the build also succeeded, so my theory went out the window. I also logged the files in GitHub Action runner’s $pwd, yet it seems there’s no cluttering new files, only .git dir whose hash might differ from .git on my own local machine.

Now I’m lost and really not sure what to look for. Can anyone help or shine some light on this? Thanks!