php.buildComposerProject: warn about outdated vendorHash

pkgs/build-support/php/hooks/composer-install-hook.sh

@@ -26,6 +26,23 @@ composerInstallConfigureHook() {
         exit 1
     fi
 
+    echo "Validating consistency between composer.lock and ${composerRepository}/composer.lock"
+    if ! @diff@ composer.lock "${composerRepository}/composer.lock"; then
+        echo
+        echo "ERROR: vendorHash is out of date"
+        echo
+        echo "composer.lock is not the same in $composerRepository"
+        echo
+        echo "To fix the issue:"
+        echo '1. Set vendorHash to an empty string: `vendorHash = "";`'
+        echo '2. Build the derivation and wait for it to fail with a hash mismatch'
+        echo '3. Copy the "got: sha256-..." value back into the vendorHash field'
+        echo '   You should have: vendorHash = "sha256-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=";'
+        echo
+
+        exit 1
+    fi
+
     chmod +w composer.json composer.lock
 
     echo "Finished composerInstallConfigureHook"

pkgs/build-support/php/hooks/default.nix

@@ -1,9 +1,11 @@
-{ makeSetupHook
+{ lib
+, makeSetupHook
 , jq
 , moreutils
 , makeBinaryWrapper
 , php
 , cacert
+, buildPackages
 }:
 
 {
@@ -18,6 +20,10 @@
     {
       name = "composer-install-hook.sh";
       propagatedBuildInputs = [ jq makeBinaryWrapper moreutils php cacert ];
-      substitutions = { };
+      substitutions = {
+        # Specify the stdenv's `diff` by abspath to ensure that the user's build
+        # inputs do not cause us to find the wrong `diff`.
+        diff = "${lib.getBin buildPackages.diffutils}/bin/diff";
+      };
     } ./composer-install-hook.sh;
 }