github: use libgit2 transport for ref resolution

Use libgit2's high level remote API (git_remote_create_detached,
git_remote_connect, git_remote_ls) instead of manually downloading
and parsing the smart HTTP pkt-line format. This delegates protocol
handling to libgit2 while keeping auth via custom HTTP headers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: domenkozar

src/libfetchers/git-utils.cc

@@ -1541,4 +1541,39 @@ bool isLegalRefName(const std::string & refName)
     return false;
 }
 
+Hash resolveRemoteRef(const std::string & url, const std::string & ref, const Headers & headers)
+{
+    initLibGit2();
+
+    Remote remote;
+    if (git_remote_create_detached(Setter(remote), url.c_str()))
+        throw GitError("creating detached remote for '%s'", url);
+
+    // Convert Headers (vector<pair<string,string>>) to git_strarray
+    std::vector<std::string> headerStrs;
+    for (auto & [name, value] : headers)
+        headerStrs.push_back(name + ": " + value);
+    std::vector<char *> headerPtrs;
+    for (auto & s : headerStrs)
+        headerPtrs.push_back(s.data());
+    git_strarray customHeaders = {headerPtrs.data(), headerPtrs.size()};
+
+    if (git_remote_connect(remote.get(), GIT_DIRECTION_FETCH, nullptr, nullptr, &customHeaders))
+        throw GitError("connecting to remote '%s'", url);
+
+    const git_remote_head ** refs;
+    size_t refCount;
+    if (git_remote_ls(&refs, &refCount, remote.get()))
+        throw GitError("listing remote refs for '%s'", url);
+
+    std::regex refRegex(ref == "HEAD" ? "HEAD" : fmt("refs/(heads|tags)/%s", ref));
+
+    for (size_t i = 0; i < refCount; i++) {
+        if (std::regex_match(refs[i]->name, refRegex))
+            return toHash(refs[i]->oid);
+    }
+
+    throw Error("could not find ref '%s' in remote '%s'", ref, url);
+}
+
 } // namespace nix

src/libfetchers/github.cc

@@ -414,22 +414,11 @@ struct GitHubInputScheme : GitArchiveInputScheme
     RefInfo getRevFromRef(const Settings & settings, nix::Store & store, const Input & input) const override
     {
         auto host = getHost(input);
-        auto url = fmt(
-            host == "github.com" ? "https://api.%s/repos/%s/%s/commits/%s" : "https://%s/api/v3/repos/%s/%s/commits/%s",
-            host,
-            getOwner(input),
-            getRepo(input),
-            *input.getRef());
-
+        auto url = fmt("https://%s/%s/%s.git", host, getOwner(input), getRepo(input));
         Headers headers = makeHeadersWithAuthTokens(settings, host, input);
 
-        auto downloadResult = downloadFile(store, settings, url, "source", headers);
-        auto json = nlohmann::json::parse(
-            store.requireStoreObjectAccessor(downloadResult.storePath)->readFile(CanonPath::root));
-
-        return RefInfo{
-            .rev = Hash::parseAny(std::string{json["sha"]}, HashAlgorithm::SHA1),
-            .treeHash = Hash::parseAny(std::string{json["commit"]["tree"]["sha"]}, HashAlgorithm::SHA1)};
+        auto rev = resolveRemoteRef(url, *input.getRef(), headers);
+        return RefInfo{.rev = rev};
     }
 
     DownloadUrl getDownloadUrl(const Settings & settings, const Input & input) const override

src/libfetchers/include/nix/fetchers/git-utils.hh

@@ -2,6 +2,7 @@
 
 #include "nix/fetchers/filtering-source-accessor.hh"
 #include "nix/util/fs-sink.hh"
+#include "nix/util/types.hh"
 
 namespace nix {
 
@@ -178,4 +179,11 @@ struct Setter
  */
 bool isLegalRefName(const std::string & refName);
 
+/**
+ * Resolve a ref on a remote repository to a commit hash using
+ * libgit2's smart HTTP transport. The ref can be "HEAD" or a branch/tag
+ * name (matched against refs/heads and refs/tags).
+ */
+Hash resolveRemoteRef(const std::string & url, const std::string & ref, const Headers & headers);
+
 } // namespace nix

tests/nixos/github-flakes.nix

@@ -57,24 +57,50 @@ let
 
   private-flake-rev = "9f1dd0df5b54a7dc75b618034482ed42ce34383d";
 
-  private-flake-api = pkgs.runCommand "private-flake" { } ''
-    mkdir -p $out/{commits,tarball}
-
-    # Setup https://docs.github.com/en/rest/commits/commits#get-a-commit
-    echo '{"sha": "${private-flake-rev}", "commit": {"tree": {"sha": "ffffffffffffffffffffffffffffffffffffffff"}}}' > $out/commits/HEAD
+  private-flake-git-refs = pkgs.runCommand "private-flake-git-refs" { } ''
+        mkdir -p $out/info
+        pkt_line() {
+          local content="$1"
+          local len=$(( ''${#content} + 4 ))
+          printf '%04x%s' "$len" "$content"
+        }
+        {
+          pkt_line "# service=git-upload-pack
+    "
+          printf '0000'
+          pkt_line "${private-flake-rev} HEAD
+    "
+          pkt_line "${private-flake-rev} refs/heads/master
+    "
+          printf '0000'
+        } > $out/info/refs
+  '';
 
-    # Setup tarball download via API
+  private-flake-tarball = pkgs.runCommand "private-flake-tarball" { } ''
+    mkdir -p $out/tarball
     dir=private-flake
     mkdir $dir
     echo '{ outputs = {...}: {}; }' > $dir/flake.nix
     tar cfz $out/tarball/${private-flake-rev} $dir --hard-dereference
   '';
 
-  nixpkgs-api = pkgs.runCommand "nixpkgs-flake" { } ''
-    mkdir -p $out/commits
-
-    # Setup https://docs.github.com/en/rest/commits/commits#get-a-commit
-    echo '{"sha": "${nixpkgs.rev}", "commit": {"tree": {"sha": "ffffffffffffffffffffffffffffffffffffffff"}}}' > $out/commits/HEAD
+  nixpkgs-git-refs = pkgs.runCommand "nixpkgs-git-refs" { } ''
+        mkdir -p $out/info
+        pkt_line() {
+          local content="$1"
+          local len=$(( ''${#content} + 4 ))
+          printf '%04x%s' "$len" "$content"
+        }
+        {
+          pkt_line "# service=git-upload-pack
+    "
+          printf '0000'
+          pkt_line "${nixpkgs.rev} HEAD
+    "
+          pkt_line "${nixpkgs.rev} refs/heads/master
+    "
+          printf '0000'
+        } > $out/info/refs
   '';
 
   archive = pkgs.runCommand "nixpkgs-flake" { } ''
@@ -123,25 +149,34 @@ in
           sslServerKey = "${cert}/server.key";
           sslServerCert = "${cert}/server.crt";
           servedDirs = [
-            {
-              urlPath = "/repos/NixOS/nixpkgs";
-              dir = nixpkgs-api;
-            }
             {
               urlPath = "/repos/fancy-enterprise/private-flake";
-              dir = private-flake-api;
+              dir = private-flake-tarball;
             }
           ];
         };
         services.httpd.virtualHosts."github.com" = {
           forceSSL = true;
           sslServerKey = "${cert}/server.key";
           sslServerCert = "${cert}/server.crt";
+          extraConfig = ''
+            <LocationMatch "\.git/info/refs$">
+              ForceType application/x-git-upload-pack-advertisement
+            </LocationMatch>
+          '';
           servedDirs = [
             {
               urlPath = "/NixOS/nixpkgs";
               dir = archive;
             }
+            {
+              urlPath = "/NixOS/nixpkgs.git";
+              dir = nixpkgs-git-refs;
+            }
+            {
+              urlPath = "/fancy-enterprise/private-flake.git";
+              dir = private-flake-git-refs;
+            }
           ];
         };
       };