diff --git a/.github/actions/pushdiff/action.yml b/.github/actions/pushdiff/action.yml
new file mode 100644
index 000000000..56ab93e34
--- /dev/null
+++ b/.github/actions/pushdiff/action.yml
@@ -0,0 +1,48 @@
+name: pushdiff
+description: Check for diff and push on renovate branches
+
+inputs:
+ error:
+ description: "Error message to print"
+ required: true
+ suggested-fix:
+ description: "Suggestion printed in addition to diff"
+ required: true
+ renovate-commit-msg:
+ description: "Commit message for changes on renovate branches"
+ required: true
+
+runs:
+ using: "composite"
+ steps:
+ - name: Check diff
+ id: check-diff
+ shell: bash
+ run: |
+ diff=$(git diff)
+ if [[ -z "$diff" ]]; then
+ echo "No diff detected."
+ exit 0
+ fi
+
+ cat << EOF >> "${GITHUB_STEP_SUMMARY}"
+ ${{ inputs.suggested-fix}}
+ \`\`\`diff
+ ${diff}
+ \`\`\`
+ EOF
+
+ echo "::error::${{ inputs.error }}"
+ exit 1
+ - name: Push changes
+ if: |
+ failure() &&
+ (steps.check-diff.conclusion == 'failure') &&
+ startsWith(github.head_ref, 'renovate/') &&
+ (!github.event.pull_request.head.repo.fork)
+ shell: bash
+ run: |
+ git config --global user.name "edgelessci"
+ git config --global user.email "edgelessci@users.noreply.github.com"
+ git commit -am "${{ inputs.renovate-commit-msg }}"
+ git push
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
index f736e600f..5ffc5f8ed 100644
--- a/.github/workflows/static.yml
+++ b/.github/workflows/static.yml
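Review bot: Both `run:` scripts splice action inputs straight into the shell text — `${{ inputs.suggested-fix}}` inside the heredoc, `${{ inputs.error }}` in the `echo "::error::…"`, and `${{ inputs.renovate-commit-msg }}` inside the `git commit -am "…"` quotes — so a quote, `$(…)` or backtick in an input becomes shell syntax; the only caller in this commit (static.yml) passes literals, but a reusable composite action should hand inputs over via `env:` and expand them at run time as `"${SUGGESTED_FIX}"`, `"${ERROR_MSG}"` and `"${COMMIT_MSG}"` (the caller's `suggested-fix` then no longer needs its backslash-escaped backticks, since the heredoc does not reprocess an expanded variable). Separately, the final `git push` has no refspec, and the go-source job in static.yml checks out without `ref:`, so on a `pull_request` run HEAD is presumably the detached merge commit and the push fails; adding `ref: ${{ github.head_ref }}` to that Checkout step gives the push a branch to land on. Note also that `git diff` and `commit -am` only see tracked files, so a generator that creates a new file passes the check silently; `git status --porcelain` would surface that case as well.
```yaml
      - name: Check diff
        id: check-diff
        shell: bash
        env:
          SUGGESTED_FIX: ${{ inputs.suggested-fix }}
          ERROR_MSG: ${{ inputs.error }}
        run: |
          # … unchanged: git diff and early exit …
          cat << EOF >> "${GITHUB_STEP_SUMMARY}"
          ${SUGGESTED_FIX}
          \`\`\`diff
          ${diff}
          \`\`\`
          EOF
          echo "::error::${ERROR_MSG}"
          exit 1
      - name: Push changes
        # … unchanged: if: condition …
        shell: bash
        env:
          COMMIT_MSG: ${{ inputs.renovate-commit-msg }}
        run: |
          # … unchanged: git config user.name / user.email …
          git commit -am "${COMMIT_MSG}"
          git push
```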
@@ -8,46 +8,44 @@ on: pull_request: jobs: - check: + flake-check: runs-on: ubuntu-22.04 steps: - name: Checkout uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - - name: Install Nix uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24 with: github_access_token: ${{ secrets.GITHUB_TOKEN }} - - name: nix flake check run: nix -L flake check - generate: + go-source: runs-on: ubuntu-22.04 steps: - name: Checkout uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - - name: Install Nix uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24 with: github_access_token: ${{ secrets.GITHUB_TOKEN }} - - name: Run code generations & tidying run: nix run .#generate - - - name: Check if modifications were made - run: | - diff=$(git diff) - if [[ -z "$diff" ]]; then - echo "Everything is tidy and generated." - exit 0 - fi - cat << EOF >> "${GITHUB_STEP_SUMMARY}" - Run \`nix run .#generate\` to generate and tidy Go code. - \`\`\`diff - ${diff} - \`\`\` - EOF - echo "Module is not tidy, check the GitHub run summary for the diff." - exit 1 + - name: Check for modifications, commit changes on renovate PRs + uses: ./.github/actions/pushdiff + with: + error: Go source needs to be updated, check the GitHub run summary for the diff. + suggested-fix: Run \`nix run .#generate\` to generate and tidy Go code. + renovate-commit-msg: "fixup: update Go source" + + govulncheck: + runs-on: ubuntu-22.04 + steps: + - name: Checkout + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - name: Install Nix + uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24 + with: + github_access_token: ${{ secrets.GITHUB_TOKEN }} + - name: Run govulncheck + run: nix run .#govulncheck -- ./... diff --git a/flake.nix b/flake.nix index 21fa9e2dc..806de036c 100644 --- a/flake.nix +++ b/flake.nix 
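Review bot: Nothing in this hunk grants the `contents: write` permission that the push step inside `./.github/actions/pushdiff` needs; if the workflow's `permissions:` block (outside the hunk) is absent or read-only, the new "Check for modifications, commit changes on renovate PRs" step will detect the diff but the push will be rejected, so a job-level `permissions: contents: write` on go-source would make the requirement explicit. A comment next to that step would also save the next reader a surprise: a commit pushed with `GITHUB_TOKEN` does not start new workflow runs, so the fixup commit leaves the Renovate PR without a fresh check until something else retriggers it, e.g. `# pushes made with GITHUB_TOKEN do not retrigger CI; re-run checks after a fixup`. As a matter of style, flake-check, go-source and govulncheck now repeat the identical Checkout and Install Nix pair; a small setup action in the same `.github/actions` directory would keep the pinned SHAs in one place.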
@@ -23,12 +23,12 @@ pkgs = import nixpkgs { inherit system; }; inherit (pkgs) lib; - goVendorHash = "sha256-7ibre61H0pz+2o3DtisSEXNirlX9DE9XUBe+gUI8+kg="; + version = "0.0.0-devel"; treefmtEval = treefmt-nix.lib.evalModule pkgs ./treefmt.nix; in { - packages = import ./packages { inherit pkgs goVendorHash; }; + packages = import ./packages { inherit pkgs version; }; devShells.default = pkgs.mkShell { packages = with pkgs; [ just ]; diff --git a/packages/default.nix b/packages/default.nix index 9a3c2b60a..c5671ea23 100644 --- a/packages/default.nix +++ b/packages/default.nix @@ -1,5 +1,5 @@ { pkgs -, goVendorHash +, version }: with pkgs; @@ -16,6 +16,7 @@ let # Builder function for Go packages of our local module. buildGoSubPackage = subpackage: attrs: callPackage ({ buildGoModule }: buildGoModule ({ + inherit version; name = subpackage; src = lib.fileset.toSource { root = ../.; @@ -25,7 +26,7 @@ let CGO_ENABLED = 0; ldflags = [ "-s" "-w" "-buildid=" ]; proxyVendor = true; - vendorHash = goVendorHash; + vendorHash = "sha256-7ibre61H0pz+2o3DtisSEXNirlX9DE9XUBe+gUI8+kg="; checkPhase = '' runHook preCheck @@ -99,14 +100,31 @@ rec { generate = writeShellApplication { name = "generate"; - runtimeInputs = [ go protobuf protoc-gen-go protoc-gen-go-grpc ]; + runtimeInputs = [ + go + protobuf + protoc-gen-go + protoc-gen-go-grpc + nix-update + ]; text = '' - go generate ./... go mod tidy + go generate ./... + + # All binaries of the local Go module share the same builder, + # we only need to update one of them to update the vendorHash + # of the builder. + nix-update --version=skip --flake cli ''; }; genpolicy = genpolicy-msft; genpolicy-msft = callPackage ./genpolicy_msft.nix { }; genpolicy-kata = callPackage ./genpolicy_kata.nix { }; + + govulncheck = writeShellApplication { + name = "govulncheck"; + runtimeInputs = [ go pkgs.govulncheck ]; + text = ''govulncheck "$@"''; + }; }
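Review bot: `runtimeInputs = [ go pkgs.govulncheck ];` in the last packages/default.nix hunk mixes a bare name with a qualified one for a reason the code does not state: inside this `rec { … }` the bare `govulncheck` would resolve to the attribute being defined, so the qualification is required; a comment such as `# pkgs.govulncheck: the bare name would be this rec attribute` would keep a later cleanup from "simplifying" it into infinite recursion. In `generate`, `nix-update --version=skip --flake cli` hard-codes the `cli` attribute; the preceding comment explains why one package suffices but not that `cli` must stay a `buildGoSubPackage` derivation, which is worth one more line there. Because `generate` now runs on Renovate branches and its output is pushed back by the pushdiff action, the `vendorHash` moved into `buildGoSubPackage` in the earlier hunk will be recomputed and committed by CI for those PRs, so it no longer acts as an independently reviewed pin there; reviewers of such PRs should confirm the pushed hash change accompanies only the expected go.mod/go.sum change.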