From 20cc230dc0dfcb5acd11c8bdc30e37524925dedc Mon Sep 17 00:00:00 2001
From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Date: Thu, 4 Jan 2024 17:48:40 +0100
Subject: [PATCH 1/4] ci: refactor pushdiff into action
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
---
 .github/actions/pushdiff/action.yml | 48 +++++++++++++++++++++++++++++
 .github/workflows/static.yml | 30 +++++-------------
 2 files changed, 56 insertions(+), 22 deletions(-)
 create mode 100644 .github/actions/pushdiff/action.yml
diff --git a/.github/actions/pushdiff/action.yml b/.github/actions/pushdiff/action.yml
new file mode 100644
index 000000000..56ab93e34
--- /dev/null
+++ b/.github/actions/pushdiff/action.yml
@@ -0,0 +1,48 @@
+name: pushdiff
+description: Check for diff and push on renovate branches
+
+inputs:
+ error:
+ description: "Error message to print"
+ required: true
+ suggested-fix:
+ description: "Suggestion printed in addition to diff"
+ required: true
+ renovate-commit-msg:
+ description: "Commit message for changes on renovate branches"
+ required: true
+
+runs:
+ using: "composite"
+ steps:
+ - name: Check diff
+ id: check-diff
+ shell: bash
+ run: |
+ diff=$(git diff)
+ if [[ -z "$diff" ]]; then
+ echo "No diff detected."
+ exit 0
+ fi
+
+ cat << EOF >> "${GITHUB_STEP_SUMMARY}"
+ ${{ inputs.suggested-fix}}
+ \`\`\`diff
+ ${diff}
+ \`\`\`
+ EOF
+
+ echo "::error::${{ inputs.error }}"
+ exit 1
+ - name: Push changes
+ if: |
+ failure() &&
+ (steps.check-diff.conclusion == 'failure') &&
+ startsWith(github.head_ref, 'renovate/') &&
+ (!github.event.pull_request.head.repo.fork)
+ shell: bash
+ run: |
+ git config --global user.name "edgelessci"
+ git config --global user.email "edgelessci@users.noreply.github.com"
+ git commit -am "${{ inputs.renovate-commit-msg }}"
+ git push
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
index f736e600f..e3c3e7af9 100644
--- a/.github/workflows/static.yml
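Review bot: Both `run:` scripts splice caller input straight into bash through `${{ inputs.suggested-fix}}`, `${{ inputs.error }}` and `${{ inputs.renovate-commit-msg }}`, so an input containing a double quote, a backtick or `$(…)` is evaluated rather than printed; the one caller in this series passes literals, but the action itself gives no such guarantee. Passing each input through `env:` and expanding it as a quoted shell variable removes that, and also stops the unquoted heredoc from re-interpreting escapes such as `\`` in the suggestion text (callers then pass plain backticks). Separately, `git diff` and `git commit -am` both ignore untracked files, so a generator that creates a new file passes the check and is never pushed; staging with `git add -A` and diffing the index closes that gap. The rewritten steps follow; the `if:` condition on the push step is unchanged.
```yaml
  - name: Check diff
    id: check-diff
    shell: bash
    env:
      SUGGESTED_FIX: ${{ inputs.suggested-fix }}
      ERROR_MSG: ${{ inputs.error }}
    run: |
      git add -A
      diff=$(git diff --cached)
      if [[ -z "$diff" ]]; then
        echo "No diff detected."
        exit 0
      fi

      cat << EOF >> "${GITHUB_STEP_SUMMARY}"
      ${SUGGESTED_FIX}
      \`\`\`diff
      ${diff}
      \`\`\`
      EOF

      echo "::error::${ERROR_MSG}"
      exit 1
  - name: Push changes
    # … unchanged: if: condition …
    shell: bash
    env:
      COMMIT_MSG: ${{ inputs.renovate-commit-msg }}
    run: |
      git config --global user.name "edgelessci"
      git config --global user.email "edgelessci@users.noreply.github.com"
      git commit -m "${COMMIT_MSG}"
      git push
```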
+++ b/.github/workflows/static.yml
@@ -8,46 +8,32 @@ on: pull_request: jobs: - check: + flake-check: runs-on: ubuntu-22.04 steps: - name: Checkout uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - - name: Install Nix uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24 with: github_access_token: ${{ secrets.GITHUB_TOKEN }} - - name: nix flake check run: nix -L flake check - generate: + go-source: runs-on: ubuntu-22.04 steps: - name: Checkout uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - - name: Install Nix uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24 with: github_access_token: ${{ secrets.GITHUB_TOKEN }} - - name: Run code generations & tidying run: nix run .#generate - - - name: Check if modifications were made - run: | - diff=$(git diff) - if [[ -z "$diff" ]]; then - echo "Everything is tidy and generated." - exit 0 - fi - cat << EOF >> "${GITHUB_STEP_SUMMARY}" - Run \`nix run .#generate\` to generate and tidy Go code. - \`\`\`diff - ${diff} - \`\`\` - EOF - echo "Module is not tidy, check the GitHub run summary for the diff." - exit 1 + - name: Check for modifications, commit changes on renovate PRs + uses: ./.github/actions/pushdiff + with: + error: Go source needs to be updated, check the GitHub run summary for the diff. + suggested-fix: Run \`nix run .#generate\` to generate and tidy Go code. + renovate-commit-msg: "fixup: update Go source"
From 7120660ac7a3731a8156711db796cdf139481024 Mon Sep 17 00:00:00 2001
From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Date: Thu, 4 Jan 2024 17:49:27 +0100
Subject: [PATCH 2/4] ci: add govulncheck
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
---
 .github/workflows/static.yml | 12 ++++++++++++
 packages/default.nix | 6 ++++++
 2 files changed, 18 insertions(+)
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
index e3c3e7af9..5ffc5f8ed 100644
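Review bot: The new `suggested-fix` value keeps the `\`` escapes that belonged to the deleted inline heredoc, so it renders correctly only because the action interpolates it unquoted into bash; should the action ever pass inputs through `env:`, the backslashes print literally in the run summary. Write it as a plain scalar, `suggested-fix: "Run `nix run .#generate` to generate and tidy Go code."`, and leave quoting to the action. The `go-source` job now pushes to renovate branches through the action, which needs `contents: write` on the job token; the workflow's `permissions:` block, if it has one, sits above this hunk and is worth checking so that `flake-check` does not inherit write scope it never uses.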
--- a/.github/workflows/static.yml
+++ b/.github/workflows/static.yml
@@ -37,3 +37,15 @@ jobs:
 error: Go source needs to be updated, check the GitHub run summary for the diff.
 suggested-fix: Run \`nix run .#generate\` to generate and tidy Go code.
 renovate-commit-msg: "fixup: update Go source"
+
+ govulncheck:
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ - name: Install Nix
+ uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24
+ with:
+ github_access_token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Run govulncheck
+ run: nix run .#govulncheck -- ./...
diff --git a/packages/default.nix b/packages/default.nix
index 9a3c2b60a..2945dff20 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -109,4 +109,10 @@ rec {
 genpolicy = genpolicy-msft;
 genpolicy-msft = callPackage ./genpolicy_msft.nix { };
 genpolicy-kata = callPackage ./genpolicy_kata.nix { };
+
+ govulncheck = writeShellApplication {
+ name = "govulncheck";
+ runtimeInputs = [ go pkgs.govulncheck ];
+ text = ''govulncheck "$@"'';
+ };
 }
From e0a79abdac78c8d510d1c2e72b2e537115db7caa Mon Sep 17 00:00:00 2001
From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Date: Fri, 5 Jan 2024 10:05:16 +0100
Subject: [PATCH 3/4] nix: move vendorHash into builder
So we can update it using nix-update
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
---
 flake.nix | 4 ++--
 packages/default.nix | 5 +++--
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/flake.nix b/flake.nix
index 21fa9e2dc..806de036c 100644
--- a/flake.nix
+++ b/flake.nix
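Review bot: The `govulncheck` job's verdict depends on the advisory database fetched at run time, not only on the PR's code, so an unrelated PR can start failing the day a new Go advisory is published and `main` can go red with no commit; a comment on the job, `# depends on the live vulnerability DB: a failure may be a new advisory, not this PR`, keeps reviewers from bisecting the wrong thing. The job needs nothing beyond reading the repository, so a job-level `permissions:` with `contents: read` would bound the token it runs with; whether the workflow already sets a top-level `permissions:` is not visible in this hunk.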
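Review bot: Inside this `rec` set the attribute is itself named `govulncheck`, which is why `runtimeInputs` has to spell `pkgs.govulncheck` while `go` stays bare; a reader will otherwise take the asymmetry for a typo and "fix" it into a self-reference that evaluates to infinite recursion. A one-line comment on the `runtimeInputs` line, `# pkgs.govulncheck: the bare name would refer to this attribute (rec), not to nixpkgs`, prevents that.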
@@ -23,12 +23,12 @@ pkgs = import nixpkgs { inherit system; }; inherit (pkgs) lib;
- goVendorHash = "sha256-7ibre61H0pz+2o3DtisSEXNirlX9DE9XUBe+gUI8+kg=";
+ version = "0.0.0-devel";
 treefmtEval = treefmt-nix.lib.evalModule pkgs ./treefmt.nix; in {
- packages = import ./packages { inherit pkgs goVendorHash; };
+ packages = import ./packages { inherit pkgs version; };
 devShells.default = pkgs.mkShell { packages = with pkgs; [ just ];
diff --git a/packages/default.nix b/packages/default.nix
index 2945dff20..0144b6b9b 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -1,5 +1,5 @@
 { pkgs
-, goVendorHash
+, version
 }: with pkgs;
@@ -16,6 +16,7 @@ let # Builder function for Go packages of our local module. buildGoSubPackage = subpackage: attrs: callPackage ({ buildGoModule }: buildGoModule ({
+ inherit version;
 name = subpackage; src = lib.fileset.toSource { root = ../.;
@@ -25,7 +26,7 @@ let CGO_ENABLED = 0; ldflags = [ "-s" "-w" "-buildid=" ]; proxyVendor = true;
- vendorHash = goVendorHash;
+ vendorHash = "sha256-7ibre61H0pz+2o3DtisSEXNirlX9DE9XUBe+gUI8+kg=";
 checkPhase = '' runHook preCheck
From c81e9e18986059420faef01ccbe491611b4220a3 Mon Sep 17 00:00:00 2001
From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Date: Fri, 5 Jan 2024 10:17:23 +0100
Subject: [PATCH 4/4] nix: add nix-update to .#generate
This will update the vendor hash if needed.
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
---
 packages/default.nix | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/packages/default.nix b/packages/default.nix
index 0144b6b9b..c5671ea23 100644
--- a/packages/default.nix
+++ b/packages/default.nix
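Review bot: The vendor hash is now a bare literal inside `buildGoSubPackage` with nothing saying how it is kept current, so the next person who sees a hash mismatch after a go.mod change will not know whether to edit it by hand. A one-line comment above it, `# kept current by nix-update via the generate script; do not edit by hand`, names the tool this series introduces for exactly that. `buildGoSubPackage` and the enclosing `let` start before this hunk and continue after it.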
@@ -100,10 +100,21 @@ rec { generate = writeShellApplication { name = "generate";
- runtimeInputs = [ go protobuf protoc-gen-go protoc-gen-go-grpc ];
+ runtimeInputs = [
+ go
+ protobuf
+ protoc-gen-go
+ protoc-gen-go-grpc
+ nix-update
+ ];
 text = ''
- go generate ./...
 go mod tidy
+ go generate ./...
+
+ # All binaries of the local Go module share the same builder,
+ # we only need to update one of them to update the vendorHash
+ # of the builder.
+ nix-update --version=skip --flake cli
 ''; };
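Review bot: Swapping the two Go steps puts `go mod tidy` before `go generate ./...`, so if generation ever changes the set of imports the script leaves go.mod and go.sum stale and only the later pushdiff check notices; if tidy has to run first so the generators resolve, keep it there and add a second `go mod tidy` after `go generate ./...` and before `nix-update`, which then hashes the tidied module. The comment on `nix-update` says why `cli` alone is enough but not that `--version=skip` is what keeps it from touching `version`, nor that the value it rewrites is the `vendorHash` this series moved into the same file; one more line, `# --version=skip: only refresh vendorHash in packages/default.nix`, saves the next reader a lookup. The `generate` attribute is cut by the hunk on both sides.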