feat(nix-actions): Initial version

2024-11-11 16:29:36 +01:00 · 2024-11-11 16:29:36 +01:00 · 15833ec9d7
commit 15833ec9d7
parent 882c844a7e
8 changed files with 305 additions and 0 deletions
--- a/.envrc
+++ b/.envrc
@ -0,0 +1 @@
+use nix
--- a/.gitignore
+++ b/.gitignore
@ -3,3 +3,5 @@
 result
 result-*

+.direnv
+.pre-commit-config.yaml
--- a/default.nix
+++ b/default.nix
@ -0,0 +1,58 @@
+{
+  sources ? import ./npins,
+  pkgs ? import sources.nixpkgs { },
+}:
+
+let
+  inherit (pkgs) lib mkShell;
+
+  git-checks = (import sources.git-hooks).run {
+    src = ./.;
+
+    hooks = {
+      statix = {
+        enable = true;
+        stages = [ "pre-push" ];
+        settings.ignore = [ "npins" ];
+      };
+
+      deadnix = {
+        enable = true;
+        stages = [ "pre-push" ];
+      };
+
+      nixfmt-rfc-style = {
+        enable = true;
+        stages = [ "pre-push" ];
+      };
+
+      commitizen.enable = true;
+    };
+  };
+in
+
+{
+  devShell = mkShell {
+    name = "nix-actions.dev";
+
+    inherit (git-checks) shellHook;
+  };
+
+  install =
+    config:
+    let
+      project = lib.evalModules {
+        modules = [
+          ./modules
+          {
+            config = config // {
+              _module.args.pkgs = pkgs;
+            };
+          }
+        ];
+      };
+    in
+    {
+      shellHook = project.config.installationScript;
+    };
+}
--- a/modules/default.nix
+++ b/modules/default.nix
@ -0,0 +1,5 @@
+{
+  imports = [
+    ./workflows.nix
+  ];
+}
--- a/modules/workflows.nix
+++ b/modules/workflows.nix
@ -0,0 +1,136 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  inherit (lib)
+    attrNames
+    concatMapStringsSep
+    concatStringsSep
+    getExe
+    getExe'
+    mapAttrsToList
+    mkOption
+    optionalString
+    ;
+
+  inherit (lib.types)
+    attrsOf
+    bool
+    enum
+    str
+    ;
+
+  cfg = config;
+
+  generate =
+    name: value:
+    pkgs.callPackage (
+      {
+        runCommand,
+        remarshal,
+        action-validator,
+      }:
+      runCommand "${name}.yaml"
+        {
+          nativeBuildInputs = [
+            action-validator
+            remarshal
+          ];
+
+          value = builtins.toJSON value;
+          passAsFile = [ "value" ];
+          preferLocalBuild = true;
+        }
+        ''
+          json2yaml "$valuePath" "$out"
+
+          # Check that the workflow is valid
+          action-validator "$out"
+        ''
+    ) { };
+
+  install =
+    name: value:
+    let
+      result = generate name value;
+      path = ".${cfg.platform}/workflows/${name}.yaml";
+    in
+    ''
+      if [ ! -f "$GIT_WC/${path}" ] || ! ${getExe' pkgs.diffutils "cmp"} -s "$GIT_WC/${path}" ${result} ; then
+        # Copy the updated workflow definition
+        cp --no-preserve=mode,ownership ${result} "$GIT_WC/${path}" && echo "nix-actions: Updated ${name}.yaml"
+      fi
+    '';
+in
+
+{
+  options = {
+    platform = mkOption {
+      type = enum [
+        "forgejo"
+        "gitea"
+        "github"
+      ];
+      default = "forgejo";
+      description = ''
+        The platform where the workflows will run.
+        This will induce the directory in which the yaml files are installed.
+      '';
+    };
+
+    workflows = mkOption {
+      type = attrsOf (pkgs.formats.yaml { }).type;
+      description = ''
+        Set of workflows to install.
+      '';
+    };
+
+    installationScript = mkOption {
+      type = str;
+      description = ''
+        A bash snippet that installs the workflows files in the current project.
+      '';
+      readOnly = true;
+    };
+
+    removeUnknown = mkOption {
+      type = bool;
+      default = true;
+      description = ''
+        Whether to remove unknown workflow files.
+      '';
+    };
+  };
+
+  config = {
+    installationScript = ''
+      if ! type -t git >/dev/null; then
+        # This happens in pure shells, including lorri
+        echo 1>&2 "WARNING: nix-actions: git command not found; skipping installation."
+      elif ! git rev-parse --git-dir &> /dev/null; then
+        echo 1>&2 "WARNING: nix-actions: .git not found; skipping installation."
+      else
+        GIT_WC=`git rev-parse --show-toplevel`
+
+        # Ensure that the directory exists
+        mkdir -p "$GIT_WC/.${cfg.platform}/workflows"
+
+        # Install the workflow files
+        ${concatStringsSep "\n" (mapAttrsToList install cfg.workflows)}
+
+        ${optionalString cfg.removeUnknown ''
+          # Remove unknown workflow files
+          for file in $(ls "$GIT_WC/.${cfg.platform}/workflows" | ${getExe pkgs.gnugrep} -v '\(${
+            concatMapStringsSep "|" (name: "${name}.yaml") (attrNames cfg.workflows)
+          }\)'); do
+            rm "$GIT_WC/.${cfg.platform}/workflows/$file" && echo "nix-actions: Removed $file"
+          done
+        ''}
+      fi
+    '';
+  };
+}
--- a/npins/default.nix
+++ b/npins/default.nix
@ -0,0 +1,79 @@
+# Generated by npins. Do not modify; will be overwritten regularly
+let
+  data = builtins.fromJSON (builtins.readFile ./sources.json);
+  version = data.version;
+
+  mkSource =
+    spec:
+    assert spec ? type;
+    let
+      path =
+        if spec.type == "Git" then
+          mkGitSource spec
+        else if spec.type == "GitRelease" then
+          mkGitSource spec
+        else if spec.type == "PyPi" then
+          mkPyPiSource spec
+        else if spec.type == "Channel" then
+          mkChannelSource spec
+        else
+          builtins.throw "Unknown source type ${spec.type}";
+    in
+    spec // { outPath = path; };
+
+  mkGitSource =
+    {
+      repository,
+      revision,
+      url ? null,
+      hash,
+      ...
+    }:
+    assert repository ? type;
+    # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
+    # In the latter case, there we will always be an url to the tarball
+    if url != null then
+      (builtins.fetchTarball {
+        inherit url;
+        sha256 = hash; # FIXME: check nix version & use SRI hashes
+      })
+    else
+      assert repository.type == "Git";
+      let
+        urlToName =
+          url: rev:
+          let
+            matched = builtins.match "^.*/([^/]*)(\\.git)?$" repository.url;
+
+            short = builtins.substring 0 7 rev;
+
+            appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
+          in
+          "${if matched == null then "source" else builtins.head matched}${appendShort}";
+        name = urlToName repository.url revision;
+      in
+      builtins.fetchGit {
+        url = repository.url;
+        rev = revision;
+        inherit name;
+        # hash = hash;
+      };
+
+  mkPyPiSource =
+    { url, hash, ... }:
+    builtins.fetchurl {
+      inherit url;
+      sha256 = hash;
+    };
+
+  mkChannelSource =
+    { url, hash, ... }:
+    builtins.fetchTarball {
+      inherit url;
+      sha256 = hash;
+    };
+in
+if version == 3 then
+  builtins.mapAttrs (_: mkSource) data.pins
+else
+  throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
--- a/npins/sources.json
+++ b/npins/sources.json
@ -0,0 +1,23 @@
+{
+  "pins": {
+    "git-hooks": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "cachix",
+        "repo": "git-hooks.nix"
+      },
+      "branch": "master",
+      "revision": "d70155fdc00df4628446352fc58adc640cd705c2",
+      "url": "https://github.com/cachix/git-hooks.nix/archive/d70155fdc00df4628446352fc58adc640cd705c2.tar.gz",
+      "hash": "1s4w7bnign9lfzm8bm9j0zkvqfh5f1x671jp4g61psq42v5cfqvx"
+    },
+    "nixpkgs": {
+      "type": "Channel",
+      "name": "nixpkgs-unstable",
+      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre704822.85f7e662eda4/nixexprs.tar.xz",
+      "hash": "0dqlz0xqd3nn49hnx943y5sfqd7nmj25s6gi1pjm907j3vbgg47k"
+    }
+  },
+  "version": 3
+}
--- a/shell.nix
+++ b/shell.nix
@ -0,0 +1 @@
+(import ./. { }).devShell