From d4c6f05ed364e3e79660a7410e904ca09c04db92 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Thu, 7 Mar 2024 09:04:16 +0100
Subject: [PATCH] feat(colmena): Apply deployment protection from Jade Lovelace

---
 default.nix | 6 ++++--
 lib/colmena/default.nix | 11 +++++++++++
 lib/colmena/wrapper.sh.in | 31 +++++++++++++++++++++++++++++++
 3 files changed, 46 insertions(+), 2 deletions(-)
 create mode 100644 lib/colmena/default.nix
 create mode 100644 lib/colmena/wrapper.sh.in

diff --git a/default.nix b/default.nix
index 46daed7..1b97910 100644
--- a/default.nix
+++ b/default.nix
@@ -74,10 +74,12 @@ in
 with pkgs; [
 npins
- colmena
 nixos-generators
 ]
- ++ (builtins.map (p: callPackage p { }) [ (sources.disko + "/package.nix") ])
+ ++ (builtins.map (p: callPackage p { }) [
+ (sources.disko + "/package.nix")
+ ./lib/colmena
+ ])
 )
 ++ (import ./scripts { inherit pkgs; });
diff --git a/lib/colmena/default.nix b/lib/colmena/default.nix
new file mode 100644
index 0000000..b5c7f5d
--- /dev/null
+++ b/lib/colmena/default.nix
@@ -0,0 +1,11 @@
+# Copyright: Jade Lovelace 2024
+
+{ colmena, runCommandNoCC }:
+runCommandNoCC "colmena-wrapper" { env.colmena = "${colmena}/bin/colmena"; } ''
+ mkdir -p $out
+ ln -s ${colmena}/share $out/share
+ mkdir $out/bin
+
+ substituteAll ${./wrapper.sh.in} $out/bin/colmena
+ chmod +x $out/bin/colmena
+''
diff --git a/lib/colmena/wrapper.sh.in b/lib/colmena/wrapper.sh.in
new file mode 100644
index 0000000..4c1ba17
--- /dev/null
+++ b/lib/colmena/wrapper.sh.in
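Review bot: The link between `env.colmena` and the `@colmena@` placeholder that `substituteAll` fills in wrapper.sh.in is not stated anywhere in lib/colmena/default.nix; a one-line comment above the `runCommandNoCC` call such as `# env.colmena becomes @colmena@ in wrapper.sh.in via substituteAll` would save the next reader a lookup. `$out` is unquoted throughout the builder script; quoting it (`mkdir -p "$out"`, `mkdir "$out/bin"`) is the usual convention even though store paths contain no whitespace. `runCommandNoCC` appears to be a legacy alias of `runCommand` in current nixpkgs; if that holds for the pinned nixpkgs here, `runCommand` would be the preferred spelling.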
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+#
+# Copyright: Jade Lovelace 2024
+
+doChecks() {
+ # creates refs in the refs/prefetch/remotes/origin namespace
+ echo "Prefetching repo changes..." >&2
+ git fetch --quiet --prefetch --no-write-fetch-head origin
+
+ diffs=$(git rev-list --left-right --count HEAD...refs/prefetch/remotes/origin/main)
+ only_in_local=$(echo "$diffs" | cut -f1)
+ only_in_main=$(echo "$diffs" | cut -f2)
+
+ if [[ $only_in_main -gt 0 && ! -v $FORCE_DEPLOY_DGNUM ]]; then
+ echo >&2
+ echo "Attempting to deploy when main has $only_in_main commits not in your branch!" >&2
+ echo "This will probably revert someone's changes. Consider merging them." >&2
+ echo "If you really mean it, set the environment variable FORCE_DEPLOY_DGNUM" >&2
+ exit 1
+ fi
+
+ if [[ $only_in_local -gt 0 ]]; then
+ echo "You have $only_in_local commits not yet pushed to main. Reminder to push them after :)" >&2
+ fi
+}
+
+if [[ $1 == 'apply' ]]; then
+ doChecks
+fi
+
+exec @colmena@ "$@"
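Review bot: The escape hatch on the `if` line in doChecks does not do what the error message promises: `-v` takes a variable name, but `$FORCE_DEPLOY_DGNUM` expands to its value, so when the variable is set the test looks for a variable whose name is that value, and when it is unset the operand disappears from the expression entirely; the line should read `if [[ $only_in_main -gt 0 && ! -v FORCE_DEPLOY_DGNUM ]]; then`. The guard also fails open: there is no `set -e`/`pipefail`, so if `git fetch` or `git rev-list` fails (offline, no `refs/prefetch/remotes/origin/main` ref, or a git without `--prefetch` support) `diffs` is empty, both counts evaluate as 0 inside `[[ ]]`, and the deploy proceeds unchecked; adding `set -eo pipefail` after the shebang (or `|| exit 1` on those two commands) makes the protection fail closed, while `-u` would need `$1` to become `${1-}` first. The branch name `main` and the prefetch ref namespace are hardcoded; a comment above the `git rev-list` line stating that assumption, or a `MAIN_BRANCH=${MAIN_BRANCH:-main}` variable, would make it visible. Only a literal first argument of `apply` is gated, so `colmena apply-local` or a global option placed before the subcommand skips doChecks; if that is intended, a comment on the `if [[ $1 == 'apply' ]]` line saying so would help.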