feat(colmena): Apply deployment protection from Jade Lovelace

default.nix

@@ -74,10 +74,12 @@ in
           with pkgs;
           [
             npins
-            colmena
             nixos-generators
           ]
-          ++ (builtins.map (p: callPackage p { }) [ (sources.disko + "/package.nix") ])
+          ++ (builtins.map (p: callPackage p { }) [
+            (sources.disko + "/package.nix")
+            ./lib/colmena
+          ])
         )
         ++ (import ./scripts { inherit pkgs; });
 

lib/colmena/default.nix

@@ -0,0 +1,11 @@
+# Copyright: Jade Lovelace <lix@jade.fyi> 2024
+
+{ colmena, runCommandNoCC }:
+runCommandNoCC "colmena-wrapper" { env.colmena = "${colmena}/bin/colmena"; } ''
+  mkdir -p $out
+  ln -s ${colmena}/share $out/share
+  mkdir $out/bin
+
+  substituteAll ${./wrapper.sh.in} $out/bin/colmena
+  chmod +x $out/bin/colmena
+''

lib/colmena/wrapper.sh.in

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+#
+# Copyright: Jade Lovelace <lix@jade.fyi> 2024
+
+doChecks() {
+	# creates refs in the refs/prefetch/remotes/origin namespace
+	echo "Prefetching repo changes..." >&2
+	git fetch --quiet --prefetch --no-write-fetch-head origin
+
+	diffs=$(git rev-list --left-right --count HEAD...refs/prefetch/remotes/origin/main)
+	only_in_local=$(echo "$diffs" | cut -f1)
+	only_in_main=$(echo "$diffs" | cut -f2)
+
+	if [[ $only_in_main -gt 0 && ! -v $FORCE_DEPLOY_DGNUM ]]; then
+		echo >&2
+		echo "Attempting to deploy when main has $only_in_main commits not in your branch!" >&2
+		echo "This will probably revert someone's changes. Consider merging them." >&2
+		echo "If you really mean it, set the environment variable FORCE_DEPLOY_DGNUM" >&2
+		exit 1
+	fi
+
+	if [[ $only_in_local -gt 0 ]]; then
+		echo "You have $only_in_local commits not yet pushed to main. Reminder to push them after :)" >&2
+	fi
+}
+
+if [[ $1 == 'apply' ]]; then
+	doChecks
+fi
+
+exec @colmena@ "$@"