feat(tvix): run crate2nix generate in CI

This runs `crate2nix generate` in CI and then runs `depotfmt` on the
result to ensure that our machine-generated code is really, really
readable and pretty.  Then it checks that the result of all that
is identical to the committed Cargo.nix.

A self-hashing FOD is used to allow network access.

No magic hashes are involved.

Co-Authored-By: Florian Klink <flokli@flokli.de>
Change-Id: I68ec5003dbc6a40894a5a4d6e902f138c99f6719
Reviewed-on: https://cl.tvl.fyi/c/depot/+/10194
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: Adam Joseph <adam@westernsemico.com>
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
Adam Joseph 2023-12-07 03:49:07 -08:00 committed by clbot
parent 23dae8ebc5
commit 0e2633048e


@ -89,17 +89,68 @@ let
# The cleaned sources. # The cleaned sources.
src = depot.third_party.gitignoreSource ./.; src = depot.third_party.gitignoreSource ./.;
in
{
inherit crates;
# Run crate2nix generate in the current working directory, then # Run crate2nix generate in the current working directory, then
# format the generated file with depotfmt. # format the generated file with depotfmt.
crate2nixGenerate = pkgs.writeShellScriptBin "crate2nix-generate" '' crate2nix-generate = pkgs.writeShellScriptBin "crate2nix-generate" ''
${pkgs.crate2nix}/bin/crate2nix generate --all-features ${pkgs.crate2nix}/bin/crate2nix generate --all-features
${depot.tools.depotfmt}/bin/depotfmt Cargo.nix ${depot.tools.depotfmt}/bin/depotfmt Cargo.nix
''; '';
in
{
inherit crates crate2nix-generate;
# Run crate2nix generate, ensure the output doesn't differ afterwards
# (and doesn't fail).
#
# Currently this re-downloads every crate every time
# crate2nix-check (but not crate2nix) is built.
# TODO(amjoseph): be less wasteful with bandwidth.
#
crate2nix-check =
let
outputHashAlgo = "sha256";
in
pkgs.stdenv.mkDerivation {
inherit src;
# Important: we include the hash of the Cargo.lock file and
# Cargo.nix file in the derivation name. This forces the FOD
# to be rebuilt/reverified whenever either of them changes.
name = "tvix-crate2nix-check-" +
(builtins.substring 0 8 (builtins.hashFile "sha256" ./Cargo.lock)) +
"-" +
(builtins.substring 0 8 (builtins.hashFile "sha256" ./Cargo.nix));
nativeBuildInputs = with pkgs; [ git cacert cargo ];
buildPhase = ''
export CARGO_HOME=$(mktemp -d)
# The following command can be omitted, in which case
# crate2nix-generate will run it automatically, but won't show the
# output, which makes it look like the build is somehow "stuck" for a
# minute or two.
cargo metadata > /dev/null
# running this command counteracts depotfmt brokenness
git init
${crate2nix-generate}/bin/crate2nix-generate
# technically unnecessary, but provides more-helpful output in case of error
diff -ur Cargo.nix ${src}/Cargo.nix
# the FOD hash will check that the (re-)generated Cargo.nix matches the committed Cargo.nix
cp Cargo.nix $out
'';
# This is an FOD in order to allow `cargo` to perform network access.
outputHashMode = "flat";
inherit outputHashAlgo;
outputHash = builtins.hashFile outputHashAlgo ./Cargo.nix;
env.SSL_CERT_FILE = "${pkgs.cacert.out}/etc/ssl/certs/ca-bundle.crt";
};
# Provide the Tvix logo in both .webp and .png format. # Provide the Tvix logo in both .webp and .png format.
logo = pkgs.runCommand "logo" logo = pkgs.runCommand "logo"
{ {
@ -167,6 +218,7 @@ in
meta.ci.targets = [ meta.ci.targets = [
"clippy" "clippy"
"crate2nix-check"
"shell" "shell"
"rust-docs" "rust-docs"
]; ];
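Review bot: The cache-busting `name` of `crate2nix-check` covers only `./Cargo.lock` and `./Cargo.nix`, so a change that should alter the generated file without touching either of them (a feature edit in a member `Cargo.toml`, or a bump of `pkgs.crate2nix` or `depotfmt`) leaves both the name and `outputHash` unchanged. Because a fixed-output derivation's store path is determined by its name and output hash, the check can then be satisfied from the local store or a binary cache without re-running, and a stale Cargo.nix passes CI. Consider folding the remaining inputs into the name, for example a third component such as `(builtins.substring 0 8 (builtins.hashString "sha256" "${src}${crate2nix-generate}"))` (untested sketch), accepting that the check then re-runs on every source change. Separately, `cargo metadata > /dev/null` runs with network access and without `--locked`, so an out-of-sync Cargo.lock could be re-resolved against the live registry rather than failing outright; `cargo metadata --locked > /dev/null` keeps resolution pinned to the committed lockfile. The enclosing `let … in { … }` starts before and continues past the hunk, so this is judged from the visible lines only.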