diff --git a/ops/besadii/default.nix b/ops/besadii/default.nix
new file mode 100644
index 000000000..fc7b2286c
--- /dev/null
+++ b/ops/besadii/default.nix
@@ -0,0 +1,8 @@
+# This program is used as a git post-update hook to trigger builds on
+# sourcehut.
+{ depot, ... }:
+
+depot.buildGo.program {
+ name = "besadii";
+ srcs = [ ./main.go ];
+}
diff --git a/ops/besadii/main.go b/ops/besadii/main.go
new file mode 100644
index 000000000..e9feadd95
--- /dev/null
+++ b/ops/besadii/main.go
@@ -0,0 +1,119 @@ +// Copyright 2019 Google LLC. +// SPDX-License-Identifier: Apache-2.0 +// +// besadii is a small CLI tool that triggers depot builds on +// builds.sr.ht +// +// It is designed to run as a post-update git hook on the server +// hosting the depot. +package main + +import ( + "bytes" + "encoding/json" + "fmt" + "io/ioutil" + "log" + "net/http" + "os" +) + +// Represents a builds.sr.ht build object as described on +// https://man.sr.ht/builds.sr.ht/api.md +type Build struct { + Manifest string `json:"manifest"` + Note string `json:"note"` + Tags []string `json:"tags"` +} + +// Represents a build trigger object as described on +type Trigger struct { + Action string `json:"action"` + Condition string `json:"condition"` + To string `json:"to"` +} + +// Represents a build manifest for sourcehut. +type Manifest struct { + Image string `json:"image"` + Sources []string `json:"sources"` + Secrets []string `json:"secrets"` + Tasks [](map[string]string) `json:"tasks"` + Triggers []Trigger `json:"triggers"` +} + +func prepareManifest(commit string) string { + m := Manifest{ + Image: "nixos/latest", + Sources: []string{"https://git.camden.tazj.in/"}, + + // secret for cachix/tazjin + Secrets: []string{"f7f02546-4d95-44f7-a98e-d61fdded8b5b"}, + + Tasks: [](map[string]string){ + {"setup": `# sourcehut does not censor secrets in builds, hence this hack: +echo -n 'export CACHIX_SIGNING_KEY=' >> ~/.buildenv +cat ~/.cachix-tazjin >> ~/.buildenv +nix-env -iA third_party.cachix -f git.tazj.in +cachix use tazjin +cd git.tazj.in +git checkout ` + commit}, + + {"build": `cd git.tazj.in +nix-build ci-builds.nix > built-paths`}, + + {"cache": `cd git.tazj.in +cat built-paths | cachix push tazjin`}, + }, + + Triggers: []Trigger{ + Trigger{Action: "email", Condition: "failure", To: "mail@tazj.in"}, + }, + } + + j, _ := json.Marshal(m) + return string(j) +} + +// Trigger a build of a given branch & commit on builds.sr.ht +func triggerBuild(branch, commit string) { + build := 
Build{ + Manifest: prepareManifest(commit), + Note: fmt.Sprintf("Build of 'master' at '%s'", commit), + Tags: []string{ + "depot", branch, + }, + } + + body, _ := json.Marshal(build) + reader := ioutil.NopCloser(bytes.NewReader(body)) + + req, err := http.NewRequest("POST", "https://builds.sr.ht/api/jobs", reader) + if err != nil { + log.Fatalln("[ERROR] failed to create an HTTP request:", err) + } + + req.Header.Add("Authorization", fmt.Sprintf("token %s", os.Getenv("SRHT_TOKEN"))) + req.Header.Add("Content-Type", "application/json") + + resp, err := http.DefaultClient.Do(req) + if err != nil { + // This might indicate a temporary error on the SourceHut side, do + // not fail the whole program. + log.Println("failed to send builds.sr.ht request:", err) + return + } + defer resp.Body.Close() + + if resp.StatusCode != 200 { + respBody, err := ioutil.ReadAll(resp.Body) + log.Printf("received non-success response from builds.sr.ht: %s (%v)[%s]", respBody, resp.Status, err) + } else { + log.Println("triggered builds.sr.ht job for commit", commit) + } +} + +func main() { + triggerBuild("master", "c5806a44a728d5a46878f54de7b695321a38559c") +} diff --git a/ops/sync-gcsr/default.nix b/ops/sync-gcsr/default.nix deleted file mode 100644 index ea5d0594a..000000000 --- a/ops/sync-gcsr/default.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ depot, ... }: - -depot.nix.buildGo.program { - name = "sync-gcsr"; - srcs = [ ./main.go ]; - - deps = with depot.third_party; map (p: p.gopkg) [ - gopkgs."gopkg.in".src-d.go-git - ]; - - x_defs = { - "main.BuildManifest" = "${./manifest.yaml}"; - }; -} diff --git a/ops/sync-gcsr/main.go b/ops/sync-gcsr/main.go deleted file mode 100644 index 62c24a92c..000000000 --- a/ops/sync-gcsr/main.go +++ /dev/null 
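Review bot: `prepareManifest` appends `commit` unquoted to the `git checkout` line of the setup task, so whatever string reaches it is interpreted by the shell in a job that has just written the cachix signing key into `~/.buildenv`. `main` passes a hard-coded hash today, but the file header says this is meant to run as a post-update hook, where the value will presumably come from ref data rather than a constant. I would reject anything that is not a full object id before the manifest is built, at the top of `triggerBuild`: `var commitRe = regexp.MustCompile("^[0-9a-f]{40}$")` and `if !commitRe.MatchString(commit) { log.Fatalln("[ERROR] refusing to build non-hash commit:", commit) }`, plus the `regexp` import. A short comment on `prepareManifest` stating that `commit` must already be validated would keep later callers from skipping the check.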
@@ -1,202 +0,0 @@ -// Copyright 2019 Google LLC. -// SPDX-License-Identifier: Apache-2.0 -// -// sync-gcsr implements a small utility that periodically mirrors a -// remote Google Cloud Source Repository to a local file path. -// -// This utility is also responsible for triggering depot builds on -// builds.sr.ht if a change is detected on the master branch. -package main - -import ( - "encoding/json" - "fmt" - "io/ioutil" - "log" - "net/http" - "os" - "time" - "bytes" - - git "gopkg.in/src-d/go-git.v4" - "gopkg.in/src-d/go-git.v4/plumbing" - githttp "gopkg.in/src-d/go-git.v4/plumbing/transport/http" -) - -// Path to the build manifest, added by Nix at compile time. -var BuildManifest string - -// Represents a builds.sr.ht build object as described on -// https://man.sr.ht/builds.sr.ht/api.md -type Build struct { - Manifest string `json:"manifest"` - Note string `json:"note"` - Tags []string `json:"tags"` -} - -func EnvOr(key, def string) string { - v := os.Getenv(key) - if v == "" { - return def - } - - return v -} - -// Trigger a build of master on builds.sr.ht -func triggerBuild(commit string) { - manifest, err := ioutil.ReadFile(BuildManifest) - if err != nil { - log.Fatalln("[ERROR] failed to read sr.ht build manifest:", err) - } - - build := Build{ - Manifest: string(manifest), - Note: fmt.Sprintf("Build of 'master' at '%s'", commit), - Tags: []string{ - "depot", "master", - }, - } - - body, _ := json.Marshal(build) - reader := ioutil.NopCloser(bytes.NewReader(body)) - - req, err := http.NewRequest("POST", "https://builds.sr.ht/api/jobs", reader) - if err != nil { - log.Fatalln("[ERROR] failed to create an HTTP request:", err) - } - - req.Header.Add("Authorization", fmt.Sprintf("token %s", os.Getenv("SRHT_TOKEN"))) - req.Header.Add("Content-Type", "application/json") - - resp, err := http.DefaultClient.Do(req) - if err != nil { - // This might indicate a temporary error on the SourceHut side, do - // not fail the whole program. 
- log.Println("failed to send builds.sr.ht request:", err) - return - } - defer resp.Body.Close() - - if resp.StatusCode != 200 { - respBody, err := ioutil.ReadAll(resp.Body) - log.Printf("received non-success response from builds.sr.ht: %s (%v)[%s]", respBody, resp.Status, err) - } else { - log.Println("triggered builds.sr.ht job for commit", commit) - } -} - -// ensure that all remote branches exist locally & are up to date. -func updateBranches(auth *githttp.BasicAuth, repo *git.Repository) error { - origin, err := repo.Remote("origin") - if err != nil { - return err - } - - refs, err := origin.List(&git.ListOptions{ - Auth: auth, - }) - if err != nil { - return err - } - - for _, ref := range refs { - if !ref.Name().IsBranch() || ref.Type() != plumbing.HashReference { - continue - } - - name := plumbing.NewBranchReferenceName(ref.Name().Short()) - - if current, err := repo.Storer.Reference(name); err == nil { - // Determine whether the reference has changed to skip - // unnecessary modifications. - if current.Hash() == ref.Hash() { - continue - } - } - - branch := plumbing.NewHashReference(name, ref.Hash()) - - err := repo.Storer.SetReference(branch) - if err != nil { - return err - } - - if ref.Name().Short() == "master" { - go triggerBuild(ref.Hash().String()) - } - - log.Println("Updated branch", ref.Name().String()) - } - - return nil -} - -func updateRepo(auth *githttp.BasicAuth, repo *git.Repository, opts *git.FetchOptions) error { - err := repo.Fetch(opts) - - if err == git.NoErrAlreadyUpToDate { - // nothing to do ... 
- return nil - } else if err != nil { - return err - } - - log.Println("Fetched updates from remote, updating local branches") - return updateBranches(auth, repo) -} - -func cloneRepo(dest, project, repo string, auth *githttp.BasicAuth) (*git.Repository, error) { - var cloneOpts = git.CloneOptions{ - Auth: auth, - URL: fmt.Sprintf("https://source.developers.google.com/p/%s/r/%s", project, repo), - } - - handle, err := git.PlainClone(dest, true, &cloneOpts) - - if err == git.ErrRepositoryAlreadyExists { - handle, err = git.PlainOpen(dest) - } - - return handle, updateBranches(auth, handle) -} - -func main() { - dest := EnvOr("SYNC_DEST", "/git/depot") - project := EnvOr("SYNC_PROJECT", "tazjins-infrastructure") - repo := EnvOr("SYNC_REPO", "depot") - user := os.Getenv("SYNC_USER") - pass := os.Getenv("SYNC_PASS") - - log.Printf("Syncing repository '%s/%s' to destination '%s'", project, repo, dest) - - var auth *githttp.BasicAuth - if user != "" && pass != "" { - auth = &githttp.BasicAuth{ - Username: user, - Password: pass, - } - log.Println("Enabling basic authentication as user", user) - } - - handle, err := cloneRepo(dest, project, repo, auth) - - if err != nil { - log.Fatalf("Failed to clone repository: %s", err) - } else { - log.Println("Initiating update loop") - } - - fetchOpts := git.FetchOptions{ - Auth: auth, - Force: true, - } - - for { - if err = updateRepo(auth, handle, &fetchOpts); err != nil { - log.Fatalf("Failed to pull updated repository: %s", err) - } - - time.Sleep(10 * time.Second) - } -} diff --git a/ops/sync-gcsr/manifest.yaml b/ops/sync-gcsr/manifest.yaml deleted file mode 100644 index 3016c2ca5..000000000 --- a/ops/sync-gcsr/manifest.yaml +++ /dev/null 
@@ -1,23 +0,0 @@
-image: nixos/latest
-sources:
- - https://git.tazj.in/
-secrets:
- # cachix/tazjin
- - f7f02546-4d95-44f7-a98e-d61fdded8b5b
-tasks:
- - setup: |
- # sourcehut does not censor secrets in builds, hence this hack:
- echo -n 'export CACHIX_SIGNING_KEY=' > cachix-preamble
- cat cachix-preamble ~/.cachix-tazjin >> ~/.buildenv
- nix-env -iA third_party.cachix -f git.tazj.in
- cachix use tazjin
- - build: |
- cd git.tazj.in
- nix-build ci-builds.nix > built-paths
- - cache: |
- cd git.tazj.in
- cat built-paths | cachix push tazjin
-triggers:
- - action: email
- condition: failure
- to: mail@tazj.in