feat(nixpkgs-crate-holes): cc maintainers allowed by a whitelist

Change-Id: Iffbe173a48b466c52669efc70f9b5e5d4a6aff9a Reviewed-on: https://cl.tvl.fyi/c/depot/+/3730 Tested-by: BuildkiteCI Reviewed-by: Alyssa Ross <hi@alyssa.is> Reviewed-by: sterni <sternenseemann@systemli.org>
2021-10-15 20:48:57 +02:00 · 2021-10-15 20:48:57 +02:00 · 9239868daa
commit 9239868daa
parent 795a8de942
2 changed files with 19 additions and 3 deletions
--- a/users/sterni/nixpkgs-crate-holes/default.nix
+++ b/users/sterni/nixpkgs-crate-holes/default.nix
@ -24,6 +24,15 @@ let
    eprintf = depot.tools.eprintf;
  };

+  # list of maintainers we may @mention on GitHub
+  maintainerWhitelist = builtins.attrValues {
+    inherit (lib.maintainers)
+      sternenseemann
+      qyliss
+      jk
+    ;
+  };
+
  # buildRustPackage handling

  /* Predicate by which we identify rust packages we are interested in,
@ -98,9 +107,12 @@ let

  # Report generation and formatting

-  reportFor = { attr, lock, ... }: let
+  reportFor = { attr, lock, maintainers ? [] }: let
    # naïve attribute path to Nix syntax conversion
    strAttr = lib.concatStringsSep "." attr;
+    strMaintainers = lib.concatMapStringsSep " " (m: "@${m.github}") (
+      builtins.filter (x: builtins.elem x maintainerWhitelist) maintainers
+    );
  in
    if lock == null
    then pkgs.emptyFile
@ -113,7 +125,9 @@ let
      ]
      "importas" "out" "out"
      "redirfd" "-w" "1" "$out"
-      bins.jq "-rj" "-f" ./format-audit-result.jq "--arg" "attr" strAttr
+      bins.jq "-rj" "-f" ./format-audit-result.jq
+      "--arg" "attr" strAttr
+      "--arg" "maintainers" strMaintainers
    ];

  # GHMF in issues splits paragraphs on newlines
--- a/users/sterni/nixpkgs-crate-holes/format-audit-result.jq
+++ b/users/sterni/nixpkgs-crate-holes/format-audit-result.jq
@ -53,7 +53,9 @@ else
  ([ "- [ ] "
   , "`", $attr, "`: "
   , (.vulnerabilities.count | tostring)
-   , " vulnerabilities in Cargo.lock\n"
+   , " vulnerabilities in Cargo.lock"
+   , if $maintainers != "" then " (cc " + $maintainers + ")" else "" end
+   , "\n"
   ] + (.vulnerabilities.list | map(format_vulnerability))
  ) | add
 end