refactor(rust-crates-advisory): redo the buildkite report in bash

I've elected to split the check-all-our-lock-files script into two new
scripts: One very simple script which generates the report by invoking
lock-file-report on the fake lock file for //third_party/rust-crates and
all lock files in depot, and one which executes this and adds it as a
buildkite annotation if there are any warnings (which is reported by the
report generating script using a non zero exit code).

The latter script could become the basis for generalizing buildkite
annotations, a slight attempt at making it easily reusable in the future
has been made. So far we expect a report generating script to exit non
zero if a report should be made and to print commonmark to stdout. In
the future we may want to use a JSON format for generating the report,
allowing us to filter it by buildkite target (using the drvmap to
exclude certain reports, potentially).

Change-Id: I1df9e440509d69adff5b8e6304105a45dc62c018
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5260
Reviewed-by: kn <klemens@posteo.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
This commit is contained in:
sterni 2022-02-06 13:07:56 +01:00
parent ffec3c70f4
commit bf18e65719

View file

@ -120,44 +120,43 @@ let
exit $status
'';
check-all-our-lock-files = depot.nix.writeExecline "check-all-our-lock-files" { } [
"backtick"
"-EI"
"report"
[
"foreground"
[
lock-file-report
"//third_party/rust-crates"
our-crates-lock-file
"false"
]
tree-lock-file-report
"."
]
"ifelse"
[
bins.s6-test
"-z"
"$report"
]
[
"exit"
"0"
]
"pipeline"
[
"printf"
"%s"
"$report"
]
"buildkite-agent"
"annotate"
depot-rust-crates-advisory-report = pkgs.writers.writeBash "depot-advisory-report" ''
set -eu
status=0
"${lock-file-report}" "//third_party/rust-crates" "${our-crates-lock-file}" || status=1
"${tree-lock-file-report}" || status=1
exit $status
'';
buildkiteReportStep =
{ command
, context ? null
, style ? "warning"
}:
let
commandName = depot.nix.utils.storePathName (builtins.head command);
in
pkgs.writers.writeBash "buildkite-report-${commandName}" ''
set -uo pipefail
report="$(${lib.escapeShellArgs command})"
if test $? -ne 0; then
printf "%s" "$report" | \
buildkite-agent annotate ${
lib.escapeShellArgs ([
"--style"
"warning"
style
] ++ lib.optionals (context != null) [
"--context"
"check-all-our-lock-files"
];
context
])
}
fi
'';
in
depot.nix.readTree.drvTargets {
@ -167,12 +166,14 @@ depot.nix.readTree.drvTargets {
lock-file-report
;
tree-lock-file-report = tree-lock-file-report // {
meta.ci.extraSteps.run = {
label = "Check all crates used in depot for advisories";
alwaysRun = true;
command = check-all-our-lock-files;
command = buildkiteReportStep {
command = [ depot-rust-crates-advisory-report ];
style = "warning";
};
};
};
}