Commit graph

548 commits

Author SHA1 Message Date
talyz
5b165e7318 fix(nixery): Set correct depot ref when fetching nix-1p
Change-Id: Iffa49a4e8fd38d0762ed1f60bf72b9a050594a3c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6697
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-09-19 11:28:10 +00:00
talyz
02b6b6c564 fix(nixery): Discard string context before parsing with fromJSON
Discard string context in prepare-image.nix before parsing input read
with readFile with fromJSON. Required for compatibility with nix >2.3.

Change-Id: I3830707e80fd19a700551a15f1a96d2841d0b022
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6696
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-09-19 11:28:10 +00:00
talyz
28417afbb4 fix(nixery): Avoid race when the same image is fetched in parallel
Remove a race condition which appears when uploadHashLayer is called
with the same key from multiple threads simultaneously. This can
easily happen when the same image path is requested by multiple
clients at the same time. When it does, a 500 status is returned and
the following error message is logged:

{
  "context": {
    "filePath": "github.com/google/nixery/builder/builder.go",
    "lineNumber": 440,
    "functionName": "github.com/google/nixery/builder.uploadHashLayer"
  },
  "error": "rename /var/lib/nixery/staging/<hash> /var/lib/nixery/layers/<hash>: no such file or directory",
  "eventTime": "...",
  "layer": "<hash>",
  "message": "failed to move layer from staging",
  ...
}

To solve this issue, introduce a mutex keyed on the uploaded hash and
move all layer caching into uploadHashLayer. This could additionally
provide a small performance benefit when an already built image is
requested and NIXERY_PKGS_PATH is set, since symlink layers and config
layers are now also cached.

Change-Id: I50788a7ec7940cb5e5760f244692e361019a9bb7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6695
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-09-19 11:28:10 +00:00
Luke Granger-Brown
f190712b7f chore(gerrit): migrate OWNERS files to code-owners style
Change-Id: Iacc521dfdd4b4a2d5cef3920cf8189bcce35a488
2022-09-19 11:13:28 +00:00
Vincent Ambo
92c53fe982 feat(tvix/tests): check in Nix' language test suite
This adds scaffolding code for running the Nix language test suite.

The majority of eval-okay-* tests should eventually be runnable as-is
by Tvix, however the eval-fail-* tests might not as we intend to have
more useful error messages than upstream Nix.

Change-Id: I4f3227f0889c55e4274b804a3072850fb78dd1bd
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6126
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: grfn <grfn@gws.fyi>
2022-08-24 21:25:41 +00:00
Vincent Ambo
b66b1aee69 chore(tools/cheddar): bump cargo dependencies
Change-Id: I41e26046a67635ec3dba2ac955e31e6ca7451cc6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6120
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-08-22 21:15:01 +00:00
Vincent Ambo
fab5d23f14 feat(tvl.el): add magit-gerrit-push-private
This adds a new function (intentionally bound to a rare key (Q)) in
the push menu which can push a *private* change to Gerrit.

A private change is one that, until submitted, is only visible to its
owner and all explicitly added people (reviewers, CC).

Change-Id: I6ee13dbbad099584475d3efac96e5d9b86efbc26
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6061
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: tazjin <tazjin@tvl.su>
2022-08-13 00:31:26 +00:00
William Carroll
2ec0d36119 test(tools/cheddar): Run unit tests during build
TIL `doCheck` is `naersk`'s mechanism for running unit tests during builds.

Change-Id: Ife8eebacdf211ea52ecd50bb7bcdba326db64fbe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5661
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: wpcarro <wpcarro@gmail.com>
2022-06-30 23:08:03 +00:00
Vincent Ambo
544d72189c chore(nixery): use nix-1p from within the depot
Since the source of nix-1p is checked in under //nix/nix-1p, we should
use it from there if Nixery is being built inside of depot.

Change-Id: Iddd54f7b93b398b2f909db6ee105366a9914a2ac
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5882
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
2022-06-16 15:08:27 +00:00
Vincent Ambo
ac10907913 docs(nixery): dynamically display current nixpkgs commit
People occasionally ask what the current nixpkgs commit is on
nixery.dev (see e.g. https://github.com/tazjin/nixery/issues/153).

With this change, the commit is displayed on nixery.dev if Nixery is
built for the TVL deployment.

Change-Id: I795220214db5a367a126c9b4bd03754e9f144940
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5881
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
2022-06-16 15:08:26 +00:00
Vincent Ambo
7c3ef7083c fix(tools/checks): Minor typo fix
Change-Id: I5cfd6223a3bd0bb4cc650b53af36193185354062
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5859
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-06-07 10:46:15 +00:00
Vincent Ambo
e0c6198d58 feat(tools/checks): Add factored-out Terraform config check
This can be re-used across Terraform environments.

Change-Id: I3d964a17d1cda1aff1df12bd4c0c3ee84b7f7748
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5850
Tested-by: BuildkiteCI
Reviewed-by: asmundo <asmundo@gmail.com>
2022-06-07 09:32:13 +00:00
Vincent Ambo
45458207df fix(tools/releases): Explicitly set release phase in filteredGitPush
Change-Id: I70fe0eb168064795f704baf1a24556365cfdf8c9
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5831
Tested-by: BuildkiteCI
Reviewed-by: ezemtsov <eugene.zemtsov@gmail.com>
2022-06-06 12:02:26 +00:00
Vincent Ambo
c58cc1e690 feat(ops/buildkite): Bootstrap Buildkite Terraform configuration
In order to run this the secrets needs to be sourced, e.g.:

  eval $(age --decrypt -i ~/.ssh/id_ed25519 $(git rev-parse --show-toplevel)/ops/secrets/tf-buildkite.age)

Change-Id: I9f6a02c0dac22f584181635861ddbb06cf849f14
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5838
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <tazjin@tvl.su>
2022-06-06 11:05:12 +00:00
sterni
89f3f0a5dc feat(tools/magrathea): add repl command
`mg repl` is essentially a shortcut for nix repl $(mg path //) which
comes up often enough for me. Launching a repl only really makes sense
in the repository root with how readTree works at the moment, so I think
this is a convenient addition.

Change-Id: I32b695885c2e6eaecdcc656c7249afa504439913
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5822
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-06-01 10:32:01 +00:00
Vincent Ambo
1c6dc510a6 test(tools/hash-password): ensure that script can execute correctly
This tests loading of the argon2 OpenLDAP module. Relates to b/184

Change-Id: I661af4ddc238ad02d082b3a0cede55af5ef13f1b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5750
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-27 23:48:37 +00:00
Vincent Ambo
385591d8bf chore(nixery): Bump Go dependencies
Change-Id: Id6ff48d66368732cba0b8af6e1cbab64b0f2afbf
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5671
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-26 10:05:55 +00:00
Vincent Ambo
85943eeed4 feat(nixery): Automatically mirror subtree to Github
This exports the `:/tools/nixery` subtree to Github automatically
after merges to `canon`.

Due to the way the project was imported this continues the existing
git history in the external repository.

Change-Id: Ie871c14ad5d8f1019f8be86adecbe9b130ffb01a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5667
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-26 08:41:57 +00:00
Vincent Ambo
74c422d0a0 feat(tools/releases): Add release helper for mirroring to Github
This adds an extra step definition which can push the result of
running a josh filter on the repository to Github.

Change-Id: I1f93ae78e1bf452fbd1b21ce943a60acc85c944f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5666
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
2022-05-26 08:41:57 +00:00
Vincent Ambo
e3c26a0083 chore(cheddar): Bump dependencies within bounds
Change-Id: I58a18b41c883c73450fdfafa93a565777710be3b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5663
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
2022-05-25 23:53:09 +00:00
Vincent Ambo
f31edeec1b refactor(nixery): Modernise structure of binaries
Nixery is going to gain a new binary (used for building images without
a registry server); to prepare for this the server binary has moved to
cmd/server and the Nix build logic has been updated to wrap this
binary and set the required environment variables.

Change-Id: I9b4f49f47872ae76430463e2fcb8f68114070f72
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5603
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-23 15:04:56 +00:00
Vincent Ambo
796ff086be refactor(nixery): Extract layering logic into separate package
This will be required for making a standalone, Nixery-style image
builder function usable from Nix.

Change-Id: I5e36348bd4c32d249d56f6628cd046916691319f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5601
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-23 15:04:56 +00:00
William Carroll
fe78a53bc9 fix(tool/depot-deps): rebuildSystem -> rebuild-system
The camelCase variant of `rebuild-system`  doesn't exist, but the
kebab-case version does.

Side note: this `lazy-dispatch` upgrade is pretty cool. TIL `direnv`
supports `watch_file` and `PATH_add`.
Change-Id: Idc9109a9b0de327ddf7b9c6a4368b7bebb551196
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5565
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: wpcarro <wpcarro@gmail.com>
2022-05-10 11:47:27 +00:00
zimbatm
c56a0e2760 chore: simplify the .envrc loading
nix-shell pollutes the environment with all sorts of variables. Let's
just add the tools to the PATH?

This also papers over the various differences in users `use_nix`
implementations by not using it at all.

Change-Id: If4282531fd6b7453b3611fe50217beacadc08bb5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5524
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2022-05-05 17:42:59 +00:00
Vincent Ambo
e812807324 refactor: Replace //bin with //tools/depot-deps
This modifies the envrc configuration to add the result of building
//tools/depot-deps to $PATH, instead of dispatching through the
manually maintained list of symlinks.

While at it, I've cleaned up some stuff from that list that is no
longer actually used.

Change-Id: If345c44da75b23c06b7c7f435be0cb02f99aaac5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5513
Tested-by: BuildkiteCI
Reviewed-by: ezemtsov <eugene.zemtsov@gmail.com>
2022-05-02 23:34:55 +00:00
Vincent Ambo
dd691b1bd3 feat(magrathea): add flag passthru for arguments to nix-build
in some cases, users might want to pass through flags for
nix-build (such as `-j`).

magrathea now accepts these as arguments to `mg build`, as long as
they are separated by `--`.

the arguments passed to `mg build` are parsed into a proper record,
which enables us to show users very clear error messages in case they
forget to use the `--` separator and keeping us future-compatible with
more potential arguments to magrathea itself.

Change-Id: I81f5d9db52779a5cc3b8bbdd975316274fffe5fc
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5507
Tested-by: BuildkiteCI
Reviewed-by: ezemtsov <eugene.zemtsov@gmail.com>
Reviewed-by: asmundo <asmundo@gmail.com>
2022-05-01 20:27:30 +00:00
Vincent Ambo
119462d720 fix(nixery): Avoid impure reading of .git directory
Change-Id: I67405f9c9bd9cc8cb34fafff80e30b2fca53a2b3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5502
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
2022-04-21 17:48:14 +00:00
Vincent Ambo
6716bf018c chore(nixery): Housekeeping for depot compatibility
Cleans up a whole bunch of things I wanted to get out of the door
right away:

* depot internal references to //third_party/nixery have been replaced
  with //tools/nixery
* cleaned up files from Github
* fixed SPDX & Copyright headers
* code formatting and inclusion in //tools/depotfmt checks

Change-Id: Iea79f0fdf3aa04f71741d4f4032f88605ae415bb
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5486
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
2022-04-20 15:31:16 +00:00
Vincent Ambo
70779f4e65 refactor(nixery): Adapt Nix build instructions for readTree
This does not fully change the build structure of Nixery to be
depot-compatible yet, but should allow most targets to be built in
depot CI.

This contains some hacks to work around surface incompatibilities
which we'll clear away later.

Change-Id: I84e7734334abbe299983956f528c0897f49fa8c2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5485
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2022-04-20 14:23:17 +00:00
Vincent Ambo
e459a6cf3b feat(tools/nixery): Absorb Nixery into depot
This absorbs a josh-filtered Nix subtree into depot, at
//tools/nixery.

This subtree was created through `josh-filter ':prefix=tools/nixery'`,
which allows a filter on tools/nixery to yield the same commit hashes
as the original Nixery repository (allowing for history continuity).

Change-Id: Icc1a99bf1248226b91f437b0a90361d36fb0d327
2022-04-20 16:04:17 +02:00
Raphael Borun Das Gupta
3d26ea9e63 docs: change references to repo URL
The Nixery main Git repo has moved
from https://github.com/google/nixery
to https://github.com/tazjin/nixery .

So change it in README and on the https://nixery.dev/ website.
2022-04-20 14:22:09 +02:00
Vincent Ambo
2586abf6c2 chore(cheddar): Bump dependencies
Change-Id: Id8be05cadb4284cca78875c36a886c9ae0aa027d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5476
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2022-04-17 13:16:34 +00:00
Vincent Ambo
ca92903abf chore(cheddar): Bump rouille and other dependencies
This mitigates the chrono & brotli-sys CVE reports for cheddar.

Change-Id: I2f37cd7575e5ea38f4ca3aac71275652c343753d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5353
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-03-08 12:01:05 +00:00
sterni
4c00ca0421 chore(tools): drop depot-nixpkgs-update
This tool has been replaced by niv.

Change-Id: I011059b7d8890d0456b22f066e723584cc1d9a2b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5329
Autosubmit: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2022-02-26 14:45:27 +00:00
Vincent Ambo
2a7f73926a chore(tools): Remove deprecated depot-build tool
This has been superseded by magrathea.

Change-Id: Ief4a3d1b81e51e7a9c9a0112584fa7efc8aca63f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5328
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2022-02-26 14:39:25 +00:00
sterni
01b25ebd8e feat(tools/magrathea): implement run command
This command builds the desired target and runs the executable produced
by it. If a directory is produced, it looks for a single (!) executable
in the bin directory. Dot files are ignored, so wrappers should
generally work. In the future we could provide a flag to select one of
multiple executables.

All arguments following the target are passed to the executable as is.

Examples:

    mg run ops/mq_cli ls
    mg run web/bubblegum:examples

Change-Id: I6490668af68e028520973196d9daa5f1d58969ee
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5277
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2022-02-18 12:06:41 +00:00
sterni
6c4e447587 feat(rust-crates-advisories): check 3p crates together w/ lock files
Instead of the strict check-all-our-crates, generate a fake Cargo.lock
and add it to the report generated by check-all-our-lock-files.
check-all-our-crates was a reimplementation of cargo-audit anyways and
prevented us from updating the advisory db due to its strict
model (failing on any advisory).

Change-Id: I264a7f1a5058a527cbc46d26225352ecd437a22b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5230
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2022-02-13 18:42:44 +00:00
sterni
f7a0d5a3d0 refactor(rust-crates-advisory): split code for buildkite and report
Rename check-all-our-lock-files to tree-lock-file-report and pull out
all the buildkite-specific code which makes the code less awkward.
check-all-our-lock-files is then only executed in extraSteps and runs
tree-lock-file-report on depot, adding it as a warning to the pipeline
if it is non-empty.

Change-Id: If6bd236d90cc680cba0ed4e988f2f28ddb8012d6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5229
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
2022-02-13 18:42:44 +00:00
sterni
de62043a74 refactor(rust-crates-advisory): move report generation into script
This script is somewhat usable by humans (it even has a help screen!)
and can be reused in //users/sterni/nixpkgs-crate-holes. We are using
bash since that allows us to exit with the actual exit code of
cargo-audit - something that's not possible in execline.

Change-Id: I3331ae8222a20e23b8e30dc920ab48af78f0247c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5228
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
2022-02-13 18:42:44 +00:00
sterni
b7be2660c9 fix(magrathea): print [mg] messages to stderr
I want to add a shortcut to build and run e.g. scripts that are depot
targets - for which it would be useful to not have stdout polluted by
magrathea itself.

Change-Id: Ic58fe28eafb4d0715e53beae041bfaa5d1745812
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5276
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
2022-02-13 17:06:58 +00:00
Vincent Ambo
d254dbb848 feat(depotfmt): Check & format Rust code with rustfmt
The rustfmt configuration of the depot is moved to `rustfmt.toml` (it
is recognised more reliably from this path than from the hidden
.rustfmt.toml).

Nested configuration is theoretically possible, but detection of
nested config files is flaky. Paths with nested config files need to
be disabled in the top-level check (I've excluded my user directory).

Change-Id: I385ce3ef529bda28fac03bfba86fc204c81b8a61
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5241
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2022-02-08 12:06:39 +00:00
Vincent Ambo
3d8ee62087 style(rust): Format all Rust code with rustfmt
Change-Id: Iab7e00cc26a4f9727d3ab98691ef379921a33052
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5240
Tested-by: BuildkiteCI
Reviewed-by: kanepyork <rikingcoding@gmail.com>
Reviewed-by: Profpatsch <mail@profpatsch.de>
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: tazjin <tazjin@tvl.su>
2022-02-08 12:06:39 +00:00
Vincent Ambo
3318982f81 chore: move some meta.targets definitions to meta.ci.targets
Change-Id: Icdec1dec89158fb596c5185ac7105892081947f5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5252
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
2022-02-08 12:06:10 +00:00
Vincent Ambo
18c8c41b5c fix(tools/depotfmt): clear cache when running checks
apparently the cache can get out-of-sync or something; either way we
had a build where it missed a file that was misformated.

Change-Id: I2967aec99ee1c7c8b978a3dfdfed4ff213bb6591
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5249
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-02-07 22:24:41 +00:00
Vincent Ambo
3452569ddd feat(tools/crfo-approve): Add tool for CRFO depot-interventions
In some cases we want to be able to "emergency approve" something on
behalf of a different user.

Example cases:

* clean up of abandoned directories with restrictive OWNERS
* security fixes blocked on people in different timezones

This script can be used to perform these approvals if the user is a
member of depot-interventions. Note that access to depot-interventions
is audit logged.

The user on behalf of whom approval is performed is always added to
the attention set to ensure that they are made aware of the CRFO
approval.

Note: This depends on nixpkgs#156466. Keeping WIP until we have a
channel with that patch.

Change-Id: I16e5f9d7baa9daab49c88b629bb8f024aad9d94c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5085
Tested-by: BuildkiteCI
Reviewed-by: kn <klemens@posteo.de>
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-02-07 19:12:31 +00:00
sterni
487dd4189e fix(format-audit-results.jq): use advisories over vulnerabilities
Many of the vulnerabilities (in the respective crates) reported are not
actually exploitable vulnerabilties of the packages we report them for.
Consequently it is more accurate to state that they are advisories.

Change-Id: I02932125b77fc9c71e583ae49e822fd3438dce05
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5202
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2022-02-04 11:22:43 +00:00
sterni
66055161fb feat(tools/rust-crates-advisory): omit GHFM checklist in buildkite
Buildkite doesn't understand GitHub Flavored Markdown and having a read
only checklist in there is probably not much use.

Change-Id: I41538487087e8c817b1a5e653f077bb0fbe6eb47
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5201
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2022-02-04 11:22:43 +00:00
sterni
5d06425655 chore: move format-audit-result.jq out of //users/sterni
In the spirit of the readTree filter we should also not include files in
user directories from the outside.

Change-Id: I1abe36a721048900d2758b5986063b68b8d1af93
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5200
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2022-02-04 11:20:41 +00:00
sterni
c3684740ad feat(tools/rust-crates-advisory): also check all our Cargo.locks
check-all-our-lock-files works very similarly to
//users/sterni/nixpkgs-crate-holes, even reusing some parts of it, but
is much simpler since we don't need to extract the lock files — they are
already in tree.

It is implemented as a very simple script which just traverses the
subtree of the current directory, collecting all warnings. When
executing this script in buildkite via extraSteps, it never fails,
instead annotating the pipeline run with a warning.

Change-Id: I0a0bc26deffe7b20b99f5aa7238fb3c3bb9deb92
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3721
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2022-02-04 11:20:41 +00:00
sterni
32da9861d5 refactor: expose cheddar-about script from cheddar
Any other cgit configuration in depot would need this script wrapper as
well.

Change-Id: Ifa04e1c9de9c925eb3f60c5d3854221ae02ef06c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5206
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: sterni <sternenseemann@systemli.org>
2022-02-03 23:41:08 +00:00