7ab86f5423
I wanted Gitea to call Buildkite's pre-receive pipeline and either accept or reject the incoming code depending on the outcome. The problem is that I can only *create* builds from Gitea's pre-receive hook; I cannot wait for their result there. Now I'm left with two options:

1. run the lint-secrets step in post-receive
2. run `/nix/store/<hash>/git-secrets --scan-history $REPO_PATH` in Gitea

As far as I can tell, I cannot define Gitea hooks in Nix, which is unfortunate; otherwise, option 2 would appeal more. I'm doing option 1 for now.
31 lines
869 B
Nix
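# Buildkite pipeline definition, written to the Nix store as "pipeline.yaml".
# The content is produced with builtins.toJSON; JSON is a subset of YAML, so
# the resulting file can be consumed as YAML.
#
# Steps are chained through depends_on:
#   lint-secrets -> build-briefcase -> build-socrates
{ pkgs, ... }:

let
  pipeline.steps = [
    {
      key = "lint-secrets";
      # Scans the full commit history of the checkout with git-secrets.
      # NOTE(review): git-secrets only reports matches for patterns registered
      # in git config (for example via `git secrets --add` or
      # `git secrets --register-aws`). Nothing in this file registers any, so
      # confirm the agent's git config provides them; otherwise this step
      # passes without checking anything.
      # NOTE(review): if this pipeline is triggered after the push has already
      # been accepted, a failure here detects a leaked secret but does not keep
      # it out of the repository. Treat any finding as exposed and rotate it.
      command = "${pkgs.git-secrets}/bin/git-secrets --scan-history";
      label = ":broom: lint secrets";
    }
    {
      key = "build-briefcase";
      # "$(pwd)" is quoted so that a checkout path containing whitespace is
      # passed as a single argument, matching the build-socrates step below.
      command = "nix-build . -I briefcase=\"$(pwd)\" --no-out-link --show-trace";
      label = ":nix: build briefcase";
      depends_on = "lint-secrets";
    }
    {
      key = "build-socrates";
      # Builds the NixOS system closure for the configuration at
      # nixos/socrates/default.nix without creating a result symlink.
      # NOTE(review): nixpkgs is taken from a directory on the agent rather
      # than a revision pinned in this file, so whoever can write to that
      # directory decides what this step evaluates. Confirm its ownership and
      # permissions, or pin nixpkgs in the repository.
      command = ''
        nix-build '<nixpkgs/nixos>' \
          -I briefcase="$(pwd)" \
          -I nixpkgs=/var/lib/buildkite-agent-socrates/nixpkgs-channels \
          -I nixos-config=nixos/socrates/default.nix \
          -A system \
          --no-out-link \
          --show-trace
      '';
      label = ":nix: build socrates";
      depends_on = "build-briefcase";
    }
  ];
in pkgs.writeText "pipeline.yaml" (builtins.toJSON pipeline)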