e9686f84d9
Instead of prepending :unsign to all URLs in josh-proxy, and for all calls to filteredGitPush, explicitly use it only in the filter we use for the `export-kit` extraStep. This means, people cloning tvl-kit via > https://code.tvl.fyi/depot.git:workspace=views/kit.git now need to update the URL to point to > https://code.tvl.fyi/depot.git:unsign:workspace=views/kit.git instead. git@github.com:tvlfyi/kit.git will keep the same hashes, as it's updated to export the unsigned workspace view of it. This is less invasive than dooming every josh workspace to have to strip signatures. Change-Id: I6de05182fad4c3695081388c3bbf37306521d255 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8369 Autosubmit: flokli <flokli@flokli.de> Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
37 lines
1.1 KiB
Nix
37 lines
1.1 KiB
Nix
# Definitions for simple release mechanisms from depot.
|
|
{ depot, lib, pkgs, ... }:
|
|
|
|
let
|
|
inherit (lib.strings) makeBinPath sanitizeDerivationName;
|
|
in
|
|
{
|
|
# Use a josh filter to push a certain subset of canon to another git
|
|
# repository.
|
|
#
|
|
# This expects, of course, that the remote repository has granted
|
|
# push access to the CI SSH key.
|
|
filteredGitPush = { filter, remote, ref ? "refs/heads/canon" }: {
|
|
label = ":git: push '${filter}' to external git repository";
|
|
branches = [ "refs/heads/canon" ];
|
|
phase = "release";
|
|
|
|
command = pkgs.writeShellScript "${sanitizeDerivationName filter}-push" ''
|
|
set -e
|
|
export PATH="${makeBinPath [ pkgs.git depot.third_party.josh ]}:$PATH"
|
|
|
|
echo 'Filtering depot through ${filter}'
|
|
josh-filter '${filter}'
|
|
|
|
echo 'Fetching remote to check if a push is needed'
|
|
git fetch '${remote}' '${ref}'
|
|
|
|
if git merge-base --is-ancestor FILTERED_HEAD FETCH_HEAD; then
|
|
echo 'Commit already present, nothing to push.'
|
|
exit 0
|
|
fi
|
|
|
|
echo 'Pushing filtered repository to ${remote}:${ref}'
|
|
git push '${remote}' 'FILTERED_HEAD:${ref}'
|
|
'';
|
|
};
|
|
}
|