refactor(ops/pipelines): Move :duck: logic into static pipeline r/3177

This simplifies the fallback logic used in case of Nix evaluation failure and makes it so that the evaluation step itself is the one that is marked as failed in Buildkite. This is possible because the pipeline upload command will insert new steps at the point where it runs in the pipeline, and not later. Change-Id: I870534c004ebc457a1602623c4e5f9c0c68e28fc
author: Vincent Ambo <mail@tazj.in> 2021-12-10T07·10+0300
committer: tazjin <mail@tazj.in> 2021-12-10T07·55+0000
commit: e4231c9816dc532b4d4eb0c9e8d7e8e347d0ebe4 (patch)
tree: 119735e2051add221899939b006b75808b6b3cc0 /ops/pipelines
parent: 9ea4d55d81d61b6073e69bebdc614f9694d8223c (diff)
3 files changed, 37 insertions, 49 deletions
diff --git a/ops/pipelines/depot.nix b/ops/pipelines/depot.nix
index f2db69a78ff3..de03755373c0 100644
--- a/ops/pipelines/depot.nix
+++ b/ops/pipelines/depot.nix
@@ -77,40 +77,6 @@ let
       # Simultaneously run protobuf checks
       protoCheck
 
-      # Wait for all previous checks to complete
-      ({
-        wait = null;
-        continue_on_failure = true;
-      })
-
-      # Wait for all steps to complete, then exit with success or
-      # failure depending on whether any other steps failed.
-      #
-      # This information is checked by querying the Buildkite GraphQL
-      # API and fetching the count of failed steps.
-      #
-      # This step must be :duck:! (yes, really!)
-      ({
-        command = let duck = pkgs.writeShellScript "duck" ''
-          set -ueo pipefail
-
-          readonly FAILED_JOBS=$(${pkgs.curl}/bin/curl 'https://graphql.buildkite.com/v1' \
-            --silent \
-            -H "Authorization: Bearer $(cat /etc/secrets/buildkite-besadii)" \
-            -d "{\"query\": \"query BuildStatusQuery { build(uuid: \\\"$BUILDKITE_BUILD_ID\\\") { jobs(passed: false) { count } } }\"}" | \
-            ${pkgs.jq}/bin/jq -r '.data.build.jobs.count')
-
-          echo "$FAILED_JOBS build jobs failed."
-
-          if (( $FAILED_JOBS > 0 )); then
-            exit 1
-          fi
-        ''; in "${duck}";
-
-        label = ":duck:";
-        key = ":duck:";
-      })
-
       # After duck, on success, create a gcroot if the build branch is
       # canon.
       #
diff --git a/ops/pipelines/fallback.yaml b/ops/pipelines/fallback.yaml
deleted file mode 100644
index 73308d937b0c..000000000000
--- a/ops/pipelines/fallback.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-# This build configuration provides a fallback which marks a build as
-# failed. This is used if evaluating the build configuration fails,
-# for example because of a syntax error in Nix code.
----
-steps:
-  - command: "echo 'Nix evaluation failed!' && exit 1"
-    # This step *must* be :duck: to trigger the correct hook.
-    label: ":duck:"
diff --git a/ops/pipelines/static-pipeline.yaml b/ops/pipelines/static-pipeline.yaml
index c864aea65714..2c7767820b94 100644
--- a/ops/pipelines/static-pipeline.yaml
+++ b/ops/pipelines/static-pipeline.yaml
@@ -7,14 +7,44 @@
 steps:
   - label: ":llama:"
     command: |
-      function fallback() {
-        echo 'Using fallback pipeline ...'
-        buildkite-agent pipeline upload ops/pipelines/fallback.yaml
-        exit
-      }
+      set -ue
+      nix-build -A ops.pipelines.depot -o depot.yaml --show-trace && \
+        buildkite-agent pipeline upload depot.yaml
 
-      nix-build -A ops.pipelines.depot -o depot.yaml --show-trace || fallback
-      buildkite-agent pipeline upload depot.yaml || fallback
+  # Wait for all previous steps to complete.
+  - wait: null
+    continue_on_failure: true
+
+  # Exit with success or failure depending on whether any other steps
+  # failed.
+  #
+  # This information is checked by querying the Buildkite GraphQL API
+  # and fetching the count of failed steps.
+  #
+  # This step must be :duck: (yes, really!) because the post-command
+  # hook will inspect this name.
+  #
+  # Note that this step has requirements for the agent environment, which
+  # are enforced in our NixOS configuration:
+  #
+  #  * curl and jq must be on the $PATH of build agents
+  #  * besadii configuration must be readable to the build agents
+  - label: ":duck:"
+    key: ":duck:"
+    command: |
+      set -ueo pipefail
+
+      readonly FAILED_JOBS=$(curl 'https://graphql.buildkite.com/v1' \
+        --silent \
+        -H "Authorization: Bearer $(cat /etc/secrets/buildkite-besadii)" \
+        -d "{\"query\": \"query BuildStatusQuery { build(uuid: \\\"$BUILDKITE_BUILD_ID\\\") { jobs(passed: false) { count } } }\"}" | \
+        jq -r '.data.build.jobs.count')
+
+      echo "$$FAILED_JOBS build jobs failed."
+
+      if (( $$FAILED_JOBS > 0 )); then
+        exit 1
+      fi
 
   # Create a revision number for the current commit for builds on
   # canon.
author	Vincent Ambo <mail@tazj.in>	2021-12-10T07·10+0300
committer	tazjin <mail@tazj.in>	2021-12-10T07·55+0000
commit	e4231c9816dc532b4d4eb0c9e8d7e8e347d0ebe4 (patch)
tree	119735e2051add221899939b006b75808b6b3cc0 /ops/pipelines
parent	9ea4d55d81d61b6073e69bebdc614f9694d8223c (diff)