diff options
Diffstat (limited to 'ops/besadii')
-rw-r--r-- | ops/besadii/default.nix | 12 | ||||
-rw-r--r-- | ops/besadii/main.go | 197 |
2 files changed, 209 insertions, 0 deletions
diff --git a/ops/besadii/default.nix b/ops/besadii/default.nix new file mode 100644 index 000000000000..31f2705d7327 --- /dev/null +++ b/ops/besadii/default.nix @@ -0,0 +1,12 @@ +# This program is used as a git post-update hook to trigger builds on +# sourcehut. +{ depot, ... }: + +depot.buildGo.program { + name = "besadii"; + srcs = [ ./main.go ]; + + x_defs = { + "main.gitBin" = "${depot.third_party.git}/bin/git"; + }; +} diff --git a/ops/besadii/main.go b/ops/besadii/main.go new file mode 100644 index 000000000000..460eddf26538 --- /dev/null +++ b/ops/besadii/main.go @@ -0,0 +1,197 @@ +// Copyright 2019 Google LLC. +// SPDX-License-Identifier: Apache-2.0 +// +// besadii is a small CLI tool that triggers depot builds on +// builds.sr.ht +// +// It is designed to run as a post-update git hook on the server +// hosting the depot. +package main + +import ( + "bufio" + "bytes" + "encoding/json" + "fmt" + "io/ioutil" + "log/syslog" + "net/http" + "os" + "os/exec" + "strings" +) + +var gitBin = "git" + +// Represents an updated reference as passed to besadii by git +// +// https://git-scm.com/docs/githooks#pre-receive +type refUpdate struct { + name string + old string + new string +} + +// Represents a builds.sr.ht build object as described on +// https://man.sr.ht/builds.sr.ht/api.md +type Build struct { + Manifest string `json:"manifest"` + Note string `json:"note"` + Tags []string `json:"tags"` +} + +// Represents a build trigger object as described on <the docs for +// this are currently down> +type Trigger struct { + Action string `json:"action"` + Condition string `json:"condition"` + To string `json:"to"` +} + +// Represents a build manifest for sourcehut. +type Manifest struct { + Image string `json:"image"` + Sources []string `json:"sources"` + Secrets []string `json:"secrets"` + Tasks [](map[string]string) `json:"tasks"` + Triggers []Trigger `json:"triggers"` +} + +func prepareManifest(commit string) string { + m := Manifest{ + Image: "nixos/latest", + Sources: []string{"https://git.camden.tazj.in/"}, + + // secret for cachix/tazjin + Secrets: []string{"f7f02546-4d95-44f7-a98e-d61fdded8b5b"}, + + Tasks: [](map[string]string){ + {"setup": `# sourcehut does not censor secrets in builds, hence this hack: +echo -n 'export CACHIX_SIGNING_KEY=' >> ~/.buildenv +cat ~/.cachix-tazjin >> ~/.buildenv +nix-env -iA third_party.cachix -f git.tazj.in +cachix use tazjin +cd git.tazj.in +git checkout ` + commit}, + + {"build": `cd git.tazj.in +nix-build ci-builds.nix > built-paths`}, + + {"cache": `cd git.tazj.in +cat built-paths | cachix push tazjin`}, + }, + + Triggers: []Trigger{ + Trigger{Action: "email", Condition: "failure", To: "mail@tazj.in"}, + }, + } + + j, _ := json.Marshal(m) + return string(j) +} + +// Trigger a build of a given branch & commit on builds.sr.ht +func triggerBuild(log *syslog.Writer, token, branch, commit string) { + build := Build{ + Manifest: prepareManifest(commit), + Note: fmt.Sprintf("Build of 'master' at '%s'", commit), + Tags: []string{ + // my branch names tend to contain slashes, which are not valid + // identifiers in sourcehut. + "depot", strings.ReplaceAll(branch, "/", "_"), + }, + } + + body, _ := json.Marshal(build) + reader := ioutil.NopCloser(bytes.NewReader(body)) + + req, err := http.NewRequest("POST", "https://builds.sr.ht/api/jobs", reader) + if err != nil { + log.Err(fmt.Sprintf("failed to create an HTTP request: %s", err)) + os.Exit(1) + } + + req.Header.Add("Authorization", "token "+token) + req.Header.Add("Content-Type", "application/json") + + resp, err := http.DefaultClient.Do(req) + if err != nil { + // This might indicate a temporary error on the sourcehut side, do + // not fail the whole program. + log.Err(fmt.Sprintf("failed to send builds.sr.ht request:", err)) + return + } + defer resp.Body.Close() + + if resp.StatusCode != 200 { + respBody, _ := ioutil.ReadAll(resp.Body) + log.Err(fmt.Sprintf("received non-success response from builds.sr.ht: %s (%v)", respBody, resp.Status)) + } else { + fmt.Fprintf(log, "triggered builds.sr.ht job for branch '%s' at commit '%s'", branch, commit) + } +} + +func parseRefUpdates() ([]refUpdate, error) { + var updates []refUpdate + + scanner := bufio.NewScanner(os.Stdin) + for scanner.Scan() { + line := scanner.Text() + fragments := strings.Split(line, " ") + + if len(fragments) != 3 { + return nil, fmt.Errorf("invalid ref update: '%s'", line) + } + + if !strings.HasPrefix(fragments[2], "refs/heads/") { + continue + } + + updates = append(updates, refUpdate{ + old: fragments[0], + new: fragments[1], + name: strings.TrimPrefix(fragments[2], "refs/heads/"), + }) + } + + if err := scanner.Err(); err != nil { + return nil, err + } + + return updates, nil +} + +func main() { + log, err := syslog.New(syslog.LOG_INFO|syslog.LOG_USER, "besadii") + if err != nil { + fmt.Printf("failed to open syslog: %s\n", err) + os.Exit(1) + } + + // Before triggering builds, it is important that git + // update-server-info is run so that cgit correctly serves the + // repository. + err = exec.Command(gitBin, "update-server-info").Run() + if err != nil { + log.Alert("failed to run 'git update-server-info' for depot!") + os.Exit(1) + } + + token, err := ioutil.ReadFile("/etc/secrets/srht-token") + if err != nil { + log.Alert("sourcehot token could not be read") + os.Exit(1) + } + + updates, err := parseRefUpdates() + if err != nil { + log.Err(fmt.Sprintf("could not parse updated refs:", err)) + os.Exit(1) + } + + fmt.Fprintf(log, "triggering builds for %v refs", len(updates)) + + for _, update := range updates { + triggerBuild(log, string(token), update.name, update.new) + } +} |