diff options
Diffstat (limited to 'ops/sync-gcsr')
-rw-r--r-- | ops/sync-gcsr/default.nix | 14 | ||||
-rw-r--r-- | ops/sync-gcsr/main.go | 202 | ||||
-rw-r--r-- | ops/sync-gcsr/manifest.yaml | 23 |
3 files changed, 239 insertions, 0 deletions
diff --git a/ops/sync-gcsr/default.nix b/ops/sync-gcsr/default.nix new file mode 100644 index 000000000000..ae88b34124dc --- /dev/null +++ b/ops/sync-gcsr/default.nix @@ -0,0 +1,14 @@ +{ pkgs, ... }: + +pkgs.buildGo.program { + name = "sync-gcsr"; + srcs = [ ./main.go ]; + + deps = with pkgs.third_party; map (p: p.gopkg) [ + gopkgs."gopkg.in".src-d.go-git + ]; + + x_defs = { + "main.BuildManifest" = "${./manifest.yaml}"; + }; +} diff --git a/ops/sync-gcsr/main.go b/ops/sync-gcsr/main.go new file mode 100644 index 000000000000..62c24a92cef0 --- /dev/null +++ b/ops/sync-gcsr/main.go @@ -0,0 +1,202 @@ +// Copyright 2019 Google LLC. +// SPDX-License-Identifier: Apache-2.0 +// +// sync-gcsr implements a small utility that periodically mirrors a +// remote Google Cloud Source Repository to a local file path. +// +// This utility is also responsible for triggering depot builds on +// builds.sr.ht if a change is detected on the master branch. +package main + +import ( + "encoding/json" + "fmt" + "io/ioutil" + "log" + "net/http" + "os" + "time" + "bytes" + + git "gopkg.in/src-d/go-git.v4" + "gopkg.in/src-d/go-git.v4/plumbing" + githttp "gopkg.in/src-d/go-git.v4/plumbing/transport/http" +) + +// Path to the build manifest, added by Nix at compile time. +var BuildManifest string + +// Represents a builds.sr.ht build object as described on +// https://man.sr.ht/builds.sr.ht/api.md +type Build struct { + Manifest string `json:"manifest"` + Note string `json:"note"` + Tags []string `json:"tags"` +} + +func EnvOr(key, def string) string { + v := os.Getenv(key) + if v == "" { + return def + } + + return v +} + +// Trigger a build of master on builds.sr.ht +func triggerBuild(commit string) { + manifest, err := ioutil.ReadFile(BuildManifest) + if err != nil { + log.Fatalln("[ERROR] failed to read sr.ht build manifest:", err) + } + + build := Build{ + Manifest: string(manifest), + Note: fmt.Sprintf("Build of 'master' at '%s'", commit), + Tags: []string{ + "depot", "master", + }, + } + + body, _ := json.Marshal(build) + reader := ioutil.NopCloser(bytes.NewReader(body)) + + req, err := http.NewRequest("POST", "https://builds.sr.ht/api/jobs", reader) + if err != nil { + log.Fatalln("[ERROR] failed to create an HTTP request:", err) + } + + req.Header.Add("Authorization", fmt.Sprintf("token %s", os.Getenv("SRHT_TOKEN"))) + req.Header.Add("Content-Type", "application/json") + + resp, err := http.DefaultClient.Do(req) + if err != nil { + // This might indicate a temporary error on the SourceHut side, do + // not fail the whole program. + log.Println("failed to send builds.sr.ht request:", err) + return + } + defer resp.Body.Close() + + if resp.StatusCode != 200 { + respBody, err := ioutil.ReadAll(resp.Body) + log.Printf("received non-success response from builds.sr.ht: %s (%v)[%s]", respBody, resp.Status, err) + } else { + log.Println("triggered builds.sr.ht job for commit", commit) + } +} + +// ensure that all remote branches exist locally & are up to date. +func updateBranches(auth *githttp.BasicAuth, repo *git.Repository) error { + origin, err := repo.Remote("origin") + if err != nil { + return err + } + + refs, err := origin.List(&git.ListOptions{ + Auth: auth, + }) + if err != nil { + return err + } + + for _, ref := range refs { + if !ref.Name().IsBranch() || ref.Type() != plumbing.HashReference { + continue + } + + name := plumbing.NewBranchReferenceName(ref.Name().Short()) + + if current, err := repo.Storer.Reference(name); err == nil { + // Determine whether the reference has changed to skip + // unnecessary modifications. + if current.Hash() == ref.Hash() { + continue + } + } + + branch := plumbing.NewHashReference(name, ref.Hash()) + + err := repo.Storer.SetReference(branch) + if err != nil { + return err + } + + if ref.Name().Short() == "master" { + go triggerBuild(ref.Hash().String()) + } + + log.Println("Updated branch", ref.Name().String()) + } + + return nil +} + +func updateRepo(auth *githttp.BasicAuth, repo *git.Repository, opts *git.FetchOptions) error { + err := repo.Fetch(opts) + + if err == git.NoErrAlreadyUpToDate { + // nothing to do ... + return nil + } else if err != nil { + return err + } + + log.Println("Fetched updates from remote, updating local branches") + return updateBranches(auth, repo) +} + +func cloneRepo(dest, project, repo string, auth *githttp.BasicAuth) (*git.Repository, error) { + var cloneOpts = git.CloneOptions{ + Auth: auth, + URL: fmt.Sprintf("https://source.developers.google.com/p/%s/r/%s", project, repo), + } + + handle, err := git.PlainClone(dest, true, &cloneOpts) + + if err == git.ErrRepositoryAlreadyExists { + handle, err = git.PlainOpen(dest) + } + + return handle, updateBranches(auth, handle) +} + +func main() { + dest := EnvOr("SYNC_DEST", "/git/depot") + project := EnvOr("SYNC_PROJECT", "tazjins-infrastructure") + repo := EnvOr("SYNC_REPO", "depot") + user := os.Getenv("SYNC_USER") + pass := os.Getenv("SYNC_PASS") + + log.Printf("Syncing repository '%s/%s' to destination '%s'", project, repo, dest) + + var auth *githttp.BasicAuth + if user != "" && pass != "" { + auth = &githttp.BasicAuth{ + Username: user, + Password: pass, + } + log.Println("Enabling basic authentication as user", user) + } + + handle, err := cloneRepo(dest, project, repo, auth) + + if err != nil { + log.Fatalf("Failed to clone repository: %s", err) + } else { + log.Println("Initiating update loop") + } + + fetchOpts := git.FetchOptions{ + Auth: auth, + Force: true, + } + + for { + if err = updateRepo(auth, handle, &fetchOpts); err != nil { + log.Fatalf("Failed to pull updated repository: %s", err) + } + + time.Sleep(10 * time.Second) + } +} diff --git a/ops/sync-gcsr/manifest.yaml b/ops/sync-gcsr/manifest.yaml new file mode 100644 index 000000000000..3016c2ca57ee --- /dev/null +++ b/ops/sync-gcsr/manifest.yaml @@ -0,0 +1,23 @@ +image: nixos/latest +sources: + - https://git.tazj.in/ +secrets: + # cachix/tazjin + - f7f02546-4d95-44f7-a98e-d61fdded8b5b +tasks: + - setup: | + # sourcehut does not censor secrets in builds, hence this hack: + echo -n 'export CACHIX_SIGNING_KEY=' > cachix-preamble + cat cachix-preamble ~/.cachix-tazjin >> ~/.buildenv + nix-env -iA third_party.cachix -f git.tazj.in + cachix use tazjin + - build: | + cd git.tazj.in + nix-build ci-builds.nix > built-paths + - cache: | + cd git.tazj.in + cat built-paths | cachix push tazjin +triggers: + - action: email + condition: failure + to: mail@tazj.in |