path: root/ci
Age | Commit message | Author | Files | Lines
2020-08-31 | Allow configurable BRIEFCASE env var for CI | William Carroll | 1 | -12/+21
These were hard-coded as $HOME/BRIEFCASE, which won't work in CI, since CI runs as the user buildkite-agent-socrates, whose $HOME directory doesn't exist.
2020-08-31 | Attempting to avoid buildkite parse error | William Carroll | 1 | -1/+1
For more information, see here: https://github.com/buildkite/agent/issues/584
2020-08-31 | Surround subshell in 2x-quotes | William Carroll | 1 | -1/+3
This wasn't a bug; it's just good practice.
2020-08-27 | Add build, lint Emacs steps to post-receive pipeline | William Carroll | 2 | -1/+60
TL;DR:
- Define runEmacsScript to emacs/default.nix for ci/pipelines/post-receive
- Write script.el to call (load init.el) and catch any errors
- Lint Elisp with gonewest818/elisp-lint

Also nice how Buildkite supports :gnu: emojis!
2020-08-22 | Abandon the pre-receive hook | William Carroll | 2 | -11/+6
I wanted Gitea to call Buildkite's pre-receive pipeline and either accept or reject the incoming code depending on the outcome. The problem is that I can only *create* builds from Gitea's pre-receive hook.

Now I'm left with two options:
1. run the lint-secrets step in post-receive
2. run `/nix/store/<hash>/git-secrets --scan-history $REPO_PATH` in Gitea

As far as I can tell, I cannot define Gitea hooks in Nix, which is unfortunate; otherwise, option 2 would appeal more. I'm doing option one for now.
2020-08-22 | Define Buildkite pipelines corresponding to git server hooks | William Carroll | 3 | -19/+20
I think maintaining a 1:1 correspondence with the git server hook makes sense right now. Let's try it out!
2020-08-22 | Ensure that the build step "depends on" the lint step | William Carroll | 1 | -0/+3
This way, if the lint step fails, the build step doesn't run. Nice!
2020-08-22 | Remove --add-provider step from briefcase lint | William Carroll | 2 | -18/+10
So it turns out that I was wrong and that .git/config is stateful. Multiple calls to --add-provider will append the same provider each time...

Instead I'm defining secret-patterns.txt and version-controlling it. Then:
- dev-side: I'm adding `providers = cat ci/secret-patterns.txt` to .git/config
- ci-side: I'm adding `providers = cat ci/secret-patterns.txt` to .git/config

Unfortunately this is ad-hoc configuration ci-side, which I would like to avoid. The good news is that my pre-commit hooks and failures from git-secrets should now align with my CI, since they're both reading from secret-patterns.txt.

One step backwards... two steps forwards?
2020-08-22 | Call --add-provider during lint stage | William Carroll | 1 | -3/+16
I'm also `cat .git/config` because I think Buildkite destroys the .git/config file for each build, but I want to verify that. If it does, I prefer that because it seems to share the spirit of the "Destroy Your Darlings" essay.
2020-08-22 | Log git information during briefcase's lint stage | William Carroll | 1 | -1/+5
I would like to find out what the state of the repo is during pre-receive hook.
2020-08-21 | Prefer :nix: emoji | William Carroll | 2 | -2/+2
Buildkite supports language extensions as emojis!
2020-08-21 | Use emojis for build, lint steps | William Carroll | 2 | -3/+3
Y'know... the important stuff
2020-08-21 | Remove debugging information | William Carroll | 1 | -6/+1
Problem: my dev machine returns a different value for `git config --get-all secrets.patterns` than my CI machine... I ran `git-secrets --register-aws` to get additional coverage, but it's still not the same. I created an issue on the git-secrets GH repo to get better troubleshooting advice, but I don't need the logging info anymore, so I'm removing it.
2020-08-21 | Debugging briefcase pipeline | William Carroll | 1 | -1/+6
Somehow `git-secrets --scan-history` is exiting non-zero, when I don't think it should. Logging some environment information to get a better idea of what's going on.
2020-08-21 | Call --scan-history | William Carroll | 1 | -1/+1
My current pipeline is succeeding with a false-positive. After this change, it should return a true-negative.
2020-08-21 | Define BuildKite pipelines in Nix | William Carroll | 5 | -18/+32
After a handful of failed attempts to run lint-secrets.sh due to a missing `git-secrets` executable on my git server, I decided that now was a good time to use Nix to define my BuildKite pipelines.

TL;DR:
- Delete ci/scripts directory
- Define ci/pipelines/{briefcase,socrates}.nix

Outside of this repository:
- I logged into my admin account at git.wpcarro.dev and changed my Gitea post-receive hook to trigger the briefcase pipeline
- I logged into my BuildKite account, deleted my build-briefcase pipeline, created a new briefcase pipeline that called:

```shell
nix-build -A ci.pipelines.briefcase -o briefcase.yaml
buildkite-agent pipeline upload briefcase.yaml
```

One day I will audit all of my ad-hoc, non-mono-repo activity (like the steps I listed above) and attempt to fit everything herein... one step at a time, though!
2020-08-20 | Testing new CI lint-secrets step | William Carroll | 1 | -0/+3
Adding a fake secret to test the new CI build step. I'm not sure I expect this to fail the step because it relies on a pattern that I defined in .git/config... let's see!
2020-08-20 | Add --no-out-link to ci/scripts | William Carroll | 2 | -1/+2
I don't need the ./result symlinks...
2020-08-20 | Move /home/wpcarro/nixpkgs-channels to /var/lib | William Carroll | 2 | -2/+2
My builds are still failing. This time with...

```
error: getting status of /home/wpcarro/nixpkgs-channels: Permission denied
```

...what confused me was the following:

```shell
$ sudo -u buildkite-agent-socrates stat /home/wpcarro/nixpkgs-channels
permission denied
```

But `ls -al /home/wpcarro | grep nixpkgs-channels` showed `r-w` for all users...

Thankfully @riking on ##tvl told me that I should check the permissions for /home/wpcarro and /home... After running `ls -al /home`, I saw `---` for all users... I then reproduced the error by running:

```shell
$ sudo -u buildkite-agent-socrates stat /home
permission denied
```

Great! So then I moved nixpkgs-channels to /var/lib/buildkite-agent-socrates.

@edef recommended that I read more about DynamicUser= setting for systemd, which looks relevant after I took a cursory glance. I'll also want a more declarative way to manage this, but I'm making small improvements every day.
2020-08-20 | Support build-briefcase.sh | William Carroll | 1 | -0/+6
For now, I'm supporting two CI pipelines:
- build-socrates
- build-briefcase

Conceptually, build-briefcase should cover what build-socrates does now, but eventually I would like build-socrates to call `switch-to-configuration` so that all of my websites, etc. stay fresh.
2020-08-20 | Disable failing goals/default.nix | William Carroll | 1 | -1/+2
Disabling failing packages until I can get a working CI build.
2020-08-20 | Revise previous opinions about absolute paths GT <bracket-notation> | William Carroll | 1 | -1/+2
Unforeseen problem: `buildkite-agent` runs its builds in a separate directory, so if I want the `nix-build` command to build the newly checked out code, I need to set <briefcase> to the CWD.
2020-08-20 | Attempt nix-build instead of nixos-rebuild switch | William Carroll | 1 | -6/+4
I've encountered a few problems with attempting to support nixos-rebuild:
- the activation step requires `sudo` privileges
- the `buildkite-agent` runs on the same machine, socrates, that is rebuilding itself. This means that when the activation step runs, it will attempt to restart `buildkite-agent` when the agent is still working

I'm slowly removing places in my nix code that rely on '<bracket>' notation, so that I no longer depend on NIX_PATH being set. I still have more work to do.

{covid-uk,sandbox}/default.nix are breaking when I attempt to run my build-socrates.sh script locally, so I'm temporarily disabling them until I can get CI working as I expect.
2020-08-20 | Prefer nixos-rebuild to the rebuild script | William Carroll | 1 | -4/+6
The rebuild script calls sudo, which I won't need as I test running buildkite-agent prefixed with `sudo` or as the root user.
2020-08-20 | Debug $USER in build-socrates.sh | William Carroll | 1 | -1/+1
Attempting to see what $USER the buildkite-agent is when it runs.
2020-08-20 | Debug build-socrates.sh | William Carroll | 1 | -1/+4
- using `set -euo pipefail` for setting recommended failure-modes
- using `set -x` and `echo "$PATH"` to debug my failing build

Sidenote: I find BuildKite's documentation quite helpful!
2020-08-20 | Attempt to build Socrates using BuildKite | William Carroll | 1 | -0/+3
Let's see what happens...