From 0e2633048e4ebadd0d3bf212a7129fdebdc913ad Mon Sep 17 00:00:00 2001 From: Adam Joseph Date: Thu, 7 Dec 2023 03:49:07 -0800 Subject: feat(tvix): run crate2nix generate in CI This runs `crate2nix generate` in CI and then runs `depotfmt` on the result to ensure that our machine-generated code is really, really readable and pretty. Then it checks that the result of all that is identical to the committed Cargo.nix. A self-hashing FOD is used to allow network access. No magic hashes are involved. Co-Authored-By: Florian Klink Change-Id: I68ec5003dbc6a40894a5a4d6e902f138c99f6719 Reviewed-on: https://cl.tvl.fyi/c/depot/+/10194 Autosubmit: flokli Reviewed-by: Adam Joseph Tested-by: BuildkiteCI Reviewed-by: flokli
---
tvix/default.nix | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 57 insertions(+), 5 deletions(-)
diff --git a/tvix/default.nix b/tvix/default.nix
index f6ab256ed473..f8dcfe3a9802 100644
--- a/tvix/default.nix
+++ b/tvix/default.nix
@@ -89,17 +89,68 @@ let # The cleaned sources. src = depot.third_party.gitignoreSource ./.; -in -{ - inherit crates; - # Run crate2nix generate in the current working directory, then # format the generated file with depotfmt. - crate2nixGenerate = pkgs.writeShellScriptBin "crate2nix-generate" '' + crate2nix-generate = pkgs.writeShellScriptBin "crate2nix-generate" '' ${pkgs.crate2nix}/bin/crate2nix generate --all-features ${depot.tools.depotfmt}/bin/depotfmt Cargo.nix ''; +in +{ + inherit crates crate2nix-generate; + + # Run crate2nix generate, ensure the output doesn't differ afterwards + # (and doesn't fail). + # + # Currently this re-downloads every crate every time + # crate2nix-check (but not crate2nix) is built. + # TODO(amjoseph): be less wasteful with bandwidth. + # + crate2nix-check = + let + outputHashAlgo = "sha256"; + in + pkgs.stdenv.mkDerivation { + inherit src; + + # Important: we include the hash of the Cargo.lock file and + # Cargo.nix file in the derivation name. This forces the FOD + # to be rebuilt/reverified whenever either of them changes. + name = "tvix-crate2nix-check-" + + (builtins.substring 0 8 (builtins.hashFile "sha256" ./Cargo.lock)) + + "-" + + (builtins.substring 0 8 (builtins.hashFile "sha256" ./Cargo.nix)); + + nativeBuildInputs = with pkgs; [ git cacert cargo ]; + buildPhase = '' + export CARGO_HOME=$(mktemp -d) + + # The following command can be omitted, in which case + # crate2nix-generate will run it automatically, but won't show the + # output, which makes it look like the build is somehow "stuck" for a + # minute or two. 
+ cargo metadata > /dev/null + + # running this command counteracts depotfmt brokenness + git init + + ${crate2nix-generate}/bin/crate2nix-generate + + # technically unnecessary, but provides more-helpful output in case of error + diff -ur Cargo.nix ${src}/Cargo.nix + + # the FOD hash will check that the (re-)generated Cargo.nix matches the committed Cargo.nix + cp Cargo.nix $out + ''; + + # This is an FOD in order to allow `cargo` to perform network access. + outputHashMode = "flat"; + inherit outputHashAlgo; + outputHash = builtins.hashFile outputHashAlgo ./Cargo.nix; + env.SSL_CERT_FILE = "${pkgs.cacert.out}/etc/ssl/certs/ca-bundle.crt"; + }; + # Provide the Tvix logo in both .webp and .png format. logo = pkgs.runCommand "logo" { @@ -167,6 +218,7 @@ in meta.ci.targets = [ "clippy" + "crate2nix-check" "shell" "rust-docs" ]; -- cgit 1.4.1
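Review bot: The `name` of the `crate2nix-check` derivation folds in only the hashes of `Cargo.lock` and `Cargo.nix`, so the fixed-output path stays the same when any other input to generation changes, such as a workspace manifest (a feature list, say) or the `crate2nix` and `depotfmt` versions behind `crate2nix-generate`. Nix accepts an already-realised fixed-output path without rebuilding it, so once the path is in a store or cache the check can report success while the committed `Cargo.nix` is stale. Consider appending a short hash of those inputs to the name, in the same `builtins.substring 0 8 (builtins.hashFile "sha256" <manifest>)` form already used, and extending the `# Important:` comment to list what is and is not covered. Separately, `cargo metadata > /dev/null` could become `cargo metadata --locked > /dev/null`, so that a lockfile out of step with the manifests fails with a clear error rather than being re-resolved against the live index before the `diff`. Whether `crate2nix generate` already enforces the lockfile is not visible from this hunk.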