From 9239868daa54e4f17e6778910c7a49036c49e72e Mon Sep 17 00:00:00 2001 From: sterni Date: Fri, 15 Oct 2021 20:48:57 +0200 Subject: feat(nixpkgs-crate-holes): cc maintainers allowed by a whitelist Change-Id: Iffbe173a48b466c52669efc70f9b5e5d4a6aff9a Reviewed-on: https://cl.tvl.fyi/c/depot/+/3730 Tested-by: BuildkiteCI Reviewed-by: Alyssa Ross Reviewed-by: sterni --- users/sterni/nixpkgs-crate-holes/default.nix | 18 ++++++++++++++++-- .../sterni/nixpkgs-crate-holes/format-audit-result.jq | 4 +++- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/users/sterni/nixpkgs-crate-holes/default.nix b/users/sterni/nixpkgs-crate-holes/default.nix index 9ca72e5463b3..d2557d4bd5c7 100644 --- a/users/sterni/nixpkgs-crate-holes/default.nix +++ b/users/sterni/nixpkgs-crate-holes/default.nix @@ -24,6 +24,15 @@ let eprintf = depot.tools.eprintf; }; + # list of maintainers we may @mention on GitHub + maintainerWhitelist = builtins.attrValues { + inherit (lib.maintainers) + sternenseemann + qyliss + jk + ; + }; + # buildRustPackage handling /* Predicate by which we identify rust packages we are interested in, @@ -98,9 +107,12 @@ let # Report generation and formatting - reportFor = { attr, lock, ... }: let + reportFor = { attr, lock, maintainers ? [] }: let # naïve attribute path to Nix syntax conversion strAttr = lib.concatStringsSep "." attr; + strMaintainers = lib.concatMapStringsSep " " (m: "@${m.github}") ( + builtins.filter (x: builtins.elem x maintainerWhitelist) maintainers + ); in if lock == null then pkgs.emptyFile @@ -113,7 +125,9 @@ let ] "importas" "out" "out" "redirfd" "-w" "1" "$out" - bins.jq "-rj" "-f" ./format-audit-result.jq "--arg" "attr" strAttr + bins.jq "-rj" "-f" ./format-audit-result.jq + "--arg" "attr" strAttr + "--arg" "maintainers" strMaintainers ]; # GHMF in issues splits paragraphs on newlines 
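Review bot: The comment above `maintainerWhitelist` (hunk `@@ -24,6 +24,15 @@`) says what the list is used for but not what qualifies an entry, which a later editor needs to know before adding names. As far as this diff shows, the list is what keeps generated issues from pinging arbitrary nixpkgs maintainers, so the rule is worth spelling out. Something like `# Maintainers we may @mention in generated GitHub issues. Add a name only with that person's agreement; anyone not listed is never cc'd.` would do; adjust the wording if the actual criterion is different.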
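Review bot: Dropping `...` from the `reportFor` argument pattern (hunk `@@ -98,9 +107,12 @@`) makes the function reject any attribute other than `attr`, `lock` and `maintainers`, so a caller that passes a larger record would now fail at evaluation. The call sites are outside this diff, so this needs confirming; `{ attr, lock, maintainers ? [], ... }:` keeps the old tolerance. Separately, `builtins.elem x maintainerWhitelist` compares whole maintainer records, so an entry that differs in any field from the `lib.maintainers` value is silently left out of the cc list. That is the safe direction to fail, but it deserves a comment so nobody loosens it later, for example `# compare whole records: only exact lib.maintainers entries are ever @mentioned`. The `let` body of `reportFor` continues past the end of the hunk.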
diff --git a/users/sterni/nixpkgs-crate-holes/format-audit-result.jq b/users/sterni/nixpkgs-crate-holes/format-audit-result.jq index c527bc4da9ec..e3147b8016c1 100644 --- a/users/sterni/nixpkgs-crate-holes/format-audit-result.jq +++ b/users/sterni/nixpkgs-crate-holes/format-audit-result.jq @@ -53,7 +53,9 @@ else ([ "- [ ] " , "`", $attr, "`: " , (.vulnerabilities.count | tostring) - , " vulnerabilities in Cargo.lock\n" + , " vulnerabilities in Cargo.lock" + , if $maintainers != "" then " (cc " + $maintainers + ")" else "" end + , "\n" ] + (.vulnerabilities.list | map(format_vulnerability)) ) | add end -- cgit 1.4.1
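Review bot: The new line `if $maintainers != "" then ...` makes `$maintainers` a required input, because jq refuses to compile a program that references a named variable not supplied with `--arg`, so any other invocation of this filter now fails before producing output. The only call visible in this diff passes it, so this is a documentation gap rather than a bug. I would add a comment beside the existing `$attr` use or at the top of the file, such as `# inputs: --arg attr <attribute path>, --arg maintainers <space-separated @handles, may be empty>`. The value is written into the issue text verbatim, so the comment should also say it must contain only handles that passed the allowlist in default.nix. The surrounding `if ... else ([ ... ]) | add end` expression starts outside the hunk.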