From bf18e657190e6f1c6fa0d5969b6efc45a3599258 Mon Sep 17 00:00:00 2001
From: sterni <sternenseemann@systemli.org>
Date: Sun, 6 Feb 2022 13:07:56 +0100
Subject: refactor(rust-crates-advisory): redo the buildkite report in bash

I've elected to split the check-all-our-lock-files script into two new
scripts: One very simple script which generates the report by invoking
lock-file-report on the fake lock file for //third_party/rust-crates and
all lock files in depot, and one which executes this and adds it as a
buildkite annotation if there are any warnings (which is reported by the
report generating script using a non zero exit code).

The latter script could become the basis for generalizing buildkite
annotations, a slight attempt at making it easily reusable in the future
has been made. So far we expect a report generating script to exit non
zero if a report should be made and to print commonmark to stdout. In
the future we may want to use a JSON format for generating the report,
allowing us to filter it by buildkite target (using the drvmap to
exclude certain reports, potentially).

Change-Id: I1df9e440509d69adff5b8e6304105a45dc62c018
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5260
Reviewed-by: kn <klemens@posteo.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
---
 tools/rust-crates-advisory/default.nix | 81 +++++++++++++++++-----------------
 1 file changed, 41 insertions(+), 40 deletions(-)

diff --git a/tools/rust-crates-advisory/default.nix b/tools/rust-crates-advisory/default.nix
index d33e78c442..5285a766d5 100644
--- a/tools/rust-crates-advisory/default.nix
+++ b/tools/rust-crates-advisory/default.nix
@@ -120,44 +120,43 @@ let
     exit $status
   '';
 
-  check-all-our-lock-files = depot.nix.writeExecline "check-all-our-lock-files" { } [
-    "backtick"
-    "-EI"
-    "report"
-    [
-      "foreground"
-      [
-        lock-file-report
-        "//third_party/rust-crates"
-        our-crates-lock-file
-        "false"
-      ]
-      tree-lock-file-report
-      "."
-    ]
-    "ifelse"
-    [
-      bins.s6-test
-      "-z"
-      "$report"
-    ]
-    [
-      "exit"
-      "0"
-    ]
-    "pipeline"
-    [
-      "printf"
-      "%s"
-      "$report"
-    ]
-    "buildkite-agent"
-    "annotate"
-    "--style"
-    "warning"
-    "--context"
-    "check-all-our-lock-files"
-  ];
+  depot-rust-crates-advisory-report = pkgs.writers.writeBash "depot-advisory-report" ''
+    set -eu
+    status=0
+
+    "${lock-file-report}" "//third_party/rust-crates" "${our-crates-lock-file}" || status=1
+    "${tree-lock-file-report}" || status=1
+
+    exit $status
+  '';
+
+  buildkiteReportStep =
+    { command
+    , context ? null
+    , style ? "warning"
+    }:
+    let
+      commandName = depot.nix.utils.storePathName (builtins.head command);
+    in
+
+    pkgs.writers.writeBash "buildkite-report-${commandName}" ''
+      set -uo pipefail
+
+      report="$(${lib.escapeShellArgs command})"
+
+      if test $? -ne 0; then
+         printf "%s" "$report" | \
+         buildkite-agent annotate ${
+           lib.escapeShellArgs ([
+             "--style"
+             style
+           ] ++ lib.optionals (context != null) [
+             "--context"
+             context
+           ])
+         }
+      fi
+    '';
 
 in
 depot.nix.readTree.drvTargets {
@@ -167,12 +166,14 @@ depot.nix.readTree.drvTargets {
     lock-file-report
     ;
 
-
   tree-lock-file-report = tree-lock-file-report // {
     meta.ci.extraSteps.run = {
       label = "Check all crates used in depot for advisories";
       alwaysRun = true;
-      command = check-all-our-lock-files;
+      command = buildkiteReportStep {
+        command = [ depot-rust-crates-advisory-report ];
+        style = "warning";
+      };
     };
   };
 }
-- 
cgit 1.4.1