From 7923fbf8c9dc6dc74027d5d8d9954e5e41d8c1bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Tue, 25 Jun 2024 17:24:53 +0200 Subject: [PATCH 01/68] ci: Add initial CI --- .github/pipeline.yaml | 23 +++ .gitlab/.gitignore | 1 + .gitlab/container/Containerfile | 37 +++++ .gitlab/pipeline.yaml | 44 ++++++ .gitlab/scripts/before-script.sh | 11 ++ .gitlab/scripts/upload-images.sh | 39 +++++ justfile | 19 ++- tools/format-rust.sh | 15 ++ tools/general.sh | 186 +++++++++++++++++++++++ tools/lint-rust.sh | 23 +++ {nix => tools/nix}/flake.lock | 0 {nix => tools/nix}/flake.nix | 4 +- tools/start-gitlab-runner-docker.sh | 155 +++++++++++++++++++ tools/start-gitlab-runner-podman.sh | 223 ++++++++++++++++++++++++++++ 14 files changed, 774 insertions(+), 6 deletions(-) create mode 100644 .github/pipeline.yaml create mode 100644 .gitlab/.gitignore create mode 100644 .gitlab/container/Containerfile create mode 100644 .gitlab/pipeline.yaml create mode 100755 .gitlab/scripts/before-script.sh create mode 100755 .gitlab/scripts/upload-images.sh create mode 100755 tools/format-rust.sh create mode 100755 tools/general.sh create mode 100755 tools/lint-rust.sh rename {nix => tools/nix}/flake.lock (100%) rename {nix => tools/nix}/flake.nix (94%) create mode 100755 tools/start-gitlab-runner-docker.sh create mode 100755 tools/start-gitlab-runner-podman.sh diff --git a/.github/pipeline.yaml b/.github/pipeline.yaml new file mode 100644 index 0000000..4fe0479 --- /dev/null +++ b/.github/pipeline.yaml 
@@ -0,0 +1,23 @@ +name: rdf-protect + +on: [push] + +jobs: + trigger-gitlab: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Mirror + Trigger CI + uses: SvanBoxel/gitlab-mirror-and-ci-action@master + with: + args: "https://gitlab.com//" + env: + FOLLOW_TAGS: "false" + FORCE_PUSH: "true" + GITLAB_HOSTNAME: "gitlab.datascience.ch" + GITLAB_USERNAME: ${{ secrets.GITLAB_USERNAME }} + GITLAB_PASSWORD: ${{ secrets.GITLAB_PASSWORD }} + GITLAB_PROJECT_ID: "454" + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.gitlab/.gitignore b/.gitlab/.gitignore new file mode 100644 index 0000000..4083037 --- /dev/null +++ b/.gitlab/.gitignore @@ -0,0 +1 @@ +local diff --git a/.gitlab/container/Containerfile b/.gitlab/container/Containerfile new file mode 100644 index 0000000..79f14c6 --- /dev/null +++ b/.gitlab/container/Containerfile 
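Review bot: The `Mirror + Trigger CI` step runs `SvanBoxel/gitlab-mirror-and-ci-action@master`, a mutable branch reference to a third-party action that is handed `GITLAB_PASSWORD` and `GITHUB_TOKEN`; whoever can push to that repository's `master` changes what executes with those credentials on the next run. Pin it to a full-length commit SHA and let a bot bump it, e.g. `uses: SvanBoxel/gitlab-mirror-and-ci-action@<full-commit-sha>  # <tag>`. The same `@master` reference is carried unchanged into the later edits of this file in patches 03 and 04 and into `.github/workflows/trigger-gitlab.yaml` in patch 05. If `GITLAB_PASSWORD` is an account password rather than a project access token limited to `write_repository`, a scoped token would bound what the action can do with it.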
@@ -0,0 +1,37 @@ +# This is a docker image containing docker and a Nix store. +# This enables to either run Docker images inside this one, +# or use `nix develop` to start a sandboxed environment to +# do other non-docker related stuff. + +FROM alpine:latest as base-podman +LABEL org.opencontainers.image.source https://github.com/sdsc-ordes/rdf-protect +LABEL org.opencontainers.image.description "CI container image for rdf-protect" +LABEL org.opencontainers.image.license "Apache" + +RUN apk add findutils coreutils git jq curl bash just parallel podman + +# Nix Image +# =============================================== +FROM base-podman as ci-nix +RUN [ "TARGETPLATFORM" = "linux/amd64" ] || echo "Platform not yet supported." +COPY ./tools /container-setup + +# Install Nix and pre-cache the env. +RUN bash -c ". /container-setup/general.sh && ci_setup_nix" +COPY rust-toolchain.toml /container-setup/ +RUN cd /container-setup && \ + git init && git add . && \ + nix --accept-flake-config \ + build --no-link "./tools/nix#devShells.x86_64-linux.ci" + +# Format image. +# =============================================== +FROM ci-nix as ci-format + +# Lint image. +# =============================================== +FROM ci-nix as ci-lint + +# Build image. +# =============================================== +FROM ci-nix as ci-build diff --git a/.gitlab/pipeline.yaml b/.gitlab/pipeline.yaml new file mode 100644 index 0000000..7ff4d84 --- /dev/null +++ b/.gitlab/pipeline.yaml 
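Review bot: `RUN [ "TARGETPLATFORM" = "linux/amd64" ] || echo "Platform not yet supported."` compares the literal string `TARGETPLATFORM` with `linux/amd64`, so it is always false, always prints the message and never stops the build; there is also no `ARG TARGETPLATFORM` in the stage, so adding a `$` alone would compare an empty string. If the platform gate is intended, declare the arg and fail hard: `ARG TARGETPLATFORM` followed by `RUN [ "$TARGETPLATFORM" = "linux/amd64" ] || { echo "Platform not yet supported."; exit 1; }` (the later `nix build` already hard-codes `x86_64-linux`). `FROM alpine:latest` and the unpinned `RUN apk add findutils coreutils ...` make the CI image non-reproducible between rebuilds; pin the base by tag or digest and use `apk add --no-cache` with package versions. The three `LABEL` lines use the legacy space-separated form; `LABEL org.opencontainers.image.source="https://github.com/sdsc-ordes/rdf-protect"` is the documented `key=value` form.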
@@ -0,0 +1,44 @@ +stages: + - lint + - format + - build + +.defaults-rules: &defaults-rules + - if: "$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME =~ /^feature|bugfix/ || + $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH" + when: always + +.main-rules: &main-rules + - if: "$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH" + when: always + +lint: + stage: lint + needs: [] + image: ghcr.io/sdsc-ordes/rdf-protect:ci-lint-1.0.0 + rules: + - *defaults-rules + script: + - source .gitlab/scripts/before-script.sh + - nix develop .#ci --command just lint + +format: + stage: format + needs: [] + image: ghcr.io/sdsc-order/rdf-protect:ci-format-1.0.0 + rules: + - *defaults-rules + script: + - source .gitlab/scripts/before-script.sh + - nix develop .#ci --command just format-general + - nix develop .#ci --command just format + +build: + stage: build + needs: [] + image: ghcr.io/sdsc-ordes/rdf-protect:ci-build-1.0.0 + rules: + - *defaults-rules + script: + - source .gitlab/scripts/before-script.sh + - nix develop .#ci --command just build diff --git a/.gitlab/scripts/before-script.sh b/.gitlab/scripts/before-script.sh new file mode 100755 index 0000000..8bd981d --- /dev/null +++ b/.gitlab/scripts/before-script.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash +# shellcheck disable=SC1090,SC1091 +# This script is sourced. +set -u + +ROOT_DIR=$(git rev-parse --show-toplevel) +. "$ROOT_DIR/tools/general.sh" + +ci_container_mgr_setup + +unset ROOT_DIR diff --git a/.gitlab/scripts/upload-images.sh b/.gitlab/scripts/upload-images.sh new file mode 100755 index 0000000..18c5f8b --- /dev/null +++ b/.gitlab/scripts/upload-images.sh 
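Review bot: The `format` job pulls `ghcr.io/sdsc-order/rdf-protect:ci-format-1.0.0` while the `lint` and `build` jobs and `upload-images.sh` use the `sdsc-ordes` namespace, so this job references an image nothing in this series publishes; the same typo survives into the reworked `format` job in patch 05. Change it to `image: ghcr.io/sdsc-ordes/rdf-protect:ci-format-1.0.0`. In `.defaults-rules` the regex `/^feature|bugfix/` anchors only the first alternative, so any branch name containing `bugfix` anywhere matches; if the anchor is meant for both, use `/^(feature|bugfix)/`.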
@@ -0,0 +1,39 @@ +#!/usr/bin/env bash +# shellcheck disable=SC1090,SC1091 +set -e +set -u + +ROOT_DIR=$(git rev-parse --show-toplevel) +. "$ROOT_DIR/tools/general.sh" + +cd "$ROOT_DIR" + +function build_ci_image() { + local image_type="$1" + local repository="$2" + local tag="$image_type-$3" + + local image_name="$repository:$tag" + + print_info "Building image '$image_name'." + + ci_container_mgr build -f "$container_file" \ + --target "$image_type" \ + -t "$image_name" \ + . || die "Could not build image." + + ci_container_mgr push -f "$image_name" || die "Could not upload image." +} + +repository="${1:-ghcr.io/sdsc-ordes/rdf-protect}" +tag="${2:-1.0.0}" +container_file=".gitlab/container/Containerfile" + +if [ "${CI:-}" = "true" ]; then + ci_container_mgr_login "$DOCKER_REPOSITORY_READ_USERNAME" "$DOCKER_REPOSITORY_READ_TOKEN" +fi + +readarray -t images < <(grep -E "as ci-.*" "$container_file" | sed -E 's@.*as (ci-.*)$@\1@g') +for image in "${images[@]}"; do + build_ci_image "$image" "$repository" "$tag" +done diff --git a/justfile b/justfile index 4b357bb..f80ea28 100644 --- a/justfile +++ b/justfile @@ -9,7 +9,7 @@ container_mgr := "podman" # Enter a Nix development shell. nix-develop: - cd "{{root_dir}}" && nix develop ./nix#default + cd "{{root_dir}}" && nix develop ./tools/nix#default # Build the executable. build *args: @@ -23,7 +23,18 @@ watch: run: cd "{{root_dir}}" && cargo run "${@:1}" -format: +format-general *args: + # Not implemented yet. + true + +format *args: + cd "{{comp_dir}}" && \ + "{{root_dir}}/tools/format-rust.sh" {{args}} + +lint *args: + cd "{{comp_dir}}" && \ + "{{root_dir}}/tools/lint-rust.sh" {{args}} + +upload-ci-images: cd "{{root_dir}}" && \ - {{container_mgr}} run -v "{{root_dir}}:/repo" -v "$(pwd):/workspace" -w "/workspace" \ - instrumentisto/rust:nightly-alpine cargo fmt -- --config-path /repo + .gitlab/scripts/upload-images.sh diff --git a/tools/format-rust.sh b/tools/format-rust.sh new file mode 100755 index 0000000..5e441a9 
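Review bot: `ci_container_mgr_login "$DOCKER_REPOSITORY_READ_USERNAME" "$DOCKER_REPOSITORY_READ_TOKEN"` logs in with credentials named as read-only and then pushes to `$repository`; a push needs a write-scoped token, and a `*_READ_*` name on a token that can push invites reusing it elsewhere with more scope than the name suggests. `ci_container_mgr_login` in the `tools/general.sh` hunk also never names a registry, so `login` targets the container manager's default registry rather than the `ghcr.io` host derived from `$repository`; pass it explicitly, e.g. `ci_container_mgr_login "${repository%%/*}" "$user" "$token"`, and forward it as the positional registry argument to `login` in `general.sh`. `$container_file` is read inside `build_ci_image` but only assigned as a global after the function definition; it works because of call order, but passing it as a fourth argument would make the function self-contained.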
--- /dev/null +++ b/tools/format-rust.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash +# shellcheck disable=SC1090,SC1091 +set -e +set -u + +ROOT_DIR=$(git rev-parse --show-toplevel) +. "$ROOT_DIR/tools/general.sh" + +cd "$ROOT_DIR" + +print_info "Run Rust format." +ci_wrap_container \ + ghcr.io/sdsc-ordes/rdf-protect:ci-format-1.0.0 \ + nix develop ./tools/nix#ci --command \ + cargo fmt "$@" diff --git a/tools/general.sh b/tools/general.sh new file mode 100755 index 0000000..c716861 --- /dev/null +++ b/tools/general.sh 
@@ -0,0 +1,186 @@ +#!/usr/bin/env bash +# shellcheck disable=SC1090,SC1091 +# shellcheck disable=SC2154,SC2086 + +function _print() { + local color="$1" + local flags="$2" + local header="$3" + shift 3 + + local hasColor="0" + if [ "${FORCE_COLOR:-}" != 1 ]; then + [ -t 1 ] && hasColor="1" + else + hasColor="1" + fi + + if [ "$hasColor" = "0" ] || [ "${LOG_COLORS:-}" = "false" ]; then + local msg + msg=$(printf '%b\n' "$@") + msg="${msg//$'\n'/$'\n' }" + echo $flags -e "-- $header$msg" + else + local s=$'\033' e='[0m' + local msg + msg=$(printf "%b\n" "$@") + msg="${msg//$'\n'/$'\n' }" + echo $flags -e "${s}${color}-- $header$msg${s}${e}" + fi +} +function print_info() { + _print "[0;94m" "" "" "$@" +} + +function print_warning() { + _print "[0;31m" "" "WARN: " "$@" >&2 +} + +function print_error() { + _print "[0;31m" "" "ERROR: " "$@" >&2 +} + +function die() { + print_error "$@" + exit 1 +} + +function ci_is_running() { + if [ "${CI:-}" = "true" ]; then + return 0 + fi + + return 1 +} + +function ci_wrap_container() { + local container="$1" + shift 1 + local cmd=("$@") + + if [ "$OSTYPE" = "nixos" ]; then + "${cmd[@]}" + else + ci_container_mgr_run_mounted "$(pwd)" "$container" "${cmd[@]}" + fi +} + +function ci_setup_githooks() { + local installPrefix="${1:-$CI_BUILDS_DIR/githooks}" + mkdir -p "$installPrefix" + + print_info "Install Githooks in '$installPrefix'." + githooks-cli installer --non-interactive --prefix "$installPrefix" + + git hooks config enable-containerized-hooks --global --set + git hooks config container-manager-types --global --set "podman,docker" + + print_info "Pull all shared Githooks repositories." + git hooks shared update + + export CI_GITHOOKS_INSTALL_PREFIX="$installPrefix" +} + +function ci_setup_nix() { + local install_prefix="${1:-/usr/sbin}" + + print_info "Install Nix." 
+ apk add curl bash xz shadow + sh <(curl -L https://nixos.org/nix/install) --daemon --yes + cp /root/.nix-profile/bin/* "$install_prefix/" + + print_info "Enable Features for Nix." + mkdir -p ~/.config/nix + { + echo "experimental-features = nix-command flakes" + echo "accept-flake-config = true" + } >~/.config/nix/nix.conf +} + +# Run the container manager which is defined. +function ci_container_mgr() { + if command -v podman &>/dev/null; then + echo -e "Running podman as:\n$(printf "'%s' " "podman" "$@")" >&2 + podman "$@" + else + echo -e "Running docker as:\n$(printf "'%s' " "docker" "$@")" + docker "$@" + fi +} + +# Define the container id `CI_JOB_CONTAINER_ID` where +# this job runs. Useful to mount same volumes as in +# this container with `ci_run_podman`. +function ci_container_mgr_setup() { + export CONTAINER_HOST="unix://var/run/podman.sock" + print_info "Container host: '$CONTAINER_HOST'" + + job_container_id=$(ci_container_mgr ps \ + --filter "label=com.gitlab.gitlab-runner.type=build" \ + --filter "label=com.gitlab.gitlab-runner.job.id=$CI_JOB_ID" \ + --filter "label=com.gitlab.gitlab-runner.project.id=$CI_PROJECT_ID" \ + --filter "label=com.gitlab.gitlab-runner.pipeline.id=$CI_PIPELINE_ID" \ + --format "{{ .ID }}") || + die "Could not find 'build' container for job id: '$CI_JOB_ID'." + + [ -n "$job_container_id" ] || die "Job id is empty." + + export CI_JOB_CONTAINER_ID="$job_container_id" + print_info "Job container id: '$CI_JOB_CONTAINER_ID'" +} + +function ci_container_mgr_login() { + local user="$1" + local token="$2" + + [ -n "$token" ] || die "Docker login token is empty" + echo "$token" | + ci_container_mgr login --password-stdin --username "$user" || + die "Could not log into docker." +} + +# Run container mgr. In CI with volume mount from the +# current build container `CI_JOB_CONTAINER_ID`. 
+function ci_container_mgr_run() { + if ci_is_running; then + ci_container_mgr run --volumes-from "$CI_JOB_CONTAINER_ID" "$@" + else + ci_container_mgr run "$@" + fi +} + +function ci_container_mgr_run_mounted() { + local repo workspace_rel in_cmd + repo=$(git rev-parse --show-toplevel) + workspace_rel=$(cd "$1" && pwd) + workspace_rel=$(realpath --relative-to "$repo" "$workspace_rel") + + shift 1 + in_cmd=("$@") + + local mnt_args=() + local cmd=() + + if ! ci_is_running; then + cmd=("${in_cmd[@]}") + mnt_args+=(-v "$repo:/repo") + mnt_args+=(-w "/repo/$workspace_rel") + else + # Not needed to mount anything, since already existing + # under the same path as `repo`. + # + # All `/repo` and `/workspace` paths in + # command given are replaced with correct + # paths to mounted volume in CI + for arg in "${in_cmd[@]}"; do + cmd+=("$(echo "$arg" | + sed -E \ + -e "s@/workspace@$workspace_rel@g" \ + -e "s@/repo@$repo@g")") + done + + mnt_args+=(-w "$repo/$workspace_rel") + fi + + ci_container_mgr_run "${mnt_args[@]}" "${cmd[@]}" +} diff --git a/tools/lint-rust.sh b/tools/lint-rust.sh new file mode 100755 index 0000000..c670387 --- /dev/null +++ b/tools/lint-rust.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash +# shellcheck disable=SC1090,SC1091 +set -e +set -u + +ROOT_DIR=$(git rev-parse --show-toplevel) +. "$ROOT_DIR/tools/general.sh" + +cd "$ROOT_DIR" + +print_info "Run Rust Clippy linter." +ci_wrap_container \ + ghcr.io/sdsc-ordes/rdf-protect:ci-lint-1.0.0 \ + nix develop ./tools/nix#ci --command \ + cargo clippy --no-deps -- -A clippy::needless_return "$@" || + die "Rust clippy failed." + +print_info "Run Rust Miri to check undefined behaviour." +ci_wrap_container \ + ghcr.io/sdsc-ordes/rdf-protect:ci-lint-1.0.0 \ + nix develop ./tools/nix#ci --command \ + cargo miri test "$@" || + die "Rust Miri failed." diff --git a/nix/flake.lock b/tools/nix/flake.lock similarity index 100% rename from nix/flake.lock rename to tools/nix/flake.lock 
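Review bot: In `ci_container_mgr` the docker branch prints its `Running docker as:` banner to stdout while the podman branch sends it to stderr; `ci_container_mgr_setup` captures stdout with `job_container_id=$(ci_container_mgr ps ... --format "{{ .ID }}")`, so under docker the banner becomes part of `CI_JOB_CONTAINER_ID`. Add the redirect: `echo -e "Running docker as:\n$(printf "'%s' " "docker" "$@")" >&2`. `ci_setup_nix` executes `sh <(curl -L https://nixos.org/nix/install)` as root during the image build with no version pin and no checksum, so the toolchain in the CI image depends on whatever that URL serves at build time; fetch a fixed release (`https://releases.nixos.org/nix/nix-<VERSION>/install`) and compare it against its published checksum before running it. `ci_wrap_container` tests `[ "$OSTYPE" = "nixos" ]`, but bash's `OSTYPE` reflects the build target (it reads `linux-gnu` on NixOS too, as far as I know), so the non-container branch looks unreachable; checking for `/etc/NIXOS` or `ID=nixos` in `/etc/os-release` would express the intent.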
diff --git a/nix/flake.nix b/tools/nix/flake.nix similarity index 94% rename from nix/flake.nix rename to tools/nix/flake.nix index 7f42e5e..bbe473b 100644 --- a/nix/flake.nix +++ b/tools/nix/flake.nix @@ -57,7 +57,7 @@ }; # Set the rust toolchain from the `rust-toolchain.toml`. - rustToolchain = pkgs.pkgsBuildHost.rust-bin.fromRustupToolchainFile ../rust-toolchain.toml; + rustToolchain = pkgs.pkgsBuildHost.rust-bin.fromRustupToolchainFile ../../rust-toolchain.toml; # Things needed only at compile-time. nativeBuildInputsBasic = with pkgs; [ @@ -84,7 +84,7 @@ ci = mkShell { inherit buildInputs; - nativeBuildInputs = nativeBuildInputsBasic; + nativeBuildInputs = nativeBuildInputsBasic ++ nativeBuildInputsDev; }; }; } diff --git a/tools/start-gitlab-runner-docker.sh b/tools/start-gitlab-runner-docker.sh new file mode 100755 index 0000000..c52ed8e --- /dev/null +++ b/tools/start-gitlab-runner-docker.sh 
@@ -0,0 +1,155 @@ +#!/usr/bin/env bash +# shellcheck disable=SC1090,SC1091 +# +# Create a gitlab runner (docker executor) +# by first visiting `CI/CD Settings` page and +# creating a `linux` runner which gives you a `` needed +# for this script. +# +# This creates a docker container which runs the Gitlab runner +# which will execute jobs over the `docker` executor. +# The running container is not that safe in the sense that the Docker socket +# is mounted into the container (privilege escalation can be done: +# - https://blog.nestybox.com/2020/10/21/gitlab-dind.html +# - https://github.com/stealthcopter/deepce). +# +# TODO: This script should use the runtime `sysbox-runc` for better isolation. +# So far its not available on NixOS. +# https://github.com/NixOS/nixpkgs/issues/271901 +# +# The `gitlab-runner` does not forward the socket to the job containers +# because that would be to risky. Nevertheless, +# docker-in-docker for a job works as shown below. +# +# Usage: +# ```shell +# start-gitlab-runner-docker.sh [--force] [] +# ``` +# Read token from stdin. + +# Usage in Pipeline: +# +# A job which uses `docker` to run/build images. +# the `service`-container `docker:24-dind`. +# +# ```yaml +# docker-run-build: +# image: docker:24 +# # +# # When you use the dind service, you must instruct Docker to talk with +# # the daemon started inside of the service 'docker:*-dind'. +# # The daemon is available with a network connection instead of the default +# # /var/run/docker.sock socket. +# # Docker does this automatically by setting the DOCKER_HOST in +# # https://github.com/docker-library/docker/blob/master/docker-entrypoint.sh#L30 +# # The 'docker' hostname is the alias of the service container as described +# # at https://docs.gitlab.com/ee/ci/services/#accessing-the-services. 
+# # which is `docker` and then DOCKER_HOST=tcp://docker:2376 +# services: +# - docker:24-dind +# +# script: +# - docker info +# - docker run alpine:latest cat /etc/os-release +# - docker build -f Dockerfile . +# ``` + +set -e +set -u + +ROOT=$(git rev-parse --show-toplevel) +. "$ROOT/tools/general.sh" + +force="false" +max_jobs=4 +config_dir="$ROOT/.gitlab/local/config" +runner_name="gitlab-runner-md2pdf-docker" +cores=$(grep "^cpu\\scores" /proc/cpuinfo | uniq | cut -d ' ' -f 3) + +function modify_config() { + local key="$1" + local value="$2" + local type="${3:-json}" + + docker run --rm -v "$config_dir/config.toml:/config.toml" \ + "ghcr.io/tomwright/dasel" put -f /config.toml \ + -t "$type" \ + -s "$key" \ + -v "$value" || + die "Could not set gitlab runner config key '$key' to '$value'" +} + +function create() { + local token="${1:-}" + + if [ "$token" = "-" ] || [ -z "$token" ]; then + read -rs -p "Enter Gitlab Runner Token: " token || + die "Could not read token from TTY." + fi + + rm -rf "$config_dir" >/dev/null || true + mkdir -p "$config_dir" + + docker run -d \ + --cpus "$cores" \ + --name "$runner_name" \ + --restart always \ + -v /var/run/docker.sock:/var/run/docker.sock \ + -v "$config_dir":/etc/gitlab-runner \ + gitlab/gitlab-runner:latest || die "Could not create gitlab-runner" + + docker exec -it "$runner_name" gitlab-runner register \ + --non-interactive \ + --url "https://gitlab.com" \ + --token "$token" \ + --executor docker \ + --description "$runner_name" \ + --docker-image "alpine:latest" \ + --docker-privileged \ + --docker-volumes "/certs/client" || die "Could not start gitlab runner" + + modify_config ".concurrent" "$max_jobs" + modify_config ".runners.first().docker.pull_policy" \ + '["always", "if-not-present"]' + + docker exec -it "$runner_name" gitlab-runner start || die "Could not start runner." +} + +function stop() { + if is_running; then + print_info "Stop runner '$runner_name' ..." 
+ docker stop "$runner_name" + + fi + + if is_exited; then + # shellcheck disable=SC2046 + docker rm $(docker ps -a -q) + fi +} + +function is_running() { + [ "$(docker inspect -f '{{.State.Status}}' "$runner_name" 2>/dev/null || true)" = 'running' ] || return 1 + return 0 +} + +function is_exited() { + [ "$(docker inspect -f '{{.State.Status}}' "$runner_name" 2>/dev/null || true)" = 'exited' ] || return 1 + return 0 +} + +if [ "${1:-}" = "--force" ]; then + force="true" + shift 1 +fi + +if [ "$force" = "true" ]; then + stop +fi + +if ! is_running; then + create "$@" +else + print_info "Gitlab runner '$runner_name' is already running. Restart it." + docker restart "$runner_name" || die "Could not restart gitlab runner" +fi diff --git a/tools/start-gitlab-runner-podman.sh b/tools/start-gitlab-runner-podman.sh new file mode 100755 index 0000000..efc9ae8 --- /dev/null +++ b/tools/start-gitlab-runner-podman.sh 
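Review bot: In `stop`, `docker rm $(docker ps -a -q)` removes every container on the host, not the runner that `is_exited` just tested; on a developer machine that deletes unrelated stopped containers, and any running one makes the whole `rm` fail. Replace it with `docker rm "$runner_name"`; the same pattern appears as `podman rm $(podman ps -a -q)` in `tools/start-gitlab-runner-podman.sh` in this patch. `docker exec -it` in `create` requires a TTY, so registration fails when the script is driven non-interactively; `-i` is enough for `register` (the token is passed as a flag) and `start` needs neither. `gitlab/gitlab-runner:latest` is run with the Docker socket mounted and registers with `--docker-privileged`, so an unpinned image is given host-root-equivalent access; pinning a tag or digest at least makes what runs with that privilege reviewable.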
@@ -0,0 +1,223 @@ +#!/usr/bin/env bash +# shellcheck disable=SC1090,SC1091,SC2015 +# +# Create a gitlab runner (docker executor) +# by first visiting `CI/CD Settings` page and +# creating a `linux` runner which gives you a `` needed +# for this script. +# +# This creates a container which runs the Gitlab runner +# which will execute jobs over the `podman` executor. +# +# This container is based on [`pipglr`](https://gitlab.com/qontainers/pipglr) +# which uses two container volumes (`pipglr-storage` and `pipglr-cache`) +# which are attached and contains +# `podman` (user `podman`) and `gitlab-runner` (user `runner`) +# to have a rootless container experience which provides much more security. +# The two volumes contain the images created/built by CI. The volumes can safely +# be wiped if space is needed. +# +# The podman socket created inside this container +# will be mounted to each job container the `gitlab-runner` creates. +# This makes also use of caching directly possible which is cool. +# +# Usage: +# ```shell +# start-gitlab-runner-docker.sh [--force] [] +# ``` +# Read token from stdin. +# ```shell +# start-gitlab-runner-docker.sh [--force] - +# +# Usage in Pipeline: +# +# A job which uses `podman` (linked to podman) to run/build images. +# The gitlab-runner cannot serve `services` statements as in the +# `start-gitlab-runner-docker.sh` (uses `docker` +# `--link` which is anyway deprecated) +# +# ```yaml +# podman-remote-run-build: +# image: quay.io/podman/stable:latest +# variables: +# CONTAINER_HOST: unix://var/run/docker.sock +# script: +# - podman info +# - podman run alpine:latest cat /etc/os-release +# - podman build -f Dockerfile . +# ``` +# +# The following (custom build image) also works: +# +# ```yaml +# podman-remote-alpine-run-build: +# image: alpine:latest +# variables: +# CONTAINER_HOST: unix://var/run/docker.sock +# script: +# - apk add podman +# - podman info +# - podman run alpine:latest cat /etc/os-release +# - podman build -f Dockerfile . 
+# ``` + +set -e +set -u + +ROOT=$(git rev-parse --show-toplevel) +. "$ROOT/tools/general.sh" + +force="false" +max_jobs=4 +config_dir="$ROOT/.gitlab/local/config" +runner_name="gitlab-runner-md2pdf-podman" +cores=$(grep "^cpu\\scores" /proc/cpuinfo | uniq | cut -d ' ' -f 3) +# image="registry.gitlab.com/qontainers/pipglr:latest" +image="pipglr:dev-latest-alpine" + +function clean_up() { + if [ -f "$config_dir/config.toml" ]; then + rm -rf "$config_dir/config.toml" + fi +} + +trap clean_up EXIT +function modify_config() { + local key="$1" + local value="$2" + local type="${3:-json}" + + podman run --rm -v "$config_dir/config.toml:/config.toml" \ + "ghcr.io/tomwright/dasel" put -f /config.toml \ + -t "$type" \ + -s "$key" \ + -v "$value" || + die "Could not set gitlab runner config key '$key' to '$value'" +} + +function register_runner() { + print_info "Registering gitlab-runner ..." + local token="${1:-}" + + if [ "$token" = "-" ] || [ -z "$token" ]; then + read -rs -p "Enter Gitlab Runner Token: " token || + die "Could not read token from stdin." + fi + + podman secret rm REGISTRATION_TOKEN &>/dev/null || true + echo "$token" | podman secret create REGISTRATION_TOKEN - || + die "Could not set registration token secret." + + # Register Gitlab runner. + (cd "$config_dir" && + touch config.toml && + podman container runlabel register "$image") || + die "Could not register gitlab-runner." + + # Modify Gitlab runner config. + modify_config ".concurrent" "$max_jobs" + modify_config ".runners.first().docker.pull_policy" \ + '["always"]' + modify_config ".runners.first().docker.volumes.append()" \ + "/home/runner/podman.sock:/var/run/podman.sock:rw" string + + # Add an auxiliary volume `auxvol`. 
+ modify_config ".runners.first().docker.volumes.append()" \ + "auxvol:/auxvol" string + + modify_config ".runners.first().pre_build_script" \ + "echo 'Prebuild'\\nenv" string + + podman secret rm config.toml &>/dev/null || true + podman secret create config.toml "$config_dir/config.toml" || + die "Could not create config.toml secret." + + print_info "Config file:" \ + "$(sed 's/token\s*=.*/token = ***/g' "$config_dir/config.toml")" + + rm "$config_dir/config.toml" +} + +function assert_volumes() { + print_info "Asserting needed volumes ..." + + local volumes + volumes=$(podman volume list --format="{{ .Name }}") || + die "Could not get volumes" + + if ! echo "$volumes" | grep -q "pipglr-storage"; then + podman container runlabel setupstorage "$image" + fi + + if ! echo "$volumes" | grep -q "pipglr-cache"; then + podman container runlabel setupcache "$image" + fi +} + +function start_runner() { + print_info "Start runner '$runner_name' ..." + + # Run the Gitlab runner. We cannot user `podman container runlabel run "$image"` + # because we need to set some cpu constraints. + podman run -dt --name "$runner_name" \ + --cpus "$cores" \ + --secret config.toml,uid=1001,gid=1001 \ + -v pipglr-storage:/home/podman/.local/share/containers \ + -v pipglr-cache:/cache \ + --systemd true --privileged \ + --device /dev/fuse "$image" + + podman exec -it --user root "$runner_name" \ + bash -c "mkdir -p /etc/containers; + cp /usr/share/containers/seccomp.json /etc/containers/seccomp.json" +} + +function create() { + rm -rf "$config_dir" >/dev/null || true + mkdir -p "$config_dir" + + register_runner "$@" + assert_volumes + + start_runner +} + +function stop() { + if is_running; then + print_info "Stop runner '$runner_name' ..." 
+ podman stop "$runner_name" + + fi + + if is_exited; then + # shellcheck disable=SC2046 + podman rm $(podman ps -a -q) + fi +} + +function is_running() { + [ "$(podman inspect -f '{{.State.Status}}' "$runner_name" 2>/dev/null || true)" = 'running' ] || return 1 + return 0 +} + +function is_exited() { + [ "$(podman inspect -f '{{.State.Status}}' "$runner_name" 2>/dev/null || true)" = 'exited' ] || return 1 + return 0 +} + +if [ "${1:-}" = "--force" ]; then + force="true" + shift 1 +fi + +if [ "$force" = "true" ]; then + stop +fi + +if ! is_running; then + create "$@" +else + print_info "Gitlab runner '$runner_name' is already running. Restart it." + podman restart "$runner_name" || + die "Could not restart gitlab runner '$runner_name'." +fi From cad61c22d3fccd46d35c83a190b6dc62ace5d3c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Tue, 25 Jun 2024 17:39:11 +0200 Subject: [PATCH 02/68] chore: Move workflow file --- .github/{ => workflows}/pipeline.yaml | 0 .gitlab/container/Containerfile | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename .github/{ => workflows}/pipeline.yaml (100%) diff --git a/.github/pipeline.yaml b/.github/workflows/pipeline.yaml similarity index 100% rename from .github/pipeline.yaml rename to .github/workflows/pipeline.yaml diff --git a/.gitlab/container/Containerfile b/.gitlab/container/Containerfile index 79f14c6..4803dd9 100644 --- a/.gitlab/container/Containerfile +++ b/.gitlab/container/Containerfile @@ -22,7 +22,7 @@ COPY rust-toolchain.toml /container-setup/ RUN cd /container-setup && \ git init && git add . && \ nix --accept-flake-config \ - build --no-link "./tools/nix#devShells.x86_64-linux.ci" + build --no-link "./nix#devShells.x86_64-linux.ci" # Format image. # =============================================== From 981015e60f3889b4a488f2abe0b57ae9a4a40e58 Mon Sep 17 00:00:00 2001 
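Review bot: `modify_config ".runners.first().pre_build_script" "echo 'Prebuild'\\nenv" string` makes every job dump its complete environment into the job log before the build starts; on a GitLab runner that environment carries the non-file CI/CD variables, including the `DOCKER_REPOSITORY_READ_TOKEN` that `upload-images.sh` reads, and log masking only covers variables explicitly flagged as masked. Drop `env` from the pre-build script, or print only the handful of variables you actually need to debug. The `stop` function has the same host-wide `podman rm $(podman ps -a -q)` that is raised on the docker variant; `podman rm "$runner_name"` is the intended scope.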
From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Tue, 25 Jun 2024 17:41:28 +0200 Subject: [PATCH 03/68] ci: Update Github checkout step --- .github/workflows/pipeline.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 4fe0479..9f2a3da 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -5,14 +5,15 @@ on: [push] jobs: trigger-gitlab: runs-on: ubuntu-latest + environment: "CI Gitlab" steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Mirror + Trigger CI uses: SvanBoxel/gitlab-mirror-and-ci-action@master with: - args: "https://gitlab.com//" + args: "https://gitlab.datascience.ch/gabriel.nuetzi/rdf-protect" env: FOLLOW_TAGS: "false" FORCE_PUSH: "true" From f71221a0caed90940f8ccb46c0004eb370a90399 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Tue, 25 Jun 2024 18:21:02 +0200 Subject: [PATCH 04/68] ci: Fix shitty github actions... --- .github/workflows/pipeline.yaml | 2 +- .gitlab/container/Containerfile | 6 +++--- .gitlab/scripts/upload-images.sh | 2 +- justfile | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 9f2a3da..9c681ae 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -15,7 +15,7 @@ jobs: with: args: "https://gitlab.datascience.ch/gabriel.nuetzi/rdf-protect" env: - FOLLOW_TAGS: "false" + FOLLOW_TAGS: "true" FORCE_PUSH: "true" GITLAB_HOSTNAME: "gitlab.datascience.ch" GITLAB_USERNAME: ${{ secrets.GITLAB_USERNAME }} diff --git a/.gitlab/container/Containerfile b/.gitlab/container/Containerfile index 4803dd9..d7ea176 100644 --- a/.gitlab/container/Containerfile +++ b/.gitlab/container/Containerfile 
@@ -14,15 +14,15 @@ RUN apk add findutils coreutils git jq curl bash just parallel podman # =============================================== FROM base-podman as ci-nix RUN [ "TARGETPLATFORM" = "linux/amd64" ] || echo "Platform not yet supported." -COPY ./tools /container-setup +COPY ./tools /container-setup/tools # Install Nix and pre-cache the env. -RUN bash -c ". /container-setup/general.sh && ci_setup_nix" +RUN bash -c ". /container-setup/tools/general.sh && ci_setup_nix" COPY rust-toolchain.toml /container-setup/ RUN cd /container-setup && \ git init && git add . && \ nix --accept-flake-config \ - build --no-link "./nix#devShells.x86_64-linux.ci" + build --no-link "./tools/nix#devShells.x86_64-linux.ci" # Format image. # =============================================== diff --git a/.gitlab/scripts/upload-images.sh b/.gitlab/scripts/upload-images.sh index 18c5f8b..ab256c9 100755 --- a/.gitlab/scripts/upload-images.sh +++ b/.gitlab/scripts/upload-images.sh @@ -22,7 +22,7 @@ function build_ci_image() { -t "$image_name" \ . || die "Could not build image." - ci_container_mgr push -f "$image_name" || die "Could not upload image." + ci_container_mgr push "$image_name" || die "Could not upload image." } repository="${1:-ghcr.io/sdsc-ordes/rdf-protect}" diff --git a/justfile b/justfile index f80ea28..acc66c8 100644 --- a/justfile +++ b/justfile @@ -8,8 +8,8 @@ root_dir := `git rev-parse --show-toplevel` container_mgr := "podman" # Enter a Nix development shell. -nix-develop: - cd "{{root_dir}}" && nix develop ./tools/nix#default +nix-develop shell="zsh": + cd "{{root_dir}}" && nix develop ./tools/nix#default --command zsh # Build the executable. build *args: From 1f318f1972cce8e48f1e0e84a225bd8726938a19 Mon Sep 17 00:00:00 2001 
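Review bot: The new `nix-develop shell="zsh":` recipe declares a `shell` parameter but its body still hard-codes `--command zsh`, so `just nix-develop bash` silently ignores the argument. Use the parameter: `cd "{{root_dir}}" && nix develop ./tools/nix#default --command "{{shell}}"`.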
From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Tue, 25 Jun 2024 23:17:38 +0200 Subject: [PATCH 05/68] ci: Fix Github workflows --- .github/workflows/pipeline.yaml | 56 ++++++++++++++++++++------- .github/workflows/trigger-gitlab.yaml | 24 ++++++++++++ .gitlab/container/Containerfile | 4 +- .gitlab/pipeline.yaml | 20 +++++----- .gitlab/scripts/before-script.sh | 3 +- justfile | 17 ++++++-- 6 files changed, 93 insertions(+), 31 deletions(-) create mode 100644 .github/workflows/trigger-gitlab.yaml diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 9c681ae..0a3a140 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
@@ -1,24 +1,50 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json name: rdf-protect -on: [push] +on: + push: + branches: + - main + - "feat/*" + - "fix/*" + + pull_request: + branches: + - main jobs: - trigger-gitlab: + format: + runs-on: ubuntu-latest + container: + image: ghcr.io/sdsc-ordes/rdf-protect:ci-format-1.0.0 + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: 1 - format + run: | + source .gitlab/scripts/before-script.sh + just nix-develop-ci just format + + lint: runs-on: ubuntu-latest - environment: "CI Gitlab" + container: + image: ghcr.io/sdsc-ordes/rdf-protect:ci-lint-1.0.0 steps: - name: Checkout uses: actions/checkout@v4 + - name: 2 - lint + run: | + source .gitlab/scripts/before-script.sh && + just nix-develop-ci just lint - - name: Mirror + Trigger CI - uses: SvanBoxel/gitlab-mirror-and-ci-action@master - with: - args: "https://gitlab.datascience.ch/gabriel.nuetzi/rdf-protect" - env: - FOLLOW_TAGS: "true" - FORCE_PUSH: "true" - GITLAB_HOSTNAME: "gitlab.datascience.ch" - GITLAB_USERNAME: ${{ secrets.GITLAB_USERNAME }} - GITLAB_PASSWORD: ${{ secrets.GITLAB_PASSWORD }} - GITLAB_PROJECT_ID: "454" - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + build: + runs-on: ubuntu-latest + container: + image: ghcr.io/sdsc-ordes/rdf-protect:ci-build-1.0.0 + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: 3 - build + run: | + source .gitlab/scripts/before-script.sh && + just nix-develop-ci just build diff --git a/.github/workflows/trigger-gitlab.yaml b/.github/workflows/trigger-gitlab.yaml new file mode 100644 index 0000000..9c681ae --- /dev/null +++ b/.github/workflows/trigger-gitlab.yaml 
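Review bot: The `format` job's `run` block puts `source .gitlab/scripts/before-script.sh` and `just nix-develop-ci just format` on separate lines, while `lint` and `build` join the same two commands with `&&`; GitHub's default `run` shell is `bash -e`, so the result is the same, but the mixed form reads as if one of them were deliberate. Pick one shape for all three steps. All three jobs call `just nix-develop-ci`, and the only justfile hunk visible in this patch adds a blank line, so the recipe is presumably defined in a hunk outside this excerpt; worth confirming it exists before the workflow is enabled.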
@@ -0,0 +1,24 @@ +name: rdf-protect + +on: [push] + +jobs: + trigger-gitlab: + runs-on: ubuntu-latest + environment: "CI Gitlab" + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Mirror + Trigger CI + uses: SvanBoxel/gitlab-mirror-and-ci-action@master + with: + args: "https://gitlab.datascience.ch/gabriel.nuetzi/rdf-protect" + env: + FOLLOW_TAGS: "true" + FORCE_PUSH: "true" + GITLAB_HOSTNAME: "gitlab.datascience.ch" + GITLAB_USERNAME: ${{ secrets.GITLAB_USERNAME }} + GITLAB_PASSWORD: ${{ secrets.GITLAB_PASSWORD }} + GITLAB_PROJECT_ID: "454" + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.gitlab/container/Containerfile b/.gitlab/container/Containerfile index d7ea176..b19801e 100644 --- a/.gitlab/container/Containerfile +++ b/.gitlab/container/Containerfile @@ -22,7 +22,9 @@ COPY rust-toolchain.toml /container-setup/ RUN cd /container-setup && \ git init && git add . && \ nix --accept-flake-config \ - build --no-link "./tools/nix#devShells.x86_64-linux.ci" + build --no-link "./tools/nix#devShells.x86_64-linux.ci" && \ + nix store gc && \ + nix store optimise # Format image. # =============================================== diff --git a/.gitlab/pipeline.yaml b/.gitlab/pipeline.yaml index 7ff4d84..0c549b0 100644 --- a/.gitlab/pipeline.yaml +++ b/.gitlab/pipeline.yaml 
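Review bot: `SvanBoxel/gitlab-mirror-and-ci-action@master` is pinned to a moving branch while being handed `GITLAB_PASSWORD` and `GITHUB_TOKEN`, so any change on that branch runs with both credentials on every push. Pin the third-party action to a full commit SHA (`uses: SvanBoxel/gitlab-mirror-and-ci-action@<commit-sha>`) and review it before bumping. The job has no `permissions:` block either, so the token it forwards carries the repository default scope.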
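Review bot: `nix store gc` right after `build --no-link` deletes the dev shell that was just built, because `--no-link` leaves no GC root, so the pre-cached toolchain never survives into the image layer. Either keep a root (`build --out-link /container-setup/ci-env "./tools/nix#devShells.x86_64-linux.ci"`) or drop the `gc` step and keep only `nix store optimise`.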
@@ -12,26 +12,26 @@ stages: - if: "$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH" when: always -lint: - stage: lint +format: + stage: format needs: [] - image: ghcr.io/sdsc-ordes/rdf-protect:ci-lint-1.0.0 + image: ghcr.io/sdsc-order/rdf-protect:ci-format-1.0.0 rules: - *defaults-rules script: - source .gitlab/scripts/before-script.sh - - nix develop .#ci --command just lint + - just nix-develop-ci just format-general + - just nix-develop-ci just format -format: - stage: format +lint: + stage: lint needs: [] - image: ghcr.io/sdsc-order/rdf-protect:ci-format-1.0.0 + image: ghcr.io/sdsc-ordes/rdf-protect:ci-lint-1.0.0 rules: - *defaults-rules script: - source .gitlab/scripts/before-script.sh - - nix develop .#ci --command just format-general - - nix develop .#ci --command just format + - just nix-develop-ci just lint build: stage: build @@ -41,4 +41,4 @@ build: - *defaults-rules script: - source .gitlab/scripts/before-script.sh - - nix develop .#ci --command just build + - just nix-develop-ci just build diff --git a/.gitlab/scripts/before-script.sh b/.gitlab/scripts/before-script.sh index 8bd981d..00ecb42 100755 --- a/.gitlab/scripts/before-script.sh +++ b/.gitlab/scripts/before-script.sh @@ -6,6 +6,7 @@ set -u ROOT_DIR=$(git rev-parse --show-toplevel) . "$ROOT_DIR/tools/general.sh" -ci_container_mgr_setup +git config --global safe.directory "*" +# ci_container_mgr_setup unset ROOT_DIR diff --git a/justfile b/justfile index acc66c8..07a633b 100644 --- a/justfile +++ b/justfile @@ -11,6 +11,7 @@ container_mgr := "podman" nix-develop shell="zsh": cd "{{root_dir}}" && nix develop ./tools/nix#default --command zsh + # Build the executable. build *args: cd "{{root_dir}}" && cargo build "${@:1}" 
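Review bot: The `format` job's image is `ghcr.io/sdsc-order/rdf-protect:ci-format-1.0.0` while `lint` and `build` pull from `ghcr.io/sdsc-ordes/...`; the `sdsc-order` namespace looks like a typo carried over from the old block, and if that namespace is not owned by the project the job pulls whatever someone else publishes there. Change it to `image: ghcr.io/sdsc-ordes/rdf-protect:ci-format-1.0.0`. The same string appears as the image `name` in `tools/nix/images/ci.nix` in PATCH 06.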
@@ -23,18 +24,26 @@ watch: run: cd "{{root_dir}}" && cargo run "${@:1}" -format-general *args: - # Not implemented yet. - true - +# Format the code. format *args: cd "{{comp_dir}}" && \ "{{root_dir}}/tools/format-rust.sh" {{args}} +# Format all files other files. +format-general *args: + # Not implemented yet. + true + +# Lint all code. lint *args: cd "{{comp_dir}}" && \ "{{root_dir}}/tools/lint-rust.sh" {{args}} +# Upload all images for CI. upload-ci-images: cd "{{root_dir}}" && \ .gitlab/scripts/upload-images.sh + +# Enter a Nix development shell for CI. +nix-develop-ci: + cd "{{root_dir}}" && nix develop ./tools/nix#default --command "$@" From 3707104ab7e5b7bad942a28f74c0d27d57dea622 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Wed, 26 Jun 2024 07:22:38 +0200 Subject: [PATCH 06/68] fix: WIP --- .gitlab/{container => images}/Containerfile | 1 - .gitlab/scripts/upload-images.sh | 2 +- tools/nix/flake.nix | 33 ++++++++++++++------- tools/nix/images/ci.nix | 16 ++++++++++ 4 files changed, 40 insertions(+), 12 deletions(-) rename .gitlab/{container => images}/Containerfile (98%) create mode 100644 tools/nix/images/ci.nix diff --git a/.gitlab/container/Containerfile b/.gitlab/images/Containerfile similarity index 98% rename from .gitlab/container/Containerfile rename to .gitlab/images/Containerfile index b19801e..3d80d30 100644 --- a/.gitlab/container/Containerfile +++ b/.gitlab/images/Containerfile @@ -23,7 +23,6 @@ RUN cd /container-setup && \ git init && git add . && \ nix --accept-flake-config \ build --no-link "./tools/nix#devShells.x86_64-linux.ci" && \ - nix store gc && \ nix store optimise # Format image. diff --git a/.gitlab/scripts/upload-images.sh b/.gitlab/scripts/upload-images.sh index ab256c9..2920bea 100755 --- a/.gitlab/scripts/upload-images.sh +++ b/.gitlab/scripts/upload-images.sh 
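Review bot: `nix-develop-ci` declares no parameters but forwards `"$@"`, so `just nix-develop-ci just format` (as the workflows call it) is parsed by just as three recipe names rather than passing `just format` to `nix develop`, unless positional arguments are enabled and the recipe takes `*args`; the top of the justfile with any `set positional-arguments` is outside this hunk. The sibling recipes use `build *args:` with `"${@:1}"`, so make this one `nix-develop-ci *args:` as well. It also enters `./tools/nix#default` although `.gitlab/pipeline.yaml` previously used `.#ci`; a comment saying the two shells are intentionally the same would help.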
@@ -27,7 +27,7 @@ function build_ci_image() { repository="${1:-ghcr.io/sdsc-ordes/rdf-protect}" tag="${2:-1.0.0}" -container_file=".gitlab/container/Containerfile" +container_file=".gitlab/images/Containerfile" if [ "${CI:-}" = "true" ]; then ci_container_mgr_login "$DOCKER_REPOSITORY_READ_USERNAME" "$DOCKER_REPOSITORY_READ_TOKEN" diff --git a/tools/nix/flake.nix b/tools/nix/flake.nix index bbe473b..c8158e8 100644 --- a/tools/nix/flake.nix +++ b/tools/nix/flake.nix @@ -61,30 +61,43 @@ # Things needed only at compile-time. nativeBuildInputsBasic = with pkgs; [ - rustToolchain - cargo-watch + findutils + coreutils + bash + zsh + curl + git + jq - just - parallel podman ]; # Things needed only at compile-time. - nativeBuildInputsDev = []; + nativeBuildInputsDev = with pkgs; [ + rustToolchain + cargo-watch + just + ]; # Things needed at runtime. buildInputs = []; in - with pkgs; { - devShells = { + with pkgs; rec { + devShells = rec { default = mkShell { inherit buildInputs; nativeBuildInputs = nativeBuildInputsBasic ++ nativeBuildInputsDev; }; - ci = mkShell { - inherit buildInputs; - nativeBuildInputs = nativeBuildInputsBasic ++ nativeBuildInputsDev; + ci = default; + }; + + packages = { + images = { + ci = (import ./images/ci.nix) { + inherit pkgs; + devShellDrv = devShells.ci; + }; }; }; } diff --git a/tools/nix/images/ci.nix b/tools/nix/images/ci.nix new file mode 100644 index 0000000..b1c7c35 --- /dev/null +++ b/tools/nix/images/ci.nix @@ -0,0 +1,16 @@ +{ + pkgs, + devShellDrv, + ... +}: rec { + # The base image. + base = pkgs.dockerTools.buildNixShellImage { + name = "ghcr.io/sdsc-order/rdf-protect"; + tag = "ci-nix-1.0.0"; + drv = devShellDrv; + }; + + format = base.override {tag = "ci-format-1.0.0";}; + lint = base.override {tag = "ci-lint-1.0.0";}; + build = base.override {tag = "ci-build-1.0.0";}; +} From 0948d07675a43177ffbf8e8b9321c15c50407cbe Mon Sep 17 00:00:00 2001 
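Review bot: The image `name` in the new `tools/nix/images/ci.nix` is `ghcr.io/sdsc-order/rdf-protect`, but every workflow pulls `ghcr.io/sdsc-ordes/rdf-protect`, so images built from this expression are tagged (and pushed) under a different namespace and never match what CI runs. Fix the string to `name = "ghcr.io/sdsc-ordes/rdf-protect";`. The `base.override { tag = ...; }` calls presume that `dockerTools.buildNixShellImage` returns an overridable derivation; confirm that `override` exists on its result, otherwise `format`, `lint` and `build` fail to evaluate.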
From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Thu, 27 Jun 2024 07:28:18 +0200 Subject: [PATCH 07/68] feat: Improve Github workflow --- .github/workflows/pipeline.yaml | 5 +++++ .gitlab/images/Containerfile | 2 ++ .gitlab/scripts/before-script.sh | 1 - 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 0a3a140..bf10d1b 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -48,3 +48,8 @@ jobs: run: | source .gitlab/scripts/before-script.sh && just nix-develop-ci just build + + deploy: + runs-on: ubuntu-latest + container: + image: ghcr.io/sdsc-ordes/rdf-protect:ci-build-1.0.0 diff --git a/.gitlab/images/Containerfile b/.gitlab/images/Containerfile index 3d80d30..1d60204 100644 --- a/.gitlab/images/Containerfile +++ b/.gitlab/images/Containerfile @@ -25,6 +25,8 @@ RUN cd /container-setup && \ build --no-link "./tools/nix#devShells.x86_64-linux.ci" && \ nix store optimise +RUN git config --global safe.directory "*" + # Format image. # =============================================== FROM ci-nix as ci-format diff --git a/.gitlab/scripts/before-script.sh b/.gitlab/scripts/before-script.sh index 00ecb42..0d6c06f 100755 --- a/.gitlab/scripts/before-script.sh +++ b/.gitlab/scripts/before-script.sh @@ -6,7 +6,6 @@ set -u ROOT_DIR=$(git rev-parse --show-toplevel) . "$ROOT_DIR/tools/general.sh" -git config --global safe.directory "*" # ci_container_mgr_setup unset ROOT_DIR From 18c52012dcc0c611a680f7ae2a4c11a9e19c0688 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Thu, 27 Jun 2024 07:28:39 +0200 Subject: [PATCH 08/68] feat: WIP pacakge with Nix --- tools/nix/flake.nix | 18 +++++++++++- tools/nix/pkgs/rdf-protect.nix | 54 ++++++++++++++++++++++++++++++++++ 2 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 tools/nix/pkgs/rdf-protect.nix diff --git a/tools/nix/flake.nix b/tools/nix/flake.nix index c8158e8..cab80f2 100644 
--- a/tools/nix/flake.nix +++ b/tools/nix/flake.nix @@ -34,6 +34,14 @@ flake-utils.follows = "flake-utils"; }; }; + + # The library to build the rust package. + crane = { + url = "https://github.com/ipetkov/crane"; + inputs = { + nixpkgs.follows = "nixpkgs"; + }; + }; }; outputs = { @@ -42,8 +50,11 @@ nixpkgsStable, flake-utils, rust-overlay, + crane, ... - } @ inputs: + } @ inputs: let + rootDir = "./" + "../../"; + in flake-utils.lib.eachDefaultSystem # Creates an attribute map `{ devShells..default = ...}` # by calling this function: @@ -93,6 +104,11 @@ }; packages = { + rdf-protect = (import pkgs/rdf-protect) { + inherit crane; + inherit rootDir; + }; + images = { ci = (import ./images/ci.nix) { inherit pkgs; diff --git a/tools/nix/pkgs/rdf-protect.nix b/tools/nix/pkgs/rdf-protect.nix new file mode 100644 index 0000000..6e5ca2a --- /dev/null +++ b/tools/nix/pkgs/rdf-protect.nix 
@@ -0,0 +1,54 @@ +{pkgs, lib, rustPlatform, rootDir}: + rustPlatform.buildRustPackage rec { + inherit buildInputs nativeBuildInputs; + + name = "rdf-protect"; + src = rootDir; + version = "1.0.0"; + + cargoLock = { + lockFile = "${rootDir}/Cargo.lock"; + allowBuiltinFetchGit = true; + }; + + preConfigure = '' + ''; + + postPatch = '' + ''; + + preFixup = lib.optionalString stdenv.isLinux '' + patchelf \ + --add-needed "${pkgs.libGL}/lib/libEGL.so.1" \ + --add-needed "${pkgs.vulkan-loader}/lib/libvulkan.so.1" \ + $out/bin/wezterm-gui + ''; + + postInstall = '' + mkdir -p $out/nix-support + echo "${passthru.terminfo}" >> $out/nix-support/propagated-user-env-packages + + install -Dm644 assets/icon/terminal.png $out/share/icons/hicolor/128x128/apps/org.wezfurlong.wezterm.png + install -Dm644 assets/wezterm.desktop $out/share/applications/org.wezfurlong.wezterm.desktop + install -Dm644 assets/wezterm.appdata.xml $out/share/metainfo/org.wezfurlong.wezterm.appdata.xml + + install -Dm644 assets/shell-integration/wezterm.sh -t $out/etc/profile.d + installShellCompletion --cmd wezterm \ + --bash assets/shell-completion/bash \ + --fish assets/shell-completion/fish \ + --zsh assets/shell-completion/zsh + + install -Dm644 assets/wezterm-nautilus.py -t $out/share/nautilus-python/extensions + ''; + + passthru = { + terminfo = + pkgs.runCommand "wezterm-terminfo" + { + nativeBuildInputs = [pkgs.ncurses]; + } '' + mkdir -p $out/share/terminfo $out/nix-support + tic -x -o $out/share/terminfo ${src}/termwiz/data/wezterm.terminfo + ''; + }; + }; From 9e312019630f9f518ef792d9d6541f9e44814484 Mon Sep 17 00:00:00 2001 
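Review bot: The new `tools/nix/pkgs/rdf-protect.nix` is the wezterm derivation with the name changed: `preFixup` patches `$out/bin/wezterm-gui`, `postInstall` installs `assets/wezterm.desktop` and friends, and `passthru.terminfo` builds `termwiz/data/wezterm.terminfo`, none of which exist in this repository. It also references `stdenv` and `installShellCompletion`, which are not among the function's arguments, so evaluation fails before any of that runs. Reduce it to `name`, `src`, `version` and `cargoLock` until the package actually needs more.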
From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 28 Jun 2024 18:16:33 +0200 Subject: [PATCH 09/68] feat: Add Nix packaging and more CI --- .github/workflows/pipeline.yaml | 28 ++++++++++- .gitignore | 9 +++- .gitlab/images/Containerfile | 8 ++++ justfile | 30 ++++++++++-- tools/nix/flake.lock | 21 ++++----- tools/nix/flake.nix | 18 ++------ tools/nix/pkgs/rdf-protect.nix | 82 +++++++++++---------------------- 7 files changed, 108 insertions(+), 88 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index bf10d1b..462424f 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -1,4 +1,5 @@ # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json +--- name: rdf-protect on: @@ -48,8 +49,31 @@ jobs: run: | source .gitlab/scripts/before-script.sh && just nix-develop-ci just build + # - name: 3.1 - tests + # run: | + # source .gitlab/scripts/before-script.sh && + # just nix-develop-ci just test - deploy: + test: runs-on: ubuntu-latest container: - image: ghcr.io/sdsc-ordes/rdf-protect:ci-build-1.0.0 + image: ghcr.io/sdsc-ordes/rdf-protect:ci-test-1.0.0 + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: 4 - test + run: | + source .gitlab/scripts/before-script.sh && + just nix-develop-ci just test + + package: + runs-on: ubuntu-latest + container: + image: ghcr.io/sdsc-ordes/rdf-protect:ci-package-1.0.0 + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: 5 - package (nix) + run: | + source .gitlab/scripts/before-script.sh && + just build-package diff --git a/.gitignore b/.gitignore index 2d5df85..1900fa5 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,9 @@ -/target +# Tooling .direnv + +# Rust +/target + +# Nix +result +package diff --git a/.gitlab/images/Containerfile b/.gitlab/images/Containerfile index 1d60204..1336682 100644 --- a/.gitlab/images/Containerfile +++ b/.gitlab/images/Containerfile 
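Review bot: The new `package` job runs `just build-package`, but the recipe this commit adds to the justfile is `nix-package`, so step `5 - package (nix)` fails with an unknown recipe; change it to `just nix-package`. The same `just build-package` line is re-enabled verbatim in PATCH 12. The `test` and `package` jobs pull `ci-test-1.0.0` and `ci-package-1.0.0`, which the Containerfile defines as empty `FROM ci-nix` stages; if they are byte-identical to `ci-build`, one image with one digest is simpler to pin and audit.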
@@ -38,3 +38,11 @@ FROM ci-nix as ci-lint # Build image. # =============================================== FROM ci-nix as ci-build + +# Test image. +# =============================================== +FROM ci-nix as ci-test + +# Package image. +# =============================================== +FROM ci-nix as ci-package diff --git a/justfile b/justfile index 07a633b..cd28e5e 100644 --- a/justfile +++ b/justfile @@ -7,11 +7,15 @@ root_dir := `git rev-parse --show-toplevel` # You can chose either "podman" or "docker". container_mgr := "podman" +# Default recipe to list all recipes. +default: + just --list + # Enter a Nix development shell. nix-develop shell="zsh": cd "{{root_dir}}" && nix develop ./tools/nix#default --command zsh - +## Standard stuff ============================================================= # Build the executable. build *args: cd "{{root_dir}}" && cargo build "${@:1}" @@ -24,6 +28,10 @@ watch: run: cd "{{root_dir}}" && cargo run "${@:1}" +# Run the tests. +test: + cd "{{root_dir}}" && cargo test "${@:1}" + # Format the code. format *args: cd "{{comp_dir}}" && \ 
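Review bot: The new `test:` recipe forwards `"${@:1}"` but declares no `*args` parameter, unlike `build *args:` next to it, so extra arguments such as `--nocapture` are not accepted (or, without positional arguments enabled, are parsed as recipe names). Make it `test *args:` to match its sibling.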
@@ -38,12 +46,24 @@ format-general *args: lint *args: cd "{{comp_dir}}" && \ "{{root_dir}}/tools/lint-rust.sh" {{args}} +## ============================================================================ -# Upload all images for CI. -upload-ci-images: - cd "{{root_dir}}" && \ - .gitlab/scripts/upload-images.sh +## CI stuff =================================================================== # Enter a Nix development shell for CI. nix-develop-ci: cd "{{root_dir}}" && nix develop ./tools/nix#default --command "$@" + +# Build the nix package into the folder `package` (first argument). +nix-package *args: + dir="${1:-package}" && \ + cd "{{root_dir}}" && \ + nix build "./tools/nix#rdf-protect" \ + --out-link "$dir" \ + "${@:2}" + +# Upload all images for CI. +upload-ci-images: + cd "{{root_dir}}" && \ + .gitlab/scripts/upload-images.sh +## ============================================================================ diff --git a/tools/nix/flake.lock b/tools/nix/flake.lock index bec525e..14cc310 100644 --- a/tools/nix/flake.lock +++ b/tools/nix/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1718318537, - "narHash": "sha256-4Zu0RYRcAY/VWuu6awwq4opuiD//ahpc2aFHg2CWqFY=", + "lastModified": 1719254875, + "narHash": "sha256-ECni+IkwXjusHsm9Sexdtq8weAq/yUyt1TWIemXt3Ko=", "owner": "nixos", "repo": "nixpkgs", - "rev": "e9ee548d90ff586a6471b4ae80ae9cfcbceb3420", + "rev": "2893f56de08021cffd9b6b6dfc70fd9ccd51eb60", "type": "github" }, "original": { @@ -36,11 +36,11 @@ }, "nixpkgsStable": { "locked": { - "lastModified": 1718229064, - "narHash": "sha256-ZFav8A9zPNfjZg/wrxh1uZeMJHELRfRgFP+meq01XYk=", + "lastModified": 1719234068, + "narHash": "sha256-1AjSIedDC/aERt24KsCUftLpVppW61S7awfjGe7bMio=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5c2ec3a5c2ee9909904f860dadc19bc12cd9cc44", + "rev": "90bd1b26e23760742fdcb6152369919098f05417", "type": "github" }, "original": { 
@@ -60,19 +60,16 @@ }, "rust-overlay": { "inputs": { - "flake-utils": [ - "flake-utils" - ], "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1718590793, - "narHash": "sha256-92OO8XrQTvdvDtRi0BAkjTaoZXW5ORuvqdk677wW7ko=", + "lastModified": 1719541143, + "narHash": "sha256-YdHqW6EM5pXMwXHhC+KniBv3aquXuJrFar2XXaV7x+c=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "5265b8a1e1d2e370e8b45b557326b691aec7d163", + "rev": "ed12832f267ab223cd085b0bd6ee3432caa69067", "type": "github" }, "original": { diff --git a/tools/nix/flake.nix b/tools/nix/flake.nix index cab80f2..1208885 100644 --- a/tools/nix/flake.nix +++ b/tools/nix/flake.nix @@ -29,15 +29,6 @@ # The Rust overlay to include the latest toolchain. rust-overlay = { url = "github:oxalica/rust-overlay"; - inputs = { - nixpkgs.follows = "nixpkgs"; - flake-utils.follows = "flake-utils"; - }; - }; - - # The library to build the rust package. - crane = { - url = "https://github.com/ipetkov/crane"; inputs = { nixpkgs.follows = "nixpkgs"; }; @@ -50,10 +41,9 @@ nixpkgsStable, flake-utils, rust-overlay, - crane, ... } @ inputs: let - rootDir = "./" + "../../"; + rootDir = ./. + "../../.."; in flake-utils.lib.eachDefaultSystem # Creates an attribute map `{ devShells..default = ...}` @@ -63,6 +53,7 @@ overlays = [(import rust-overlay)]; # Import nixpkgs and load it into pkgs. + # Overlay the rust toolchain pkgs = import nixpkgs { inherit system overlays; }; @@ -104,9 +95,8 @@ }; packages = { - rdf-protect = (import pkgs/rdf-protect) { - inherit crane; - inherit rootDir; + rdf-protect = (import ./pkgs/rdf-protect.nix) { + inherit rootDir rustToolchain pkgs lib; }; images = { diff --git a/tools/nix/pkgs/rdf-protect.nix b/tools/nix/pkgs/rdf-protect.nix index 6e5ca2a..99813e7 100644 --- a/tools/nix/pkgs/rdf-protect.nix +++ b/tools/nix/pkgs/rdf-protect.nix 
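Review bot: `rootDir = ./. + "../../..";` relies on Nix appending the string verbatim to the path (giving `.../tools/nix../../..`) and then normalising it lexically; it appears to land on the repository root only because `nix..` is treated as one path component. A plain path literal is unambiguous: `rootDir = ./../..;`. Since this value becomes the package `src`, anything odd here ends up in the store.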
@@ -1,54 +1,28 @@ -{pkgs, lib, rustPlatform, rootDir}: - rustPlatform.buildRustPackage rec { - inherit buildInputs nativeBuildInputs; - - name = "rdf-protect"; - src = rootDir; - version = "1.0.0"; - - cargoLock = { - lockFile = "${rootDir}/Cargo.lock"; - allowBuiltinFetchGit = true; - }; - - preConfigure = '' - ''; - - postPatch = '' - ''; - - preFixup = lib.optionalString stdenv.isLinux '' - patchelf \ - --add-needed "${pkgs.libGL}/lib/libEGL.so.1" \ - --add-needed "${pkgs.vulkan-loader}/lib/libvulkan.so.1" \ - $out/bin/wezterm-gui - ''; - - postInstall = '' - mkdir -p $out/nix-support - echo "${passthru.terminfo}" >> $out/nix-support/propagated-user-env-packages - - install -Dm644 assets/icon/terminal.png $out/share/icons/hicolor/128x128/apps/org.wezfurlong.wezterm.png - install -Dm644 assets/wezterm.desktop $out/share/applications/org.wezfurlong.wezterm.desktop - install -Dm644 assets/wezterm.appdata.xml $out/share/metainfo/org.wezfurlong.wezterm.appdata.xml - - install -Dm644 assets/shell-integration/wezterm.sh -t $out/etc/profile.d - installShellCompletion --cmd wezterm \ - --bash assets/shell-completion/bash \ - --fish assets/shell-completion/fish \ - --zsh assets/shell-completion/zsh - - install -Dm644 assets/wezterm-nautilus.py -t $out/share/nautilus-python/extensions - ''; - - passthru = { - terminfo = - pkgs.runCommand "wezterm-terminfo" - { - nativeBuildInputs = [pkgs.ncurses]; - } '' - mkdir -p $out/share/terminfo $out/nix-support - tic -x -o $out/share/terminfo ${src}/termwiz/data/wezterm.terminfo - ''; - }; - }; +{ + pkgs, + lib, + rustToolchain, + rootDir, + ... 
+}: let + rustPlatform = pkgs.makeRustPlatform { + cargo = rustToolchain; + rustc = rustToolchain; + }; +in + rustPlatform.buildRustPackage { + name = "rdf-protect"; + src = rootDir; + version = "1.0.0"; + + cargoLock = { + lockFile = rootDir + "/Cargo.lock"; + }; + + meta = { + description = "A simple Rust CLI tool to protect sensitive values in RDF triples through pseudonymization"; + homepage = "https://github.com/sdsc-ordes/rdf-protect"; + license = lib.licenses.asl20; + maintainers = ["gabyx" "cmdoret"]; + }; + } From 416e4f3830078d75aaa85c64eb9499956e09a4e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 28 Jun 2024 19:14:40 +0200 Subject: [PATCH 10/68] fix: CI --- .github/workflows/pipeline.yaml | 125 +++++++++++++++----------- .github/workflows/trigger-gitlab.yaml | 24 ----- .gitlab/images/Containerfile | 30 +++++-- .gitlab/scripts/before-script.sh | 7 ++ tools/format-rust.sh | 8 +- 5 files changed, 109 insertions(+), 85 deletions(-) delete mode 100644 .github/workflows/trigger-gitlab.yaml diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 462424f..6321e56 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
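Review bot: `src = rootDir;` copies the whole working tree into the Nix store, including `.git`, `target/`, `.direnv` and the `result`/`package` links that this commit's `.gitignore` hunk anticipates, which bloats the store and changes the package hash on unrelated files. Use `src = lib.cleanSource rootDir;` (`lib` is already an argument) or a `lib.cleanSourceWith` filter that keeps only `Cargo.*`, `src/` and `rust-toolchain.toml`. `maintainers` takes maintainer attribute sets by nixpkgs convention; plain strings are fine for a standalone flake but will not be accepted if this is ever upstreamed.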
@@ -1,7 +1,27 @@ # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json ---- +# +# This a demonstration pipeline which uses Nix in a container to drive the toolchain. +# +# - The Nix container (with cached toolchain) are quite big (~ 2Gb) and with no caching makes the +# pull up to 2min at the start. +# - Without caching they result in ~500mb which is better but the toolchain needs to be installed +# during the `nix develop` call. +# +# Remedies: Either to use own runners with proper image caching or do some Github trickery +# (not sure if they work), use the action/cache to cache docker layers and in the next step use +# a step with `uses: docker://...` but then `run:` does not work, how stupid ... +# (need to write an own action in the repo, 💩) +# name: rdf-protect +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +defaults: + run: + shell: bash + on: push: branches: 
@@ -23,57 +43,58 @@ jobs: uses: actions/checkout@v4 - name: 1 - format run: | + cat /etc/os-release source .gitlab/scripts/before-script.sh just nix-develop-ci just format - lint: - runs-on: ubuntu-latest - container: - image: ghcr.io/sdsc-ordes/rdf-protect:ci-lint-1.0.0 - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: 2 - lint - run: | - source .gitlab/scripts/before-script.sh && - just nix-develop-ci just lint - - build: - runs-on: ubuntu-latest - container: - image: ghcr.io/sdsc-ordes/rdf-protect:ci-build-1.0.0 - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: 3 - build - run: | - source .gitlab/scripts/before-script.sh && - just nix-develop-ci just build - # - name: 3.1 - tests - # run: | - # source .gitlab/scripts/before-script.sh && - # just nix-develop-ci just test - - test: - runs-on: ubuntu-latest - container: - image: ghcr.io/sdsc-ordes/rdf-protect:ci-test-1.0.0 - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: 4 - test - run: | - source .gitlab/scripts/before-script.sh && - just nix-develop-ci just test - - package: - runs-on: ubuntu-latest - container: - image: ghcr.io/sdsc-ordes/rdf-protect:ci-package-1.0.0 - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: 5 - package (nix) - run: | - source .gitlab/scripts/before-script.sh && - just build-package + # lint: + # runs-on: ubuntu-latest + # container: + # image: ghcr.io/sdsc-ordes/rdf-protect:ci-lint-1.0.0 + # steps: + # - name: Checkout + # uses: actions/checkout@v4 + # - name: 2 - lint + # run: | + # source .gitlab/scripts/before-script.sh && + # just nix-develop-ci just lint + # + # build: + # runs-on: ubuntu-latest + # container: + # image: ghcr.io/sdsc-ordes/rdf-protect:ci-build-1.0.0 + # steps: + # - name: Checkout + # uses: actions/checkout@v4 + # - name: 3 - build + # run: | + # source .gitlab/scripts/before-script.sh && + # just nix-develop-ci just build + # # - name: 3.1 - tests + # # run: | + # # source 
.gitlab/scripts/before-script.sh && + # # just nix-develop-ci just test + # + # test: + # runs-on: ubuntu-latest + # container: + # image: ghcr.io/sdsc-ordes/rdf-protect:ci-test-1.0.0 + # steps: + # - name: Checkout + # uses: actions/checkout@v4 + # - name: 4 - test + # run: | + # source .gitlab/scripts/before-script.sh && + # just nix-develop-ci just test + # + # package: + # runs-on: ubuntu-latest + # container: + # image: ghcr.io/sdsc-ordes/rdf-protect:ci-package-1.0.0 + # steps: + # - name: Checkout + # uses: actions/checkout@v4 + # - name: 5 - package (nix) + # run: | + # source .gitlab/scripts/before-script.sh && + # just build-package diff --git a/.github/workflows/trigger-gitlab.yaml b/.github/workflows/trigger-gitlab.yaml deleted file mode 100644 index 9c681ae..0000000 --- a/.github/workflows/trigger-gitlab.yaml +++ /dev/null @@ -1,24 +0,0 @@ -name: rdf-protect - -on: [push] - -jobs: - trigger-gitlab: - runs-on: ubuntu-latest - environment: "CI Gitlab" - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Mirror + Trigger CI - uses: SvanBoxel/gitlab-mirror-and-ci-action@master - with: - args: "https://gitlab.datascience.ch/gabriel.nuetzi/rdf-protect" - env: - FOLLOW_TAGS: "true" - FORCE_PUSH: "true" - GITLAB_HOSTNAME: "gitlab.datascience.ch" - GITLAB_USERNAME: ${{ secrets.GITLAB_USERNAME }} - GITLAB_PASSWORD: ${{ secrets.GITLAB_PASSWORD }} - GITLAB_PROJECT_ID: "454" - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.gitlab/images/Containerfile b/.gitlab/images/Containerfile index 1336682..77f38c4 100644 --- a/.gitlab/images/Containerfile +++ b/.gitlab/images/Containerfile 
@@ -13,19 +13,33 @@ RUN apk add findutils coreutils git jq curl bash just parallel podman # Nix Image # =============================================== FROM base-podman as ci-nix +ARG USER_NAME=ci +ARG USER_UID=1000 +ARG USER_GID=1000 +# ARG USER_HOME="/github/home" + RUN [ "TARGETPLATFORM" = "linux/amd64" ] || echo "Platform not yet supported." COPY ./tools /container-setup/tools # Install Nix and pre-cache the env. RUN bash -c ". /container-setup/tools/general.sh && ci_setup_nix" -COPY rust-toolchain.toml /container-setup/ -RUN cd /container-setup && \ - git init && git add . && \ - nix --accept-flake-config \ - build --no-link "./tools/nix#devShells.x86_64-linux.ci" && \ - nix store optimise - -RUN git config --global safe.directory "*" + +# Create user. +# RUN mkdir -p "$USER_HOME" && \ +# adduser "$USER_NAME" -s /bin/zsh -D -u "$USER_UID" -g "$USER_GID" -h "$USER_HOME/$USER_NAME" && \ +# mkdir -p /etc/sudoers.d && \ +# echo "$USER_NAME ALL=(root) NOPASSWD:ALL" > "/etc/sudoers.d/$USER_NAME" && \ +# chmod 0440 "/etc/sudoers.d/$USER_NAME" && \ +# chown -R "$USER_NAME:$USER_NAME" /home /container-setup +# USER "$USER_NAME" + +# COPY rust-toolchain.toml /container-setup/ +# RUN cd /container-setup && \ +# git init && git add . && \ +# nix --accept-flake-config \ +# build --no-link "./tools/nix#devShells.x86_64-linux.ci" && \ +# nix store optimise + # Format image. # =============================================== diff --git a/.gitlab/scripts/before-script.sh b/.gitlab/scripts/before-script.sh index 0d6c06f..fdbb27e 100755 --- a/.gitlab/scripts/before-script.sh +++ b/.gitlab/scripts/before-script.sh @@ -3,9 +3,16 @@ # This script is sourced. set -u +git config --global safe.directory "*" || { + echo "Could not overwrite safe.directory in Git config." >&2 + exit 1 +} + ROOT_DIR=$(git rev-parse --show-toplevel) . "$ROOT_DIR/tools/general.sh" +print_info "Running as user: $(id)" + # ci_container_mgr_setup unset ROOT_DIR 
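Review bot: `USER_NAME`, `USER_UID` and `USER_GID` are declared but every use of them is commented out, so the `ci-nix` stage and everything derived from it still runs as root with three dead `ARG`s at the top. If the user creation is revived, the commented `echo "$USER_NAME ALL=(root) NOPASSWD:ALL" > "/etc/sudoers.d/$USER_NAME"` line grants that user passwordless root, which undoes the point of dropping privileges; the image only needs to run `nix`, `just` and `cargo`, so leave sudo out. Also `[ "TARGETPLATFORM" = "linux/amd64" ]` compares a literal string rather than `$TARGETPLATFORM` and only echoes, so the platform guard never fails the build.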
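Review bot: `git config --global safe.directory "*"` disables Git's repository-ownership check for every path on the runner, not just the checkout; this is the usual workaround for `actions/checkout` running as root inside a container, but it deserves a one-line comment saying so (`# actions/checkout leaves the workspace owned by another uid; trust all paths in this throwaway CI container.`). Because the file is sourced (per its header), the `exit 1` in the fallback terminates the calling shell rather than only the script; that fails the CI step, which seems intended, but `return 1` is the sourced-script idiom. The `set -u` above is likewise inherited by the caller.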
diff --git a/tools/format-rust.sh b/tools/format-rust.sh index 5e441a9..f6c084e 100755 --- a/tools/format-rust.sh +++ b/tools/format-rust.sh @@ -9,7 +9,13 @@ ROOT_DIR=$(git rev-parse --show-toplevel) cd "$ROOT_DIR" print_info "Run Rust format." + +fmt_args=() +if ci_is_running; then + fmt_args+=("--check") +fi + ci_wrap_container \ ghcr.io/sdsc-ordes/rdf-protect:ci-format-1.0.0 \ nix develop ./tools/nix#ci --command \ - cargo fmt "$@" + cargo fmt "${fmt_args[@]}" "$@" From 77e9a8d10bea3d1cafe88d5698a703eca1401e8d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 28 Jun 2024 21:08:44 +0200 Subject: [PATCH 11/68] fix: CI --- .github/workflows/pipeline.yaml | 1 - .gitlab/images/Containerfile | 15 ++++++++------- .gitlab/scripts/before-script.sh | 2 ++ 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 6321e56..525511b 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -43,7 +43,6 @@ jobs: uses: actions/checkout@v4 - name: 1 - format run: | - cat /etc/os-release source .gitlab/scripts/before-script.sh just nix-develop-ci just format diff --git a/.gitlab/images/Containerfile b/.gitlab/images/Containerfile index 77f38c4..4c7656a 100644 --- a/.gitlab/images/Containerfile +++ b/.gitlab/images/Containerfile @@ -16,6 +16,7 @@ FROM base-podman as ci-nix ARG USER_NAME=ci ARG USER_UID=1000 ARG USER_GID=1000 +ARG CACHE_TOOLCHAIN=false # ARG USER_HOME="/github/home" RUN [ "TARGETPLATFORM" = "linux/amd64" ] || echo "Platform not yet supported." 
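Review bot: `"${fmt_args[@]}"` expands an empty array when `ci_is_running` is false; under `set -u` with bash older than 4.4 that is an "unbound variable" error, so the local (non-CI) path would break on such a bash — the script's `set` options are outside this hunk, so confirm whether `-u` is on. A portable form is `cargo fmt ${fmt_args[@]+"${fmt_args[@]}"} "$@"`. Passing `--check` only in CI is the right split: local runs rewrite, CI only verifies.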
@@ -24,7 +25,7 @@ COPY ./tools /container-setup/tools # Install Nix and pre-cache the env. RUN bash -c ". /container-setup/tools/general.sh && ci_setup_nix" -# Create user. +# Create user (does not work because action/checkout uses `root` in its own container ... 💩) # RUN mkdir -p "$USER_HOME" && \ # adduser "$USER_NAME" -s /bin/zsh -D -u "$USER_UID" -g "$USER_GID" -h "$USER_HOME/$USER_NAME" && \ # mkdir -p /etc/sudoers.d && \ @@ -33,12 +34,12 @@ RUN bash -c ". /container-setup/tools/general.sh && ci_setup_nix" # chown -R "$USER_NAME:$USER_NAME" /home /container-setup # USER "$USER_NAME" -# COPY rust-toolchain.toml /container-setup/ -# RUN cd /container-setup && \ -# git init && git add . && \ -# nix --accept-flake-config \ -# build --no-link "./tools/nix#devShells.x86_64-linux.ci" && \ -# nix store optimise +COPY rust-toolchain.toml /container-setup/ +RUN [ "${CACHE_TOOLCHAIN}" = "false" ] || { cd /container-setup && \ + git init && git add . && \ + nix --accept-flake-config \ + build --no-link "./tools/nix#devShells.x86_64-linux.ci" && \ + nix store optimise } # Format image. diff --git a/.gitlab/scripts/before-script.sh b/.gitlab/scripts/before-script.sh index fdbb27e..be80a6c 100755 --- a/.gitlab/scripts/before-script.sh +++ b/.gitlab/scripts/before-script.sh @@ -11,8 +11,10 @@ git config --global safe.directory "*" || { ROOT_DIR=$(git rev-parse --show-toplevel) . "$ROOT_DIR/tools/general.sh" +print_info "Current dir: '$(pwd)'" print_info "Running as user: $(id)" # ci_container_mgr_setup +# unset ROOT_DIR From 7a8534b703c2cf95c24a3beb3f1d2049d962cc60 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 28 Jun 2024 21:16:01 +0200 Subject: [PATCH 12/68] fix: ci --- .github/workflows/pipeline.yaml | 102 ++++++++++++++++---------------- justfile | 7 ++- 2 files changed, 56 insertions(+), 53 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 525511b..fe81269 100644 
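Review bot: The brace group in the new `RUN` is not closed correctly: `nix store optimise }` passes `}` as an argument to `nix` and leaves `{` unterminated, so the shell reports a syntax error and the stage fails regardless of `CACHE_TOOLCHAIN`. Terminate the last command first: `nix store optimise; }`. With `CACHE_TOOLCHAIN=false` as the default, `rust-toolchain.toml` is still copied into the layer but nothing is built, which is fine but deserves a comment next to the `ARG` explaining when to set it.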
--- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
@@ -46,54 +46,54 @@ jobs: source .gitlab/scripts/before-script.sh just nix-develop-ci just format - # lint: - # runs-on: ubuntu-latest - # container: - # image: ghcr.io/sdsc-ordes/rdf-protect:ci-lint-1.0.0 - # steps: - # - name: Checkout - # uses: actions/checkout@v4 - # - name: 2 - lint - # run: | - # source .gitlab/scripts/before-script.sh && - # just nix-develop-ci just lint - # - # build: - # runs-on: ubuntu-latest - # container: - # image: ghcr.io/sdsc-ordes/rdf-protect:ci-build-1.0.0 - # steps: - # - name: Checkout - # uses: actions/checkout@v4 - # - name: 3 - build - # run: | - # source .gitlab/scripts/before-script.sh && - # just nix-develop-ci just build - # # - name: 3.1 - tests - # # run: | - # # source .gitlab/scripts/before-script.sh && - # # just nix-develop-ci just test - # - # test: - # runs-on: ubuntu-latest - # container: - # image: ghcr.io/sdsc-ordes/rdf-protect:ci-test-1.0.0 - # steps: - # - name: Checkout - # uses: actions/checkout@v4 - # - name: 4 - test - # run: | - # source .gitlab/scripts/before-script.sh && - # just nix-develop-ci just test - # - # package: - # runs-on: ubuntu-latest - # container: - # image: ghcr.io/sdsc-ordes/rdf-protect:ci-package-1.0.0 - # steps: - # - name: Checkout - # uses: actions/checkout@v4 - # - name: 5 - package (nix) - # run: | - # source .gitlab/scripts/before-script.sh && - # just build-package + lint: + runs-on: ubuntu-latest + container: + image: ghcr.io/sdsc-ordes/rdf-protect:ci-lint-1.0.0 + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: 2 - lint + run: | + source .gitlab/scripts/before-script.sh && + just nix-develop-ci just lint + + build: + runs-on: ubuntu-latest + container: + image: ghcr.io/sdsc-ordes/rdf-protect:ci-build-1.0.0 + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: 3 - build + run: | + source .gitlab/scripts/before-script.sh && + just nix-develop-ci just build + # - name: 3.1 - tests + # run: | + # source .gitlab/scripts/before-script.sh && + # just 
nix-develop-ci just test + + test: + runs-on: ubuntu-latest + container: + image: ghcr.io/sdsc-ordes/rdf-protect:ci-test-1.0.0 + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: 4 - test + run: | + source .gitlab/scripts/before-script.sh && + just nix-develop-ci just test + + package: + runs-on: ubuntu-latest + container: + image: ghcr.io/sdsc-ordes/rdf-protect:ci-package-1.0.0 + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: 5 - package (nix) + run: | + source .gitlab/scripts/before-script.sh && + just build-package diff --git a/justfile b/justfile index cd28e5e..840c609 100644 --- a/justfile +++ b/justfile @@ -12,8 +12,11 @@ default: just --list # Enter a Nix development shell. -nix-develop shell="zsh": - cd "{{root_dir}}" && nix develop ./tools/nix#default --command zsh +nix-develop *args: + cd "{{root_dir}}" && \ + cmd=("$@") && \ + { [ -n "${cmd:-}" ] || cmd=("zsh"); } && \ + nix develop ./tools/nix#default --command "${cmd[@]}" ## Standard stuff ============================================================= # Build the executable. From fd7392289ca3461e197c89beb11d1bfb3578f7a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 28 Jun 2024 21:21:40 +0200 Subject: [PATCH 13/68] fix: Ci --- .github/workflows/pipeline.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index fe81269..ab20011 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -44,6 +44,7 @@ jobs: - name: 1 - format run: | source .gitlab/scripts/before-script.sh + cat justfile just nix-develop-ci just format lint: From 3727efb5abdb03e50a7333c1a58d7663b2de16ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 28 Jun 2024 21:29:57 +0200 Subject: [PATCH 14/68] fix: ci --- .github/workflows/pipeline.yaml | 14 +++++++------- justfile | 5 ++++- 2 files changed, 11 insertions(+), 8 deletions(-) 
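Review bot: Every re-enabled job checks out with `uses: actions/checkout@v4` and runs inside `ghcr.io/sdsc-ordes/rdf-protect:ci-*-1.0.0`, both of which are mutable references: the `v4` tag can be moved by the action's maintainers, and the `ci-lint-1.0.0` style tags appear to be re-pushed by this repository itself (`upload-ci-images` recipe). For a pipeline that later builds and publishes release artifacts, pin the action to a full commit SHA (keeping the tag in a trailing comment) and reference the CI images by digest, e.g. `image: ghcr.io/sdsc-ordes/rdf-protect:ci-lint-1.0.0@sha256:<DIGEST>`, so a rebuilt image cannot silently change what lint, build and test run against.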
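Review bot: The `cat justfile` added to the format step's `run:` block in the patch 13 hunk (`@@ -44,6 +44,7`) looks like a debugging aid and dumps the whole justfile into the job log on every run; it is still carried as context up to patch 25 in this series. Drop the line, or if the intent is to show which recipes CI uses, `just --list` is a smaller and more readable output.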
diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index ab20011..88326d3 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -43,9 +43,9 @@ jobs: uses: actions/checkout@v4 - name: 1 - format run: | - source .gitlab/scripts/before-script.sh - cat justfile - just nix-develop-ci just format + source .gitlab/scripts/before-script.sh && + cat justfile && + just nix-develop just format lint: runs-on: ubuntu-latest @@ -57,7 +57,7 @@ jobs: - name: 2 - lint run: | source .gitlab/scripts/before-script.sh && - just nix-develop-ci just lint + just nix-develop just lint build: runs-on: ubuntu-latest @@ -69,11 +69,11 @@ jobs: - name: 3 - build run: | source .gitlab/scripts/before-script.sh && - just nix-develop-ci just build + just nix-develop just build # - name: 3.1 - tests # run: | # source .gitlab/scripts/before-script.sh && - # just nix-develop-ci just test + # just nix-develop just test test: runs-on: ubuntu-latest @@ -85,7 +85,7 @@ jobs: - name: 4 - test run: | source .gitlab/scripts/before-script.sh && - just nix-develop-ci just test + just nix-develop just test package: runs-on: ubuntu-latest diff --git a/justfile b/justfile index 840c609..702ce14 100644 --- a/justfile +++ b/justfile @@ -55,7 +55,10 @@ lint *args: ## CI stuff =================================================================== # Enter a Nix development shell for CI. nix-develop-ci: - cd "{{root_dir}}" && nix develop ./tools/nix#default --command "$@" + cd "{{root_dir}}" && \ + cmd=("$@") && \ + { [ -n "${cmd:-}" ] || cmd=("zsh"); } && \ + cd "{{root_dir}}" && nix develop ./tools/nix#ci --command "$@" # Build the nix package into the folder `package` (first argument). nix-package *args: From d8a3e00ce9e29a593281b623684aa9832e2bc646 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 28 Jun 2024 22:01:24 +0200 Subject: [PATCH 15/68] fix: ci --- .github/workflows/pipeline.yaml | 8 ++++---- justfile | 20 +++++++++----------- tools/format-rust.sh | 5 +---- tools/general.sh | 12 ++++++++---- tools/lint-rust.sh | 10 ++-------- 5 files changed, 24 insertions(+), 31 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 88326d3..c96afa4 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -70,10 +70,10 @@ jobs: run: | source .gitlab/scripts/before-script.sh && just nix-develop just build - # - name: 3.1 - tests - # run: | - # source .gitlab/scripts/before-script.sh && - # just nix-develop just test + - name: 3.1 - tests + run: | + source .gitlab/scripts/before-script.sh && + just nix-develop just test test: runs-on: ubuntu-latest diff --git a/justfile b/justfile index 702ce14..abd87b4 100644 --- a/justfile +++ b/justfile @@ -1,12 +1,15 @@ set positional-arguments set shell := ["bash", "-cue"] -comp_dir := justfile_directory() root_dir := `git rev-parse --show-toplevel` # General Variables: # You can chose either "podman" or "docker". container_mgr := "podman" +# Deterministic steps such as `lint`, `format` +# will run +use_container := "" + # Default recipe to list all recipes. default: just --list 
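Review bot: The new `use_container := ""` variable in the justfile hunk (`@@ -1,12 +1,15`) is not referenced by any recipe visible in this patch, and its comment stops mid-sentence (`# Deterministic steps such as \`lint\`, \`format\` # will run`). Either finish the comment with what the variable controls and consume it in `format`/`lint`, or leave it out until the container-wrapping path in `tools/general.sh` is wired back in; a setting that silently does nothing is easy to mis-trust later. If it stays, something like `# Set to "true" to run deterministic steps (lint, format) inside the CI container.` would say what it is for.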
@@ -37,29 +40,24 @@ test: # Format the code. format *args: - cd "{{comp_dir}}" && \ + cd "{{root_dir}}" && \ "{{root_dir}}/tools/format-rust.sh" {{args}} -# Format all files other files. +# Format all files. format-general *args: # Not implemented yet. + # That should run all hooks which are configured by Githooks. true # Lint all code. lint *args: - cd "{{comp_dir}}" && \ + cd "{{root_dir}}" && \ "{{root_dir}}/tools/lint-rust.sh" {{args}} + ## ============================================================================ ## CI stuff =================================================================== -# Enter a Nix development shell for CI. -nix-develop-ci: - cd "{{root_dir}}" && \ - cmd=("$@") && \ - { [ -n "${cmd:-}" ] || cmd=("zsh"); } && \ - cd "{{root_dir}}" && nix develop ./tools/nix#ci --command "$@" - # Build the nix package into the folder `package` (first argument). nix-package *args: dir="${1:-package}" && \ diff --git a/tools/format-rust.sh b/tools/format-rust.sh index f6c084e..333e886 100755 --- a/tools/format-rust.sh +++ b/tools/format-rust.sh @@ -15,7 +15,4 @@ if ci_is_running; then fmt_args+=("--check") fi -ci_wrap_container \ - ghcr.io/sdsc-ordes/rdf-protect:ci-format-1.0.0 \ - nix develop ./tools/nix#ci --command \ - cargo fmt "${fmt_args[@]}" "$@" +cargo fmt "${fmt_args[@]}" "$@" diff --git a/tools/general.sh b/tools/general.sh index c716861..15f45d0 100755 --- a/tools/general.sh +++ b/tools/general.sh 
@@ -55,13 +55,17 @@ function ci_is_running() { function ci_wrap_container() { local container="$1" - shift 1 + local nix_shell="$2" + shift 2 local cmd=("$@") - if [ "$OSTYPE" = "nixos" ]; then - "${cmd[@]}" + if command -v nix &>/dev/null; then + # Nix available, wrap over Nix shell. + nix develop "$nix_shell" --command "${cmd[@]}" else - ci_container_mgr_run_mounted "$(pwd)" "$container" "${cmd[@]}" + # No Nix available, wrap over Nix container + ci_container_mgr_run_mounted "$(pwd)" "$container" \ + nix develop "$nix_shell" --command "${cmd[@]}" fi } diff --git a/tools/lint-rust.sh b/tools/lint-rust.sh index c670387..fec8d8e 100755 --- a/tools/lint-rust.sh +++ b/tools/lint-rust.sh @@ -9,15 +9,9 @@ ROOT_DIR=$(git rev-parse --show-toplevel) cd "$ROOT_DIR" print_info "Run Rust Clippy linter." -ci_wrap_container \ - ghcr.io/sdsc-ordes/rdf-protect:ci-lint-1.0.0 \ - nix develop ./tools/nix#ci --command \ - cargo clippy --no-deps -- -A clippy::needless_return "$@" || +cargo clippy --no-deps -- -A clippy::needless_return "$@" || die "Rust clippy failed." print_info "Run Rust Miri to check undefined behaviour." -ci_wrap_container \ - ghcr.io/sdsc-ordes/rdf-protect:ci-lint-1.0.0 \ - nix develop ./tools/nix#ci --command \ - cargo miri test "$@" || +cargo miri test "$@" || die "Rust Miri failed." From abbf88d9af1d15c6fc7dad721b295c12789fb21e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 28 Jun 2024 22:05:49 +0200 Subject: [PATCH 16/68] fix: ci --- tools/format-rust.sh | 3 +++ tools/lint-rust.sh | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/tools/format-rust.sh b/tools/format-rust.sh index 333e886..3e8955e 100755 --- a/tools/format-rust.sh +++ b/tools/format-rust.sh @@ -15,4 +15,7 @@ if ci_is_running; then fmt_args+=("--check") fi +cargo --version +cargo fmt --version + cargo fmt "${fmt_args[@]}" "$@" diff --git a/tools/lint-rust.sh b/tools/lint-rust.sh index fec8d8e..e39c1a2 100755 --- a/tools/lint-rust.sh +++ b/tools/lint-rust.sh 
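Review bot: `ci_wrap_container` now requires a second positional argument (`local nix_shell="$2"; shift 2`), but in the same patch both callers — `tools/format-rust.sh` and `tools/lint-rust.sh` — drop their `ci_wrap_container` invocations, so after this patch the function has no visible caller and the new signature is exercised by nothing in CI. If it is kept for local use, document the arguments above the function (`# ci_wrap_container <image> <nix-shell-ref> <cmd...>`) and guard the arity, e.g. `[ "$#" -ge 3 ] || die "usage: ci_wrap_container <image> <nix-shell> <cmd...>"`, since a bare `shift 2` with fewer arguments aborts a caller running under `set -e` without any message. Note also that the `command -v nix` test changes behaviour from the old `$OSTYPE = nixos` check: any host with a `nix` binary on PATH now skips the container, which is fine if that is the intent but deserves a line in the comment.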
@@ -8,6 +8,10 @@ ROOT_DIR=$(git rev-parse --show-toplevel) cd "$ROOT_DIR" +cargo --version +cargo clippy --version +cargo miri --version + print_info "Run Rust Clippy linter." cargo clippy --no-deps -- -A clippy::needless_return "$@" || die "Rust clippy failed." From 4a3ff69f6a81fb6ee23841e14e3afddb6e684d45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 28 Jun 2024 22:07:51 +0200 Subject: [PATCH 17/68] fix: ci --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index c96afa4..c4dc0b1 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -97,4 +97,4 @@ jobs: - name: 5 - package (nix) run: | source .gitlab/scripts/before-script.sh && - just build-package + just nix-package From 8b6dec1584f35cdc5c76aa3cce53cc5fc459a0de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 28 Jun 2024 22:13:10 +0200 Subject: [PATCH 18/68] fix: ci --- .github/workflows/pipeline.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index c4dc0b1..f10bc48 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -57,7 +57,11 @@ jobs: - name: 2 - lint run: | source .gitlab/scripts/before-script.sh && - just nix-develop just lint + just nix-develop just l + continue-on-error: true + - name: 2 - allow to fail + if: failure() + run: echo "Lint failed -> continue." build: runs-on: ubuntu-latest From 7a2cfebd226315e814000840942bb6c662c219e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 28 Jun 2024 22:14:42 +0200 Subject: [PATCH 19/68] fix: ci --- .github/workflows/pipeline.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index f10bc48..b8d484c 100644 
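Review bot: In the patch 18 hunk (`@@ -57,7 +57,11`), `continue-on-error: true` on the lint step keeps the job status at `success` when the step fails, so the following step's `if: failure()` is never true and its echo never runs; the two settings cancel each other out. If the goal is a non-blocking lint, `continue-on-error: true` alone suffices and the `allow to fail` step can go; if the goal is to report the failure, give the lint step an `id:` and use `if: steps.<id>.outcome == 'failure'`. Separately, the command is now `just nix-develop just l` — no recipe `l` exists in the justfile shown in this series, only `lint`, so the step presumably fails on every run (patch 20 changes it back to `lint`).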
--- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -41,7 +41,7 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 - - name: 1 - format + - name: format run: | source .gitlab/scripts/before-script.sh && cat justfile && @@ -54,12 +54,12 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 - - name: 2 - lint + - name: lint run: | source .gitlab/scripts/before-script.sh && just nix-develop just l continue-on-error: true - - name: 2 - allow to fail + - name: allow to fail if: failure() run: echo "Lint failed -> continue." @@ -70,11 +70,11 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 - - name: 3 - build + - name: build run: | source .gitlab/scripts/before-script.sh && just nix-develop just build - - name: 3.1 - tests + - name: tests run: | source .gitlab/scripts/before-script.sh && just nix-develop just test @@ -86,7 +86,7 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 - - name: 4 - test + - name: test run: | source .gitlab/scripts/before-script.sh && just nix-develop just test @@ -98,7 +98,7 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 - - name: 5 - package (nix) + - name: package (nix) run: | source .gitlab/scripts/before-script.sh && just nix-package From 84496f7734b6602452f8d77765a1991b3a456f47 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 28 Jun 2024 22:22:01 +0200 Subject: [PATCH 20/68] fix: lint --- .github/workflows/pipeline.yaml | 16 +++++++++++++--- justfile | 5 +++++ tools/lint-rust.sh | 7 ++----- tools/lint-ub-rust.sh | 16 ++++++++++++++++ 4 files changed, 36 insertions(+), 8 deletions(-) create mode 100755 tools/lint-ub-rust.sh diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index b8d484c..3c9b46c 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -41,6 +41,7 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + - name: format run: | source .gitlab/scripts/before-script.sh && 
@@ -54,14 +55,20 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + - name: lint run: | source .gitlab/scripts/before-script.sh && - just nix-develop just l - continue-on-error: true + just nix-develop just lint + + - name: lint-undefined-behavior + run: | + source .gitlab/scripts/before-script.sh && + just nix-develop just lint-ub + - name: allow to fail if: failure() - run: echo "Lint failed -> continue." + run: echo "lint-up failed -> continue." build: runs-on: ubuntu-latest @@ -70,6 +77,7 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + - name: build run: | source .gitlab/scripts/before-script.sh && @@ -86,6 +94,7 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + - name: test run: | source .gitlab/scripts/before-script.sh && @@ -98,6 +107,7 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + - name: package (nix) run: | source .gitlab/scripts/before-script.sh && diff --git a/justfile b/justfile index abd87b4..f5a43a7 100644 --- a/justfile +++ b/justfile @@ -54,6 +54,11 @@ lint *args: cd "{{root_dir}}" && \ "{{root_dir}}/tools/lint-rust.sh" {{args}} +# Lint all code (undefined behavior). +lint-ub *args: + cd "{{root_dir}}" && \ + "{{root_dir}}/tools/lint-ub-rust.sh" {{args}} + ## ============================================================================ diff --git a/tools/lint-rust.sh b/tools/lint-rust.sh index e39c1a2..a8bc70e 100755 --- a/tools/lint-rust.sh +++ b/tools/lint-rust.sh @@ -10,12 +10,9 @@ cd "$ROOT_DIR" cargo --version cargo clippy --version -cargo miri --version print_info "Run Rust Clippy linter." +print_warning "Currently warnings are not errors!" + cargo clippy --no-deps -- -A clippy::needless_return "$@" || die "Rust clippy failed." - -print_info "Run Rust Miri to check undefined behaviour." -cargo miri test "$@" || - die "Rust Miri failed." diff --git a/tools/lint-ub-rust.sh b/tools/lint-ub-rust.sh new file mode 100755 index 0000000..d2aaab9 --- /dev/null +++ b/tools/lint-ub-rust.sh 
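Review bot: The `allow to fail` step still only prints a message — nothing in this hunk marks the new `lint-undefined-behavior` step as non-fatal, so a Miri failure fails the `lint` job regardless of that echo, and the message has a typo (`lint-up` for `lint-ub`). If Miri is advisory, the step needs `continue-on-error: true` (patch 25 adds it), at which point the `if: failure()` step becomes dead for the reason noted on patch 18; pick one mechanism and drop the other. Keeping Miri visible as a warning rather than silently green is worth a comment above the step: `# Advisory only: Miri findings do not block the pipeline yet.`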
@@ -0,0 +1,16 @@ +#!/usr/bin/env bash +# shellcheck disable=SC1090,SC1091 +set -e +set -u + +ROOT_DIR=$(git rev-parse --show-toplevel) +. "$ROOT_DIR/tools/general.sh" + +cd "$ROOT_DIR" + +cargo --version +cargo miri --version + +print_info "Run Rust Miri to check undefined behaviour." +cargo miri test "$@" || + die "Rust Miri failed." From 21a30580febf69ed4138a5ec2a803ae59d41703a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 28 Jun 2024 22:25:11 +0200 Subject: [PATCH 21/68] fix: CI --- .github/workflows/pipeline.yaml | 2 -- tools/format-rust.sh | 5 +++-- tools/lint-rust.sh | 7 ++++++- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 3c9b46c..3ee6b3f 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -26,8 +26,6 @@ on: push: branches: - main - - "feat/*" - - "fix/*" pull_request: branches: diff --git a/tools/format-rust.sh b/tools/format-rust.sh index 3e8955e..c2a8d8f 100755 --- a/tools/format-rust.sh +++ b/tools/format-rust.sh @@ -8,8 +8,6 @@ ROOT_DIR=$(git rev-parse --show-toplevel) cd "$ROOT_DIR" -print_info "Run Rust format." - fmt_args=() if ci_is_running; then fmt_args+=("--check") @@ -18,4 +16,7 @@ fi cargo --version cargo fmt --version +print_info "Run Rust format." cargo fmt "${fmt_args[@]}" "$@" + +print_info "Done." diff --git a/tools/lint-rust.sh b/tools/lint-rust.sh index a8bc70e..2a89c39 100755 --- a/tools/lint-rust.sh +++ b/tools/lint-rust.sh @@ -15,4 +15,9 @@ print_info "Run Rust Clippy linter." print_warning "Currently warnings are not errors!" cargo clippy --no-deps -- -A clippy::needless_return "$@" || - die "Rust clippy failed." + { + die "Rust clippy failed." + git diff --name-status || true + } + +print_info "Done." From 3e93415b8578d013c1b5e3b2a1582d8f09929257 Mon Sep 17 00:00:00 2001 
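Review bot: In the `tools/lint-rust.sh` hunk of patch 21 (`@@ -15,4 +15,9`) the new failure group runs `die "Rust clippy failed."` first and `git diff --name-status || true` after it; `die` is used throughout these scripts as the terminating helper (its definition in `tools/general.sh` is not in this series), so if it exits, the diff output is never printed. Swap the two so the diagnostic comes before the exit: `{ git diff --name-status || true; die "Rust clippy failed."; }`. If `die` does not exit, the script instead continues to `print_info "Done."` after a failed clippy run, which is worse — worth confirming either way.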
From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 28 Jun 2024 22:52:36 +0200 Subject: [PATCH 22/68] fix: ci --- .github/workflows/pipeline.yaml | 15 ++++++++++++++- .gitignore | 2 +- justfile | 9 ++++++++- tools/lint-ub-rust.sh | 2 ++ tools/nix/flake.nix | 18 ++++++++++++++---- tools/nix/images/rdf-protect.nix | 12 ++++++++++++ tools/nix/pkgs/rdf-protect.nix | 3 ++- 7 files changed, 53 insertions(+), 8 deletions(-) create mode 100644 tools/nix/images/rdf-protect.nix diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 3ee6b3f..f3ddd31 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -106,7 +106,20 @@ jobs: - name: Checkout uses: actions/checkout@v4 - - name: package (nix) + - name: build derivation with nix run: | source .gitlab/scripts/before-script.sh && just nix-package + + deploy: + runs-on: ubuntu-latest + container: + image: ghcr.io/sdsc-ordes/rdf-protect:ci-deploy-1.0.0 + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: build container image (nix) + run: | + source .gitlab/scripts/before-script.sh && + just nix-image diff --git a/.gitignore b/.gitignore index 1900fa5..0354501 100644 --- a/.gitignore +++ b/.gitignore @@ -6,4 +6,4 @@ # Nix result -package +build diff --git a/justfile b/justfile index f5a43a7..cf638bf 100644 --- a/justfile +++ b/justfile @@ -65,12 +65,19 @@ lint-ub *args: ## CI stuff =================================================================== # Build the nix package into the folder `package` (first argument). nix-package *args: - dir="${1:-package}" && \ + dir="${1:-build/package}" && \ cd "{{root_dir}}" && \ nix build "./tools/nix#rdf-protect" \ --out-link "$dir" \ "${@:2}" +nix-image *args: + dir="${1:-build/image}" && \ + cd "{{root_dir}}" && \ + nix build "./tools/nix#images.rdf-protect" \ + --out-link "$dir" \ + "${@:2}" + # Upload all images for CI. upload-ci-images: cd "{{root_dir}}" && \ 
diff --git a/tools/lint-ub-rust.sh b/tools/lint-ub-rust.sh index d2aaab9..71c1725 100755 --- a/tools/lint-ub-rust.sh +++ b/tools/lint-ub-rust.sh @@ -14,3 +14,5 @@ cargo miri --version print_info "Run Rust Miri to check undefined behaviour." cargo miri test "$@" || die "Rust Miri failed." + +print_info "Done." diff --git a/tools/nix/flake.nix b/tools/nix/flake.nix index 1208885..4dd06ef 100644 --- a/tools/nix/flake.nix +++ b/tools/nix/flake.nix @@ -54,6 +54,7 @@ # Import nixpkgs and load it into pkgs. # Overlay the rust toolchain + lib = nixpkgs.lib; pkgs = import nixpkgs { inherit system overlays; }; @@ -83,6 +84,15 @@ # Things needed at runtime. buildInputs = []; + + # The package of this CLI tool. + # The global version for rdf-protect. + # This is gonna get tooled later. + rdf-protect-version = "1.0.0"; + rdf-protect = (import ./pkgs/rdf-protect.nix) { + inherit rootDir rustToolchain pkgs lib; + version = rdf-protect-version; + }; in with pkgs; rec { devShells = rec { @@ -95,15 +105,15 @@ }; packages = { - rdf-protect = (import ./pkgs/rdf-protect.nix) { - inherit rootDir rustToolchain pkgs lib; - }; - images = { ci = (import ./images/ci.nix) { inherit pkgs; devShellDrv = devShells.ci; }; + + rdf-protect = (import ./images/rdf-protect.nix) { + inherit pkgs rdf-protect; + }; }; }; } diff --git a/tools/nix/images/rdf-protect.nix b/tools/nix/images/rdf-protect.nix new file mode 100644 index 0000000..465f2c5 --- /dev/null +++ b/tools/nix/images/rdf-protect.nix @@ -0,0 +1,12 @@ +{ + pkgs, + rdf-protect, +}: +pkgs.dockerTools.buildImage { + name = "ghcr.io/sdsc-order/rdf-protect"; + tag = rdf-protect.version; + + config = { + Cmd = "${rdf-protect}/bin/rdf-protect"; + }; +} diff --git a/tools/nix/pkgs/rdf-protect.nix b/tools/nix/pkgs/rdf-protect.nix index 99813e7..9e50784 100644 --- a/tools/nix/pkgs/rdf-protect.nix +++ b/tools/nix/pkgs/rdf-protect.nix @@ -3,6 +3,7 @@ lib, rustToolchain, rootDir, + version, ... }: let rustPlatform = pkgs.makeRustPlatform { 
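Review bot: The new `tools/nix/images/rdf-protect.nix` names the image `ghcr.io/sdsc-order/rdf-protect`, while every CI image reference in the workflows of this series uses the `sdsc-ordes` organisation; the typo means the release image would be pushed to a different — and, if it does not exist, unowned — namespace. Change it to `name = "ghcr.io/sdsc-ordes/rdf-protect";` (patch 23 carries the typo forward as context). `Cmd` is also given as a bare string here; the image config expects a list, which patch 23 corrects to `Cmd = ["/bin/rdf-protect"];`.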
@@ -13,7 +14,7 @@ in rustPlatform.buildRustPackage { name = "rdf-protect"; src = rootDir; - version = "1.0.0"; + inherit version; cargoLock = { lockFile = rootDir + "/Cargo.lock"; From b21ea25c175fe0fa100b20bccc26c65866372122 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 28 Jun 2024 23:08:53 +0200 Subject: [PATCH 23/68] fix: Build image too --- justfile | 2 +- tools/nix/flake.nix | 2 ++ tools/nix/images/rdf-protect.nix | 9 ++++++++- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/justfile b/justfile index cf638bf..998bc34 100644 --- a/justfile +++ b/justfile @@ -72,7 +72,7 @@ nix-package *args: "${@:2}" nix-image *args: - dir="${1:-build/image}" && \ + dir="${1:-build}/image.tar.gz" && \ cd "{{root_dir}}" && \ nix build "./tools/nix#images.rdf-protect" \ --out-link "$dir" \ diff --git a/tools/nix/flake.nix b/tools/nix/flake.nix index 4dd06ef..d75e07b 100644 --- a/tools/nix/flake.nix +++ b/tools/nix/flake.nix @@ -105,6 +105,8 @@ }; packages = { + inherit rdf-protect; + images = { ci = (import ./images/ci.nix) { inherit pkgs; diff --git a/tools/nix/images/rdf-protect.nix b/tools/nix/images/rdf-protect.nix index 465f2c5..2d921fe 100644 --- a/tools/nix/images/rdf-protect.nix +++ b/tools/nix/images/rdf-protect.nix @@ -6,7 +6,14 @@ pkgs.dockerTools.buildImage { name = "ghcr.io/sdsc-order/rdf-protect"; tag = rdf-protect.version; + copyToRoot = pkgs.buildEnv { + name = "image-root"; + paths = [rdf-protect]; + pathsToLink = ["/bin"]; + }; + config = { - Cmd = "${rdf-protect}/bin/rdf-protect"; + Cmd = ["/bin/rdf-protect"]; + WorkingDir = "/"; }; } From 168083efa9e736b33606318456a17489e282168c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Sat, 29 Jun 2024 21:37:52 +0200 Subject: [PATCH 24/68] fix: correct direnv sourcing --- .envrc | 2 +- tools/nix/flake.nix | 6 ++---- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/.envrc b/.envrc index 1e8b857..b4232c4 100644 --- a/.envrc +++ b/.envrc 
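Review bot: The image config in the `tools/nix/images/rdf-protect.nix` hunk (`@@ -6,7 +6,14`) sets `Cmd` and `WorkingDir` but no `User`, so the published container runs `rdf-protect` as root by default; for a single static binary that writes only where its caller points it, there is no need for that. Add `User = "65534:65534";` next to `WorkingDir` (a numeric uid/gid needs no `/etc/passwd` in the image) with a short reason, `# Run unprivileged; the CLI needs no root capabilities.` The `sdsc-order` image name flagged on patch 22 is still present in this hunk's context.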
@@ -1 +1 @@ -use flake ./nix#default +use flake ./tools/nix#default diff --git a/tools/nix/flake.nix b/tools/nix/flake.nix index d75e07b..7dcf895 100644 --- a/tools/nix/flake.nix +++ b/tools/nix/flake.nix @@ -71,8 +71,6 @@ curl git jq - - podman ]; # Things needed only at compile-time. @@ -80,6 +78,8 @@ rustToolchain cargo-watch just + + skopeo ]; # Things needed at runtime. @@ -100,8 +100,6 @@ inherit buildInputs; nativeBuildInputs = nativeBuildInputsBasic ++ nativeBuildInputsDev; }; - - ci = default; }; packages = { From d9a40a7dec9a5fe717c43677fdd2c0d424ba5f9b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Sun, 30 Jun 2024 01:05:18 +0200 Subject: [PATCH 25/68] fix: improve CI with release flow --- .github/workflows/main-and-pr.yaml | 24 ++ .../workflows/{pipeline.yaml => normal.yaml} | 66 ++++-- .github/workflows/release.yaml | 22 ++ .gitlab/images/Containerfile | 6 +- justfile | 22 +- tools/build-image.sh | 61 +++++ tools/build-package.sh | 18 ++ tools/ci/assert-tag.sh | 55 +++++ tools/ci/push-image.sh | 41 ++++ tools/format-rust.sh | 2 + tools/general.sh | 12 + tools/nix/flake.nix | 4 +- tools/nix/images/rdf-protect.nix | 4 +- tools/nix/pkgs/rdf-protect.json | 3 + tools/nix/pkgs/rdf-protect.nix | 4 +- tools/release.sh | 88 +++++++ tools/start-gitlab-runner-docker.sh | 155 ------------ tools/start-gitlab-runner-podman.sh | 223 ------------------ 18 files changed, 399 insertions(+), 411 deletions(-) create mode 100644 .github/workflows/main-and-pr.yaml rename .github/workflows/{pipeline.yaml => normal.yaml} (70%) create mode 100644 .github/workflows/release.yaml create mode 100755 tools/build-image.sh create mode 100755 tools/build-package.sh create mode 100644 tools/ci/assert-tag.sh create mode 100755 tools/ci/push-image.sh create mode 100644 tools/nix/pkgs/rdf-protect.json create mode 100755 tools/release.sh delete mode 100755 tools/start-gitlab-runner-docker.sh delete mode 100755 tools/start-gitlab-runner-podman.sh 
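Review bot: The last `tools/nix/flake.nix` hunk (`@@ -100,8 +100,6`) deletes `ci = default;` from `devShells`, yet `devShells.ci` is still consumed by `images/ci.nix` (`devShellDrv = devShells.ci`, visible as context in patch 22) and by the Containerfile's `nix build --no-link "./tools/nix#devShells.x86_64-linux.ci"`, so evaluating the flake or rebuilding the CI images should now fail on a missing attribute. Either keep the alias (`ci = default;`) or point both consumers at `devShells.default`; patch 25 touches `flake.nix` again (4 lines in its diffstat), so this may be resolved there, but that hunk is not visible in this chunk.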
diff --git a/.github/workflows/main-and-pr.yaml b/.github/workflows/main-and-pr.yaml new file mode 100644 index 0000000..c763e65 --- /dev/null +++ b/.github/workflows/main-and-pr.yaml @@ -0,0 +1,24 @@ +name: Main and PR Pipeline + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +defaults: + run: + shell: bash + +on: + push: + branches: + - main + + pull_request: + branches: + - main + +jobs: + normal: + uses: ./.github/workflows/normal.yaml + with: + is_release: false diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/normal.yaml similarity index 70% rename from .github/workflows/pipeline.yaml rename to .github/workflows/normal.yaml index f3ddd31..b187c9d 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/normal.yaml @@ -12,7 +12,7 @@ # a step with `uses: docker://...` but then `run:` does not work, how stupid ... # (need to write an own action in the repo, 💩) # -name: rdf-protect +name: Normal Pipeline concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} @@ -23,13 +23,11 @@ defaults: shell: bash on: - push: - branches: - - main - - pull_request: - branches: - - main + workflow_call: + inputs: + is_release: + required: true + type: boolean jobs: format: @@ -39,8 +37,10 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + fetch-depth: 0 - - name: format + - name: Format run: | source .gitlab/scripts/before-script.sh && cat justfile && 
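Review bot: Neither the new `main-and-pr.yaml` nor the reusable `normal.yaml` it calls declares a `permissions:` block, so every job — including `deploy`, which pushes an image and a tag — runs with whatever the repository's default `GITHUB_TOKEN` scope is, and the same token reaches the `pull_request`-triggered jobs that need no write access at all. Set `permissions: contents: read` at the top of the caller workflow and grant only the `deploy` job what it needs (`contents: write` for the tag push, `packages: write` for GHCR), which keeps a compromised lint or build step from being able to publish. The same applies to `release.yaml` added in this patch.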
@@ -53,18 +53,21 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + fetch-depth: 0 - - name: lint + - name: Lint run: | source .gitlab/scripts/before-script.sh && just nix-develop just lint - - name: lint-undefined-behavior + - name: Lint Undefined-Behavior + continue-on-error: true run: | source .gitlab/scripts/before-script.sh && just nix-develop just lint-ub - - name: allow to fail + - name: Allow to fail if: failure() run: echo "lint-up failed -> continue." @@ -92,8 +95,10 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + fetch-depth: 0 - - name: test + - name: Test run: | source .gitlab/scripts/before-script.sh && just nix-develop just test @@ -102,24 +107,55 @@ jobs: runs-on: ubuntu-latest container: image: ghcr.io/sdsc-ordes/rdf-protect:ci-package-1.0.0 + + if: ${{ ! input.is_release }} + steps: - name: Checkout uses: actions/checkout@v4 + with: + fetch-depth: 0 - - name: build derivation with nix + - name: Build derivation with nix + run: | + source .gitlab/scripts/before-script.sh && + just nix-package + + - name: Build the image with nix run: | source .gitlab/scripts/before-script.sh && just nix-package deploy: runs-on: ubuntu-latest + needs: [format, lint, build, test] container: image: ghcr.io/sdsc-ordes/rdf-protect:ci-deploy-1.0.0 + + if: ${{ input.is_release }} + steps: - name: Checkout uses: actions/checkout@v4 + with: + fetch-depth: 0 - - name: build container image (nix) + - name: Create version tag (if release) + run: | + source .gitlab/scripts/before-script.sh && + ./tools/ci/assert-tag.sh "$GITHUB_REF" + + - name: Build container image (nix) run: | source .gitlab/scripts/before-script.sh && just nix-image + + - name: Push image (if release) + run: | + source .gitlab/scripts/before-script.sh && + ./tools/ci/push-image.sh + + - name: Push tag (if release) + run: | + source .gitlab/scripts/before-script.sh && + ./tools/ci/assert-tag.sh --push "$GITHUB_REF" 
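Review bot: The `if:` conditions added to the `package` and `deploy` jobs in the last hunk (`@@ -102,24 +107,55`) reference `input.is_release`, but the `workflow_call` input context is `inputs`; GitHub rejects an unrecognised named value at parse time, so the whole workflow fails before any job starts. They should read `if: ${{ ! inputs.is_release }}` and `if: ${{ inputs.is_release }}`. In the same hunk the new `Build the image with nix` step still runs `just nix-package` (a copy of the step above; presumably `just nix-image` was meant), and `deploy` invokes `./tools/ci/assert-tag.sh` directly although the diffstat creates that file with mode `100644`, unlike `push-image.sh`, so the step will fail with permission denied unless the mode is fixed or it is run through `bash`.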
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 0000000..706a6df --- /dev/null +++ b/.github/workflows/release.yaml @@ -0,0 +1,22 @@ +name: Main and PR Pipeline + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +defaults: + run: + shell: bash + +on: + push: + tags: + # This is not a real version tag, its just used to trigger + # the release build. Glob pattern: + - "prepare-v[0-9]+.[0-9]+.[0-9]+*" + +jobs: + release: + uses: ./.github/workflows/normal.yaml + with: + is_release: true diff --git a/.gitlab/images/Containerfile b/.gitlab/images/Containerfile index 4c7656a..6c41711 100644 --- a/.gitlab/images/Containerfile +++ b/.gitlab/images/Containerfile @@ -39,7 +39,7 @@ RUN [ "${CACHE_TOOLCHAIN}" = "false" ] || { cd /container-setup && \ git init && git add . && \ nix --accept-flake-config \ build --no-link "./tools/nix#devShells.x86_64-linux.ci" && \ - nix store optimise } + nix store optimise; } # Format image. @@ -61,3 +61,7 @@ FROM ci-nix as ci-test # Package image. # =============================================== FROM ci-nix as ci-package + +# Deploy image. +# =============================================== +FROM ci-nix as ci-deploy diff --git a/justfile b/justfile index 998bc34..7ec31b2 100644 --- a/justfile +++ b/justfile 
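Review bot: `release.yaml` is named `Main and PR Pipeline`, the same as `main-and-pr.yaml`, so the two workflows are indistinguishable in the Actions UI and share the `${{ github.workflow }}` prefix of their concurrency groups. Rename it, e.g. `name: Release Pipeline`. Since this workflow is the only path that builds and pushes release images, the tag filter also deserves a comment stating the contract as implemented by `tools/ci/assert-tag.sh`: `# Pushing prepare-vX.Y.Z starts the release; the real vX.Y.Z tag is created and pushed by tools/ci/assert-tag.sh after it checks the commit is on main.`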
@@ -59,24 +59,26 @@ lint-ub *args: cd "{{root_dir}}" && \ "{{root_dir}}/tools/lint-ub-rust.sh" {{args}} +# Create a new release for version `version` by +# updating the version file and +# triggering the release workflow. +release version: + cd "{{root_dir}}" && \ + "{{root_dir}}/tools/release.sh" "{{version}}" ## ============================================================================ ## CI stuff =================================================================== + # Build the nix package into the folder `package` (first argument). nix-package *args: - dir="${1:-build/package}" && \ - cd "{{root_dir}}" && \ - nix build "./tools/nix#rdf-protect" \ - --out-link "$dir" \ - "${@:2}" + cd "{{root_dir}}" && \ + "./tools/build-package.sh" "$@" +# Build the Docker image with Nix (distroless by default!). nix-image *args: - dir="${1:-build}/image.tar.gz" && \ - cd "{{root_dir}}" && \ - nix build "./tools/nix#images.rdf-protect" \ - --out-link "$dir" \ - "${@:2}" + cd "{{root_dir}}" && \ + "./tools/build-image.sh" "$@" # Upload all images for CI. upload-ci-images: diff --git a/tools/build-image.sh b/tools/build-image.sh new file mode 100755 index 0000000..87ceaf8 --- /dev/null +++ b/tools/build-image.sh 
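Review bot: The `nix-package` recipe keeps its old comment, `Build the nix package into the folder \`package\` (first argument)`, but the new `tools/build-package.sh` it delegates to hard-codes `dir="build/package"` and forwards every argument to `nix build`, so the first argument is no longer an output folder and would be handed to `nix build` as a flag. Update it to `# Build the nix package into \`build/package\` (extra args go to \`nix build\`).` and, for symmetry, state the output location in the `nix-image` comment too (`build/image/...`, as set by `tools/build-image.sh`).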
@@ -0,0 +1,61 @@ +#!/usr/bin/env bash +# shellcheck disable=SC1090,SC1091 +# +# Build the Nix container image. + +set -euo pipefail + +ROOT_DIR=$(git rev-parse --show-toplevel) +. "$ROOT_DIR/tools/general.sh" + +VERSION_FILE=$(ci_nix_image_version_file) + +function clean_up() { + if ! ci_is_running; then + # Never change the version file, only + # on explicit `just release`. + print_info "Restoring '$VERSION_FILE'." + git restore "$VERSION_FILE" || true + fi +} + +trap clean_up EXIT + +function main() { + args=("$@") + + if ! ci_is_running || ! ci_is_release; then + # Define the image version from Git SHA + version="0.0.0+$(git rev-parse --short=10 HEAD)" + + # Write the temporary version file (gets restored...) + temp=$(mktemp) + jq ".version |= \"$version\"" "$VERSION_FILE" >"$temp" + mv "$temp" "$VERSION_FILE" + else + # When CI and in Release, the requested version must match. + version=$(jq ".version" "$VERSION_FILE") + + release_version=${GITHUB_REF##*prepare-v} + + if [ "$version" != "$release_version" ]; then + die "The version '$version' in '$VERSION_FILE' does not corresponds" \ + "with the version '$release_version' to build." \ + "Update the version file to align!" \ + "Nix is pure and cannot rely on Git tags to" \ + "get the version from." + fi + fi + + image_name=$(nix eval --raw "./tools/nix#images.rdf-protect.imageName") + image_tag=$(nix eval --raw "./tools/nix#images.rdf-protect.imageTag") + dir="build/image/$image_name|$image_tag.tar.gz" + + cd "$ROOT_DIR" + + print_info "Building image '$dir'." + nix build "./tools/nix#images.rdf-protect" \ + --out-link "$dir" "${args[@]}" +} + +main "$@" diff --git a/tools/build-package.sh b/tools/build-package.sh new file mode 100755 index 0000000..f492709 --- /dev/null +++ b/tools/build-package.sh 
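Review bot: In the release branch of `main`, `version=$(jq ".version" "$VERSION_FILE")` keeps the JSON quotes (it yields `"0.0.1"`, not `0.0.1`), so the comparison with `release_version=${GITHUB_REF##*prepare-v}` can never succeed and every release build dies; use `version=$(jq -r ".version" "$VERSION_FILE")`. `VERSION_FILE` is a path relative to the repository root and `nix eval` uses `./tools/nix`, yet `cd "$ROOT_DIR"` only happens after both have run, so the script is correct only when invoked from the root; moving `cd "$ROOT_DIR"` to the first line of `main` removes that dependency. The `--out-link` target `build/image/$image_name|$image_tag.tar.gz` nests directories taken from the registry path (`ghcr.io/…`); I am not certain `nix build` creates missing parent directories, so a `mkdir -p "$(dirname "$dir")"` before the build is cheap insurance.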
@@ -0,0 +1,18 @@ +#!/usr/bin/env bash +# shellcheck disable=SC1090,SC1091 +# +# Build the Nix container image. + +set -euo pipefail + +ROOT_DIR=$(git rev-parse --show-toplevel) +. "$ROOT_DIR/tools/general.sh" + +cd "$ROOT_DIR" + +dir="build/package" + +print_info "Building the package." +nix build "./tools/nix#rdf-protect" \ + --out-link "$dir" \ + "$@" diff --git a/tools/ci/assert-tag.sh b/tools/ci/assert-tag.sh new file mode 100644 index 0000000..9515e52 --- /dev/null +++ b/tools/ci/assert-tag.sh @@ -0,0 +1,55 @@ +#!/usr/bin/env bash +# shellcheck disable=SC1090,SC1091 +# +# Assert that the release tag exists +# and check that its on main. +# On `--push` do push the tag. + +set -euo pipefail + +ROOT_DIR=$(git rev-parse --show-toplevel) +. "$ROOT_DIR/tools/general.sh" + +cd "$ROOT_DIR" + +RELEASE_BRANCH="main" + +function main() { + local push="false" + [ "$1" = "--push" ] && shift 1 && push="true" + + local prepare_tag="$1" + local release_tag=${prepare_tag##*prepare-} + + if [ "$push" = "true" ]; then + print_info "Pushing tag '$release_tag'." + git push origin "$release_tag" || + die "Could not push tag." + + exit 0 + fi + + # Gets the message on the annotated commit: + deref() { + git for-each-ref "refs/tags/$release_tag" --format="%($1)" + } + + deref contents + + # Creates a new tag with the same message, + # including trailing headers. + git tag -a -m "$(deref contents)" "$release_tag" || + die "Could not create tag." + + # Fetch the branch. + git fetch --depth 50 origin "$RELEASE_BRANCH" + + # Check if its reachable. + if [ -n "$(git rev-list --first-parent \ + --ancestry-path \ + "$release_tag^..origin/$RELEASE_BRANCH")" ]; then + die "Tag is not reachable from '$RELEASE_BRANCH' (--first-parent) !" + fi +} + +main "$@" diff --git a/tools/ci/push-image.sh b/tools/ci/push-image.sh new file mode 100755 index 0000000..85e36a7 --- /dev/null +++ b/tools/ci/push-image.sh 
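Review bot: The header comment `# Build the Nix container image.` was copied from build-image.sh and describes the wrong script; this one builds the package derivation `./tools/nix#rdf-protect`, so `# Build the Nix package (tools/nix#rdf-protect) into build/package.` fits. The output directory is hardcoded to `build/package` with no way to override it, while the justfile comment for `nix-package` still speaks of a first argument naming the folder; either expose the directory or fix that comment.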
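Review bot: `deref` reads `refs/tags/$release_tag`, but at that point only the prepare tag exists (the release tag is what this script creates a few lines later), so `git for-each-ref` prints nothing and `git tag -a -m "$(deref contents)" "$release_tag"` gets an empty message (git either refuses it or creates a tag without one); the lookup should be `git for-each-ref "refs/tags/$prepare_tag" --format="%($1)"`. The bare `deref contents` call above it looks like a leftover debug print. The reachability check reads inverted to me: when the tag sits at the tip of `origin/main`, `git rev-list --first-parent --ancestry-path "$release_tag^..origin/$RELEASE_BRANCH"` returns that very commit, the `-n` test succeeds and the script dies on the normal case; `git rev-list --first-parent "origin/$RELEASE_BRANCH" | grep -x "$(git rev-parse "$release_tag^{commit}")" >/dev/null || die "Tag is not on the first-parent line of '$RELEASE_BRANCH'."` expresses the intended test (no `-q`, so `pipefail` does not trip on SIGPIPE). With `set -u`, `[ "$1" = "--push" ]` also aborts with an unbound-variable error instead of a usage message when no argument is given; `"${1:-}"` avoids that.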
@@ -0,0 +1,41 @@ +#!/usr/bin/env bash +# shellcheck disable=SC1090,SC1091 +# +# Push image to the registry. + +set -euo pipefail + +ROOT_DIR=$(git rev-parse --show-toplevel) +. "$ROOT_DIR/tools/general.sh" + +cd "$ROOT_DIR" + +function main() { + if ! ci_is_running; then + die "This script should only be executed in CI" + fi + + local image_names=() + readarray -t image_names < <(cd build/image && find ./ -name "*.tar.gz") + + for image_name in "${image_names[@]}"; do + + image_path="$ROOT_DIR/build/image/$image_name" + image_name=${image_name%.tar.gz} # Split `.tar.gz` from end. + image_name=${image_name#./} # Split `./` from front. + image_name=${image_name/|/:} # Replace `|` with `:`. + + print_info "Uploading image: '$image_name' in '$image_path'." + + print_info "Upload the build image from Nix to the registry" + skopeo \ + --insecure-policy \ + copy \ + --dest-authfile "$HOME/.docker/config.json" \ + "docker-archive://$image_path" \ + "docker://$image_name" + + done +} + +main "$@" diff --git a/tools/format-rust.sh b/tools/format-rust.sh index c2a8d8f..467e803 100755 --- a/tools/format-rust.sh +++ b/tools/format-rust.sh @@ -16,6 +16,8 @@ fi cargo --version cargo fmt --version +git diff --name-status + print_info "Run Rust format." cargo fmt "${fmt_args[@]}" "$@" diff --git a/tools/general.sh b/tools/general.sh index 15f45d0..09e02e6 100755 --- a/tools/general.sh +++ b/tools/general.sh @@ -53,6 +53,18 @@ function ci_is_running() { return 1 } +function ci_is_release() { + if [ "${CI_IS_RELEASE:-}" = "true" ]; then + return 0 + fi + + return 1 +} + +function ci_nix_image_version_file() { + echo "tools/nix/pkgs/rdf-protect.json" +} + function ci_wrap_container() { local container="$1" local nix_shell="$2" diff --git a/tools/nix/flake.nix b/tools/nix/flake.nix index 7dcf895..5162e6b 100644 --- a/tools/nix/flake.nix +++ b/tools/nix/flake.nix 
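Review bot: The script only refuses to run outside CI (`ci_is_running`) and never checks `ci_is_release`, although the workflow step calling it is labelled "Push image (if release)"; unless that step carries an `if:` outside these hunks, every CI run pushes a `0.0.0+<sha>` image to the registry. Adding `ci_is_release || { print_info "Not a release, skipping push."; exit 0; }` at the top of `main` makes the script self-contained. `skopeo --insecure-policy` disables the signature policy for this copy; that is usually acceptable for a locally built `docker-archive:` source, but a one-line comment saying why it is needed (presumably no `policy.json` in the CI image) keeps the next reader from treating it as a bug. The `image_name=${image_name/|/:}` substitution replaces only the first `|`, which matches the single separator build-image.sh writes, so a comment tying the two scripts together is worth adding.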
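Review bot: The added `git diff --name-status` in format-rust.sh runs unconditionally before the formatter and prints unrelated working-tree changes on every invocation, which reads like a leftover from debugging; if it is intended as CI diagnostics, keep it behind `ci_is_running` and comment it (`# Show files already modified before formatting (CI diagnostics).`), otherwise drop it.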
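Review bot: `ci_nix_image_version_file` returns a path relative to the repository root, which silently breaks for any caller that has not changed into that directory first (build-image.sh in this commit calls it before its `cd "$ROOT_DIR"`); either return an absolute path (`echo "$(git rev-parse --show-toplevel)/tools/nix/pkgs/rdf-protect.json"`) or document the precondition with `# Path relative to the repository root; callers must run from there.`. `ci_is_release` mirrors the shape of `ci_is_running`, which is good; a comment such as `# CI_IS_RELEASE is expected to be set by the release workflow.` would say where the variable comes from.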
@@ -88,14 +88,12 @@ # The package of this CLI tool. # The global version for rdf-protect. # This is gonna get tooled later. - rdf-protect-version = "1.0.0"; rdf-protect = (import ./pkgs/rdf-protect.nix) { inherit rootDir rustToolchain pkgs lib; - version = rdf-protect-version; }; in with pkgs; rec { - devShells = rec { + devShells = { default = mkShell { inherit buildInputs; nativeBuildInputs = nativeBuildInputsBasic ++ nativeBuildInputsDev; diff --git a/tools/nix/images/rdf-protect.nix b/tools/nix/images/rdf-protect.nix index 2d921fe..deb31d4 100644 --- a/tools/nix/images/rdf-protect.nix +++ b/tools/nix/images/rdf-protect.nix @@ -3,7 +3,7 @@ rdf-protect, }: pkgs.dockerTools.buildImage { - name = "ghcr.io/sdsc-order/rdf-protect"; + name = "ghcr.io/sdsc-ordes/rdf-protect"; tag = rdf-protect.version; copyToRoot = pkgs.buildEnv { @@ -13,7 +13,7 @@ pkgs.dockerTools.buildImage { }; config = { - Cmd = ["/bin/rdf-protect"]; + Entrypoint = ["/bin/rdf-protect"]; WorkingDir = "/"; }; } diff --git a/tools/nix/pkgs/rdf-protect.json b/tools/nix/pkgs/rdf-protect.json new file mode 100644 index 0000000..64d7fb8 --- /dev/null +++ b/tools/nix/pkgs/rdf-protect.json @@ -0,0 +1,3 @@ +{ + "version": "0.0.1" +} diff --git a/tools/nix/pkgs/rdf-protect.nix b/tools/nix/pkgs/rdf-protect.nix index 9e50784..8d74626 100644 --- a/tools/nix/pkgs/rdf-protect.nix +++ b/tools/nix/pkgs/rdf-protect.nix @@ -3,7 +3,6 @@ lib, rustToolchain, rootDir, - version, ... }: let rustPlatform = pkgs.makeRustPlatform { @@ -14,7 +13,8 @@ in rustPlatform.buildRustPackage { name = "rdf-protect"; src = rootDir; - inherit version; + + version = (lib.importJSON ./rdf-protect.json).version; cargoLock = { lockFile = rootDir + "/Cargo.lock"; diff --git a/tools/release.sh b/tools/release.sh new file mode 100755 index 0000000..e0285c7 --- /dev/null +++ b/tools/release.sh 
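Review bot: In images/rdf-protect.nix the config now sets `Entrypoint` and `WorkingDir` but still no `User`, so the container runs as root by default; a numeric `User = "65534:65534";` needs no `/etc/passwd` in the image, or add `pkgs.dockerTools.fakeNss` to the root contents for a named user. The registry name fix `sdsc-order` → `sdsc-ordes` is correct here, but note that ci.nix keeps the old spelling, so the two image families end up under different organisations unless that file is updated as well.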
@@ -0,0 +1,88 @@ +#!/usr/bin/env bash +# shellcheck disable=SC1090,SC1091 +# +# Creating a prepare tag to trigger the release process on the +# Github workflow. Can only be called on `main`. +# +# Usage: release.sh "1.2.0" + +set -euo pipefail + +ROOT_DIR=$(git rev-parse --show-toplevel) +. "$ROOT_DIR/tools/general.sh" + +function delete_prepare_tags() { + readarray -t prepareTag < <(git tag --list "prepare-*") + + for tag in "${prepareTag[@]}"; do + print_info "Deleting prepare tag '$tag'." + git push -f origin ":${tag}" || true + git tag -d "$tag" + done +} + +function commit_version_file() { + local version="$1" + print_info "Writing new version file... (for Nix)" + + temp=$(mktemp) + jq ".version |= \"$version\"" "$VERSION_FILE" >"$temp" + mv "$temp" "$VERSION_FILE" + + if ! git diff --quiet --exit-code; then + git add "$VERSION_FILE" + git commit -m "chore: update Nix package version to '$version'" + fi +} + +function create_tag() { + tag="v$version" + if git tag --list "v*" | grep -qE "^$tag$"; then + print_info "Git tag '$tag' already exists." + exit 1 + fi + + if git ls-remote "refs/tags/v*" | grep -qE "^$tag$"; then + print_info "Git tag '$tag' already exists." + exit 1 + fi + + print_info "Tagging..." + git tag -a -m "Version $tag" "prepare-$tag" + + print_info "Tag contains:" + git cat-file -p "prepare-$tag" +} + +function trigger_build() { + printf "Do you want to trigger the build? [y|n]: " + read -r answer + if [ "$answer" != "y" ]; then + die "Do not trigger build -> abort." + fi + + print_info "Pushing tag 'prepare-$tag'." + git push -f origin --no-follow-tags "$branch" "prepare-$tag" +} + +function main() { + cd "$ROOT_DIR" + + version="$1" + branch=$(git branch --show-current) + + if [ "$branch" != "main" ]; then + die "Can only tag on 'main'." + fi + + if ! git diff --quiet --exit-code; then + die "You have changes on this branch." + fi + + delete_prepare_tags + commit_version_file "$version" + create_tag + trigger_build +} + +main "$@" 
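Review bot: `VERSION_FILE` is read in `commit_version_file` but never assigned in this script, so under `set -u` the first `jq` call aborts with an unbound-variable error; add `VERSION_FILE=$(ci_nix_image_version_file)` after sourcing general.sh. The remote check `git ls-remote "refs/tags/v*" | grep -qE "^$tag$"` can never match — `ls-remote` takes a remote name first and prints `<sha>\trefs/tags/<name>` lines — so `git ls-remote --exit-code --tags origin "refs/tags/$tag" >/dev/null && die "Git tag '$tag' already exists on origin."` is the test that was intended. `git push -f origin --no-follow-tags "$branch" "prepare-$tag"` force-pushes `main` together with the tag, which can overwrite commits on the remote when the local branch is behind; push the branch without `-f` (or with `--force-with-lease`) and force only the `prepare-*` ref, which is freshly created anyway. `version` comes straight from the command line and is spliced into a jq program string (`".version |= \"$version\""`); `jq --arg v "$version" '.version = $v'` avoids both the quoting problem and filter injection, and a format check such as `[[ "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+ ]] || die "Invalid version '$version'."` rejects typos before anything is tagged or pushed.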
diff --git a/tools/start-gitlab-runner-docker.sh b/tools/start-gitlab-runner-docker.sh
deleted file mode 100755
index c52ed8e..0000000
--- a/tools/start-gitlab-runner-docker.sh
+++ /dev/null
@@ -1,155 +0,0 @@ -#!/usr/bin/env bash -# shellcheck disable=SC1090,SC1091 -# -# Create a gitlab runner (docker executor) -# by first visiting `CI/CD Settings` page and -# creating a `linux` runner which gives you a `` needed -# for this script. -# -# This creates a docker container which runs the Gitlab runner -# which will execute jobs over the `docker` executor. -# The running container is not that safe in the sense that the Docker socket -# is mounted into the container (privilege escalation can be done: -# - https://blog.nestybox.com/2020/10/21/gitlab-dind.html -# - https://github.com/stealthcopter/deepce). -# -# TODO: This script should use the runtime `sysbox-runc` for better isolation. -# So far its not available on NixOS. -# https://github.com/NixOS/nixpkgs/issues/271901 -# -# The `gitlab-runner` does not forward the socket to the job containers -# because that would be to risky. Nevertheless, -# docker-in-docker for a job works as shown below. -# -# Usage: -# ```shell -# start-gitlab-runner-docker.sh [--force] [] -# ``` -# Read token from stdin. - -# Usage in Pipeline: -# -# A job which uses `docker` to run/build images. -# the `service`-container `docker:24-dind`. -# -# ```yaml -# docker-run-build: -# image: docker:24 -# # -# # When you use the dind service, you must instruct Docker to talk with -# # the daemon started inside of the service 'docker:*-dind'. -# # The daemon is available with a network connection instead of the default -# # /var/run/docker.sock socket. -# # Docker does this automatically by setting the DOCKER_HOST in -# # https://github.com/docker-library/docker/blob/master/docker-entrypoint.sh#L30 -# # The 'docker' hostname is the alias of the service container as described -# # at https://docs.gitlab.com/ee/ci/services/#accessing-the-services. 
-# # which is `docker` and then DOCKER_HOST=tcp://docker:2376 -# services: -# - docker:24-dind -# -# script: -# - docker info -# - docker run alpine:latest cat /etc/os-release -# - docker build -f Dockerfile . -# ``` - -set -e -set -u - -ROOT=$(git rev-parse --show-toplevel) -. "$ROOT/tools/general.sh" - -force="false" -max_jobs=4 -config_dir="$ROOT/.gitlab/local/config" -runner_name="gitlab-runner-md2pdf-docker" -cores=$(grep "^cpu\\scores" /proc/cpuinfo | uniq | cut -d ' ' -f 3) - -function modify_config() { - local key="$1" - local value="$2" - local type="${3:-json}" - - docker run --rm -v "$config_dir/config.toml:/config.toml" \ - "ghcr.io/tomwright/dasel" put -f /config.toml \ - -t "$type" \ - -s "$key" \ - -v "$value" || - die "Could not set gitlab runner config key '$key' to '$value'" -} - -function create() { - local token="${1:-}" - - if [ "$token" = "-" ] || [ -z "$token" ]; then - read -rs -p "Enter Gitlab Runner Token: " token || - die "Could not read token from TTY." - fi - - rm -rf "$config_dir" >/dev/null || true - mkdir -p "$config_dir" - - docker run -d \ - --cpus "$cores" \ - --name "$runner_name" \ - --restart always \ - -v /var/run/docker.sock:/var/run/docker.sock \ - -v "$config_dir":/etc/gitlab-runner \ - gitlab/gitlab-runner:latest || die "Could not create gitlab-runner" - - docker exec -it "$runner_name" gitlab-runner register \ - --non-interactive \ - --url "https://gitlab.com" \ - --token "$token" \ - --executor docker \ - --description "$runner_name" \ - --docker-image "alpine:latest" \ - --docker-privileged \ - --docker-volumes "/certs/client" || die "Could not start gitlab runner" - - modify_config ".concurrent" "$max_jobs" - modify_config ".runners.first().docker.pull_policy" \ - '["always", "if-not-present"]' - - docker exec -it "$runner_name" gitlab-runner start || die "Could not start runner." -} - -function stop() { - if is_running; then - print_info "Stop runner '$runner_name' ..." 
- docker stop "$runner_name" - - fi - - if is_exited; then - # shellcheck disable=SC2046 - docker rm $(docker ps -a -q) - fi -} - -function is_running() { - [ "$(docker inspect -f '{{.State.Status}}' "$runner_name" 2>/dev/null || true)" = 'running' ] || return 1 - return 0 -} - -function is_exited() { - [ "$(docker inspect -f '{{.State.Status}}' "$runner_name" 2>/dev/null || true)" = 'exited' ] || return 1 - return 0 -} - -if [ "${1:-}" = "--force" ]; then - force="true" - shift 1 -fi - -if [ "$force" = "true" ]; then - stop -fi - -if ! is_running; then - create "$@" -else - print_info "Gitlab runner '$runner_name' is already running. Restart it." - docker restart "$runner_name" || die "Could not restart gitlab runner" -fi diff --git a/tools/start-gitlab-runner-podman.sh b/tools/start-gitlab-runner-podman.sh deleted file mode 100755 index efc9ae8..0000000 --- a/tools/start-gitlab-runner-podman.sh +++ /dev/null 
@@ -1,223 +0,0 @@ -#!/usr/bin/env bash -# shellcheck disable=SC1090,SC1091,SC2015 -# -# Create a gitlab runner (docker executor) -# by first visiting `CI/CD Settings` page and -# creating a `linux` runner which gives you a `` needed -# for this script. -# -# This creates a container which runs the Gitlab runner -# which will execute jobs over the `podman` executor. -# -# This container is based on [`pipglr`](https://gitlab.com/qontainers/pipglr) -# which uses two container volumes (`pipglr-storage` and `pipglr-cache`) -# which are attached and contains -# `podman` (user `podman`) and `gitlab-runner` (user `runner`) -# to have a rootless container experience which provides much more security. -# The two volumes contain the images created/built by CI. The volumes can safely -# be wiped if space is needed. -# -# The podman socket created inside this container -# will be mounted to each job container the `gitlab-runner` creates. -# This makes also use of caching directly possible which is cool. -# -# Usage: -# ```shell -# start-gitlab-runner-docker.sh [--force] [] -# ``` -# Read token from stdin. -# ```shell -# start-gitlab-runner-docker.sh [--force] - -# -# Usage in Pipeline: -# -# A job which uses `podman` (linked to podman) to run/build images. -# The gitlab-runner cannot serve `services` statements as in the -# `start-gitlab-runner-docker.sh` (uses `docker` -# `--link` which is anyway deprecated) -# -# ```yaml -# podman-remote-run-build: -# image: quay.io/podman/stable:latest -# variables: -# CONTAINER_HOST: unix://var/run/docker.sock -# script: -# - podman info -# - podman run alpine:latest cat /etc/os-release -# - podman build -f Dockerfile . -# ``` -# -# The following (custom build image) also works: -# -# ```yaml -# podman-remote-alpine-run-build: -# image: alpine:latest -# variables: -# CONTAINER_HOST: unix://var/run/docker.sock -# script: -# - apk add podman -# - podman info -# - podman run alpine:latest cat /etc/os-release -# - podman build -f Dockerfile . 
-# ``` - -set -e -set -u - -ROOT=$(git rev-parse --show-toplevel) -. "$ROOT/tools/general.sh" - -force="false" -max_jobs=4 -config_dir="$ROOT/.gitlab/local/config" -runner_name="gitlab-runner-md2pdf-podman" -cores=$(grep "^cpu\\scores" /proc/cpuinfo | uniq | cut -d ' ' -f 3) -# image="registry.gitlab.com/qontainers/pipglr:latest" -image="pipglr:dev-latest-alpine" - -function clean_up() { - if [ -f "$config_dir/config.toml" ]; then - rm -rf "$config_dir/config.toml" - fi -} - -trap clean_up EXIT -function modify_config() { - local key="$1" - local value="$2" - local type="${3:-json}" - - podman run --rm -v "$config_dir/config.toml:/config.toml" \ - "ghcr.io/tomwright/dasel" put -f /config.toml \ - -t "$type" \ - -s "$key" \ - -v "$value" || - die "Could not set gitlab runner config key '$key' to '$value'" -} - -function register_runner() { - print_info "Registering gitlab-runner ..." - local token="${1:-}" - - if [ "$token" = "-" ] || [ -z "$token" ]; then - read -rs -p "Enter Gitlab Runner Token: " token || - die "Could not read token from stdin." - fi - - podman secret rm REGISTRATION_TOKEN &>/dev/null || true - echo "$token" | podman secret create REGISTRATION_TOKEN - || - die "Could not set registration token secret." - - # Register Gitlab runner. - (cd "$config_dir" && - touch config.toml && - podman container runlabel register "$image") || - die "Could not register gitlab-runner." - - # Modify Gitlab runner config. - modify_config ".concurrent" "$max_jobs" - modify_config ".runners.first().docker.pull_policy" \ - '["always"]' - modify_config ".runners.first().docker.volumes.append()" \ - "/home/runner/podman.sock:/var/run/podman.sock:rw" string - - # Add an auxiliary volume `auxvol`. 
- modify_config ".runners.first().docker.volumes.append()" \ - "auxvol:/auxvol" string - - modify_config ".runners.first().pre_build_script" \ - "echo 'Prebuild'\\nenv" string - - podman secret rm config.toml &>/dev/null || true - podman secret create config.toml "$config_dir/config.toml" || - die "Could not create config.toml secret." - - print_info "Config file:" \ - "$(sed 's/token\s*=.*/token = ***/g' "$config_dir/config.toml")" - - rm "$config_dir/config.toml" -} - -function assert_volumes() { - print_info "Asserting needed volumes ..." - - local volumes - volumes=$(podman volume list --format="{{ .Name }}") || - die "Could not get volumes" - - if ! echo "$volumes" | grep -q "pipglr-storage"; then - podman container runlabel setupstorage "$image" - fi - - if ! echo "$volumes" | grep -q "pipglr-cache"; then - podman container runlabel setupcache "$image" - fi -} - -function start_runner() { - print_info "Start runner '$runner_name' ..." - - # Run the Gitlab runner. We cannot user `podman container runlabel run "$image"` - # because we need to set some cpu constraints. - podman run -dt --name "$runner_name" \ - --cpus "$cores" \ - --secret config.toml,uid=1001,gid=1001 \ - -v pipglr-storage:/home/podman/.local/share/containers \ - -v pipglr-cache:/cache \ - --systemd true --privileged \ - --device /dev/fuse "$image" - - podman exec -it --user root "$runner_name" \ - bash -c "mkdir -p /etc/containers; - cp /usr/share/containers/seccomp.json /etc/containers/seccomp.json" -} - -function create() { - rm -rf "$config_dir" >/dev/null || true - mkdir -p "$config_dir" - - register_runner "$@" - assert_volumes - - start_runner -} - -function stop() { - if is_running; then - print_info "Stop runner '$runner_name' ..." 
- podman stop "$runner_name" - - fi - - if is_exited; then - # shellcheck disable=SC2046 - podman rm $(podman ps -a -q) - fi -} - -function is_running() { - [ "$(podman inspect -f '{{.State.Status}}' "$runner_name" 2>/dev/null || true)" = 'running' ] || return 1 - return 0 -} - -function is_exited() { - [ "$(podman inspect -f '{{.State.Status}}' "$runner_name" 2>/dev/null || true)" = 'exited' ] || return 1 - return 0 -} - -if [ "${1:-}" = "--force" ]; then - force="true" - shift 1 -fi - -if [ "$force" = "true" ]; then - stop -fi - -if ! is_running; then - create "$@" -else - print_info "Gitlab runner '$runner_name' is already running. Restart it." - podman restart "$runner_name" || - die "Could not restart gitlab runner '$runner_name'." -fi From 3179fa7dba62b5d365367880f818258b42a78fe3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Wed, 3 Jul 2024 12:55:52 +0200 Subject: [PATCH 26/68] fix: cleanup all unused shit --- {.gitlab => .github}/images/Containerfile | 3 +- {.gitlab => .github}/scripts/before-script.sh | 0 {.gitlab => .github}/scripts/upload-images.sh | 6 +- .github/workflows/normal.yaml | 24 ++-- .gitlab/.gitignore | 1 - .gitlab/pipeline.yaml | 44 -------- justfile | 2 +- src/rdf_types.rs | 9 ++ tools/build-image.sh | 8 +- tools/general.sh | 103 ------------------ tools/lint-rust.sh | 2 +- tools/nix/flake.nix | 8 +- tools/nix/images/ci.nix | 26 +++-- tools/nix/images/rdf-protect.nix | 10 +- tools/nix/pkgs/rdf-protect.json | 3 - tools/nix/pkgs/rdf-protect.nix | 7 +- 16 files changed, 59 insertions(+), 197 deletions(-) rename {.gitlab => .github}/images/Containerfile (96%) rename {.gitlab => .github}/scripts/before-script.sh (100%) rename {.gitlab => .github}/scripts/upload-images.sh (85%) delete mode 100644 .gitlab/.gitignore delete mode 100644 .gitlab/pipeline.yaml create mode 100644 src/rdf_types.rs delete mode 100644 tools/nix/pkgs/rdf-protect.json 
diff --git a/.gitlab/images/Containerfile b/.github/images/Containerfile similarity index 96% rename from .gitlab/images/Containerfile rename to .github/images/Containerfile index 6c41711..0473bc4 100644 --- a/.gitlab/images/Containerfile +++ b/.github/images/Containerfile @@ -17,7 +17,7 @@ ARG USER_NAME=ci ARG USER_UID=1000 ARG USER_GID=1000 ARG CACHE_TOOLCHAIN=false -# ARG USER_HOME="/github/home" +ARG USER_HOME="/github/home" RUN [ "TARGETPLATFORM" = "linux/amd64" ] || echo "Platform not yet supported." COPY ./tools /container-setup/tools @@ -26,6 +26,7 @@ COPY ./tools /container-setup/tools RUN bash -c ". /container-setup/tools/general.sh && ci_setup_nix" # Create user (does not work because action/checkout uses `root` in its own container ... 💩) +# Leave this code here for a reference: # RUN mkdir -p "$USER_HOME" && \ # adduser "$USER_NAME" -s /bin/zsh -D -u "$USER_UID" -g "$USER_GID" -h "$USER_HOME/$USER_NAME" && \ # mkdir -p /etc/sudoers.d && \ diff --git a/.gitlab/scripts/before-script.sh b/.github/scripts/before-script.sh similarity index 100% rename from .gitlab/scripts/before-script.sh rename to .github/scripts/before-script.sh diff --git a/.gitlab/scripts/upload-images.sh b/.github/scripts/upload-images.sh similarity index 85% rename from .gitlab/scripts/upload-images.sh rename to .github/scripts/upload-images.sh index 2920bea..3edbbd0 100755 --- a/.gitlab/scripts/upload-images.sh +++ b/.github/scripts/upload-images.sh @@ -3,6 +3,7 @@ set -e set -u +DIR=$(cd -- "$(dirname -- "$0")" &>/dev/null && pwd) ROOT_DIR=$(git rev-parse --show-toplevel) . "$ROOT_DIR/tools/general.sh" @@ -11,7 +12,8 @@ cd "$ROOT_DIR" function build_ci_image() { local image_type="$1" local repository="$2" - local tag="$image_type-$3" + local version="$3" + local tag="$image_type-$version" local image_name="$repository:$tag" 
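Review bot: The context line `RUN [ "TARGETPLATFORM" = "linux/amd64" ] || echo "Platform not yet supported."` compares the literal string `TARGETPLATFORM` with `linux/amd64`, so the test is always false and, since it only echoes, the build continues on every platform; it should read `RUN [ "$TARGETPLATFORM" = "linux/amd64" ] || { echo "Platform not yet supported."; exit 1; }` with `ARG TARGETPLATFORM` declared in the stage so BuildKit's value is visible. Uncommenting `ARG USER_HOME="/github/home"` while the `adduser` block below it stays commented leaves the argument unused; a note such as `# Kept for the reference block below; unused until user creation works.` (or dropping it until then) avoids the question.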
@@ -27,7 +29,7 @@ function build_ci_image() { repository="${1:-ghcr.io/sdsc-ordes/rdf-protect}" tag="${2:-1.0.0}" -container_file=".gitlab/images/Containerfile" +container_file="$DIR/../images/Containerfile" if [ "${CI:-}" = "true" ]; then ci_container_mgr_login "$DOCKER_REPOSITORY_READ_USERNAME" "$DOCKER_REPOSITORY_READ_TOKEN" diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index b187c9d..d8e09b1 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml @@ -42,7 +42,7 @@ jobs: - name: Format run: | - source .gitlab/scripts/before-script.sh && + source .github/scripts/before-script.sh && cat justfile && just nix-develop just format @@ -58,13 +58,13 @@ jobs: - name: Lint run: | - source .gitlab/scripts/before-script.sh && + source .github/scripts/before-script.sh && just nix-develop just lint - name: Lint Undefined-Behavior continue-on-error: true run: | - source .gitlab/scripts/before-script.sh && + source .github/scripts/before-script.sh && just nix-develop just lint-ub - name: Allow to fail @@ -81,11 +81,11 @@ jobs: - name: build run: | - source .gitlab/scripts/before-script.sh && + source .github/scripts/before-script.sh && just nix-develop just build - name: tests run: | - source .gitlab/scripts/before-script.sh && + source .github/scripts/before-script.sh && just nix-develop just test test: @@ -100,7 +100,7 @@ jobs: - name: Test run: | - source .gitlab/scripts/before-script.sh && + source .github/scripts/before-script.sh && just nix-develop just test package: @@ -118,12 +118,12 @@ jobs: - name: Build derivation with nix run: | - source .gitlab/scripts/before-script.sh && + source .github/scripts/before-script.sh && just nix-package - name: Build the image with nix run: | - source .gitlab/scripts/before-script.sh && + source .github/scripts/before-script.sh && just nix-package deploy: 
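Review bot: The script pushes images but logs in with `$DOCKER_REPOSITORY_READ_USERNAME`/`$DOCKER_REPOSITORY_READ_TOKEN`; if those secrets really are read-only the push is rejected, and if they carry write scope the name hides that a pull credential is also a publish credential. Naming the secret for its actual scope (a dedicated write token for this script) keeps the least-privilege picture visible from the workflow. The new `container_file="$DIR/../images/Containerfile"` works but depends on the script living in `.github/scripts`; `"$ROOT_DIR/.github/images/Containerfile"` reads more plainly since `ROOT_DIR` is already computed.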
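Review bot: In normal.yaml's `package` job (hunk `@@ -118,12`), the step named `Build the image with nix` runs `just nix-package` — the same recipe as the step before it — so the image is never built there; it should call `just nix-image`. The `build` job (hunk `@@ -81,11`) also runs `just test` and the separate `test` job runs it again, which doubles the test time per pipeline unless the duplication is deliberate. The remaining hunks in this file only rewrite the `before-script.sh` path.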
@@ -142,20 +142,20 @@ jobs: - name: Create version tag (if release) run: | - source .gitlab/scripts/before-script.sh && + source .github/scripts/before-script.sh && ./tools/ci/assert-tag.sh "$GITHUB_REF" - name: Build container image (nix) run: | - source .gitlab/scripts/before-script.sh && + source .github/scripts/before-script.sh && just nix-image - name: Push image (if release) run: | - source .gitlab/scripts/before-script.sh && + source .github/scripts/before-script.sh && ./tools/ci/push-image.sh - name: Push tag (if release) run: | - source .gitlab/scripts/before-script.sh && + source .github/scripts/before-script.sh && ./tools/ci/assert-tag.sh --push "$GITHUB_REF" diff --git a/.gitlab/.gitignore b/.gitlab/.gitignore deleted file mode 100644 index 4083037..0000000 --- a/.gitlab/.gitignore +++ /dev/null @@ -1 +0,0 @@ -local diff --git a/.gitlab/pipeline.yaml b/.gitlab/pipeline.yaml deleted file mode 100644 index 0c549b0..0000000 --- a/.gitlab/pipeline.yaml +++ /dev/null @@ -1,44 +0,0 @@ -stages: - - lint - - format - - build - -.defaults-rules: &defaults-rules - - if: "$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME =~ /^feature|bugfix/ || - $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH" - when: always - -.main-rules: &main-rules - - if: "$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH" - when: always - -format: - stage: format - needs: [] - image: ghcr.io/sdsc-order/rdf-protect:ci-format-1.0.0 - rules: - - *defaults-rules - script: - - source .gitlab/scripts/before-script.sh - - just nix-develop-ci just format-general - - just nix-develop-ci just format - -lint: - stage: lint - needs: [] - image: ghcr.io/sdsc-ordes/rdf-protect:ci-lint-1.0.0 - rules: - - *defaults-rules - script: - - source .gitlab/scripts/before-script.sh - - just nix-develop-ci just lint - -build: - stage: build - needs: [] - image: ghcr.io/sdsc-ordes/rdf-protect:ci-build-1.0.0 - rules: - - *defaults-rules - script: - - source .gitlab/scripts/before-script.sh - - just nix-develop-ci just build 
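Review bot: The deploy steps `Create version tag (if release)`, `Push image (if release)` and `Push tag (if release)` call `assert-tag.sh "$GITHUB_REF"` and `push-image.sh` unconditionally within this hunk; if the `if:` guards sit on the step headers above it (outside the hunk) that is fine, otherwise on a plain branch push `GITHUB_REF` is `refs/heads/main`, `assert-tag.sh` would try to create a tag literally named `refs/heads/main`, and `push-image.sh` would publish a `0.0.0+<sha>` image. A guard such as `if: inputs.is_release` on each of these steps, or a `ci_is_release` check inside the scripts, keeps the release-only path explicit.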
diff --git a/justfile b/justfile index 7ec31b2..4aad53e 100644 --- a/justfile +++ b/justfile @@ -83,5 +83,5 @@ nix-image *args: # Upload all images for CI. upload-ci-images: cd "{{root_dir}}" && \ - .gitlab/scripts/upload-images.sh + .github/scripts/upload-images.sh ## ============================================================================ diff --git a/src/rdf_types.rs b/src/rdf_types.rs new file mode 100644 index 0000000..0dfa4de --- /dev/null +++ b/src/rdf_types.rs @@ -0,0 +1,9 @@ +use rio_api; + +#[derive(Eq, PartialEq, Ord, PartialOrd, Debug, Clone, Copy, Hash)] +pub struct NamedNode { + /// The [IRI](https://www.w3.org/TR/rdf11-concepts/#dfn-iri) itself. + pub iri: String, +} + +type NamedNodeView<'a> = rio_api::model::NamedNode<'a>; diff --git a/tools/build-image.sh b/tools/build-image.sh index 87ceaf8..284b70a 100755 --- a/tools/build-image.sh +++ b/tools/build-image.sh @@ -8,7 +8,7 @@ set -euo pipefail ROOT_DIR=$(git rev-parse --show-toplevel) . "$ROOT_DIR/tools/general.sh" -VERSION_FILE=$(ci_nix_image_version_file) +VERSION_FILE=$("$ROOT_DIR/Cargo.toml") function clean_up() { if ! ci_is_running; then @@ -29,12 +29,10 @@ function main() { version="0.0.0+$(git rev-parse --short=10 HEAD)" # Write the temporary version file (gets restored...) - temp=$(mktemp) - jq ".version |= \"$version\"" "$VERSION_FILE" >"$temp" - mv "$temp" "$VERSION_FILE" + dasel put -r toml -f "$VERSION_FILE" -t string -v "$version" .package.version else # When CI and in Release, the requested version must match. - version=$(jq ".version" "$VERSION_FILE") + version=$(dasel get -f "$VERSION_FILE" .package.version -w yaml) release_version=${GITHUB_REF##*prepare-v} diff --git a/tools/general.sh b/tools/general.sh index 09e02e6..a075815 100755 --- a/tools/general.sh +++ b/tools/general.sh 
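Review bot: `#[derive(… Copy …)]` on `NamedNode` cannot compile: `Copy` requires every field to be `Copy` and `iri: String` is not, so either drop `Copy` from the derive list or make the field a borrowed `&'a str` like the `rio_api` view type aliased below. `use rio_api;` is a no-op import (the path is used fully qualified in the alias) and `NamedNodeView` is private and unused, so both will warn; `type NamedNodeView<'a> = rio_api::model::NamedNode<'a>;` needs a `pub` or a use site to justify itself.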
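Review bot: `VERSION_FILE=$("$ROOT_DIR/Cargo.toml")` in build-image.sh is a command substitution, so the shell tries to execute Cargo.toml as a program and, with `set -e`, the script aborts; the intended assignment is `VERSION_FILE="$ROOT_DIR/Cargo.toml"`. In the second hunk, `dasel put -r toml … .package.version` now rewrites the tracked Cargo.toml, which the EXIT trap restores with `git restore "$VERSION_FILE"`; if cargo also updates Cargo.lock for the new package version during the build, that file is not covered by the trap, so confirm the working tree is clean after a local `just nix-image`.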
@@ -61,42 +61,6 @@ function ci_is_release() { return 1 } -function ci_nix_image_version_file() { - echo "tools/nix/pkgs/rdf-protect.json" -} - -function ci_wrap_container() { - local container="$1" - local nix_shell="$2" - shift 2 - local cmd=("$@") - - if command -v nix &>/dev/null; then - # Nix available, wrap over Nix shell. - nix develop "$nix_shell" --command "${cmd[@]}" - else - # No Nix available, wrap over Nix container - ci_container_mgr_run_mounted "$(pwd)" "$container" \ - nix develop "$nix_shell" --command "${cmd[@]}" - fi -} - -function ci_setup_githooks() { - local installPrefix="${1:-$CI_BUILDS_DIR/githooks}" - mkdir -p "$installPrefix" - - print_info "Install Githooks in '$installPrefix'." - githooks-cli installer --non-interactive --prefix "$installPrefix" - - git hooks config enable-containerized-hooks --global --set - git hooks config container-manager-types --global --set "podman,docker" - - print_info "Pull all shared Githooks repositories." - git hooks shared update - - export CI_GITHOOKS_INSTALL_PREFIX="$installPrefix" -} - function ci_setup_nix() { local install_prefix="${1:-/usr/sbin}" 
@@ -124,27 +88,6 @@ function ci_container_mgr() { fi } -# Define the container id `CI_JOB_CONTAINER_ID` where -# this job runs. Useful to mount same volumes as in -# this container with `ci_run_podman`. -function ci_container_mgr_setup() { - export CONTAINER_HOST="unix://var/run/podman.sock" - print_info "Container host: '$CONTAINER_HOST'" - - job_container_id=$(ci_container_mgr ps \ - --filter "label=com.gitlab.gitlab-runner.type=build" \ - --filter "label=com.gitlab.gitlab-runner.job.id=$CI_JOB_ID" \ - --filter "label=com.gitlab.gitlab-runner.project.id=$CI_PROJECT_ID" \ - --filter "label=com.gitlab.gitlab-runner.pipeline.id=$CI_PIPELINE_ID" \ - --format "{{ .ID }}") || - die "Could not find 'build' container for job id: '$CI_JOB_ID'." - - [ -n "$job_container_id" ] || die "Job id is empty." - - export CI_JOB_CONTAINER_ID="$job_container_id" - print_info "Job container id: '$CI_JOB_CONTAINER_ID'" -} - function ci_container_mgr_login() { local user="$1" local token="$2" 
@@ -154,49 +97,3 @@ function ci_container_mgr_login() { ci_container_mgr login --password-stdin --username "$user" || die "Could not log into docker." } - -# Run container mgr. In CI with volume mount from the -# current build container `CI_JOB_CONTAINER_ID`. -function ci_container_mgr_run() { - if ci_is_running; then - ci_container_mgr run --volumes-from "$CI_JOB_CONTAINER_ID" "$@" - else - ci_container_mgr run "$@" - fi -} - -function ci_container_mgr_run_mounted() { - local repo workspace_rel in_cmd - repo=$(git rev-parse --show-toplevel) - workspace_rel=$(cd "$1" && pwd) - workspace_rel=$(realpath --relative-to "$repo" "$workspace_rel") - - shift 1 - in_cmd=("$@") - - local mnt_args=() - local cmd=() - - if ! ci_is_running; then - cmd=("${in_cmd[@]}") - mnt_args+=(-v "$repo:/repo") - mnt_args+=(-w "/repo/$workspace_rel") - else - # Not needed to mount anything, since already existing - # under the same path as `repo`. - # - # All `/repo` and `/workspace` paths in - # command given are replaced with correct - # paths to mounted volume in CI - for arg in "${in_cmd[@]}"; do - cmd+=("$(echo "$arg" | - sed -E \ - -e "s@/workspace@$workspace_rel@g" \ - -e "s@/repo@$repo@g")") - done - - mnt_args+=(-w "$repo/$workspace_rel") - fi - - ci_container_mgr_run "${mnt_args[@]}" "${cmd[@]}" -} diff --git a/tools/lint-rust.sh b/tools/lint-rust.sh index 2a89c39..d81569f 100755 --- a/tools/lint-rust.sh +++ b/tools/lint-rust.sh @@ -16,8 +16,8 @@ print_warning "Currently warnings are not errors!" cargo clippy --no-deps -- -A clippy::needless_return "$@" || { - die "Rust clippy failed." git diff --name-status || true + die "Rust clippy failed." } print_info "Done." diff --git a/tools/nix/flake.nix b/tools/nix/flake.nix index 5162e6b..9e11f09 100644 --- a/tools/nix/flake.nix +++ b/tools/nix/flake.nix 
@@ -36,13 +36,11 @@ }; outputs = { - self, nixpkgs, - nixpkgsStable, flake-utils, rust-overlay, ... - } @ inputs: let + }: let rootDir = ./. + "../../.."; in flake-utils.lib.eachDefaultSystem @@ -101,12 +99,12 @@ }; packages = { - inherit rdf-protect; + rdf-protect = rdf-protect; images = { ci = (import ./images/ci.nix) { inherit pkgs; - devShellDrv = devShells.ci; + devShellDrv = devShells.default; }; rdf-protect = (import ./images/rdf-protect.nix) { diff --git a/tools/nix/images/ci.nix b/tools/nix/images/ci.nix index b1c7c35..43ded7a 100644 --- a/tools/nix/images/ci.nix +++ b/tools/nix/images/ci.nix @@ -2,15 +2,21 @@ pkgs, devShellDrv, ... -}: rec { - # The base image. - base = pkgs.dockerTools.buildNixShellImage { - name = "ghcr.io/sdsc-order/rdf-protect"; - tag = "ci-nix-1.0.0"; - drv = devShellDrv; - }; +}: let + version = "1.0.0"; # The version of these CI images. + image_name = "ghcr.io/sdsc-order/rdf-protect"; - format = base.override {tag = "ci-format-1.0.0";}; - lint = base.override {tag = "ci-lint-1.0.0";}; - build = base.override {tag = "ci-build-1.0.0";}; + buildImage = type: + pkgs.dockerTools.buildNixShellImage { + name = image_name; + tag = "ci-${type}-${version}"; + drv = devShellDrv; + }; +in rec { + format = buildImage "format"; + lint = buildImage "lint"; + build = buildImage "build"; + test = buildImage "test"; + package = buildImage "package"; + deploy = buildImage "deploy"; } diff --git a/tools/nix/images/rdf-protect.nix b/tools/nix/images/rdf-protect.nix index deb31d4..7b5304e 100644 --- a/tools/nix/images/rdf-protect.nix +++ b/tools/nix/images/rdf-protect.nix 
@@ -2,18 +2,14 @@ pkgs, rdf-protect, }: -pkgs.dockerTools.buildImage { +pkgs.dockerTools.buildLayeredImage { name = "ghcr.io/sdsc-ordes/rdf-protect"; tag = rdf-protect.version; - copyToRoot = pkgs.buildEnv { - name = "image-root"; - paths = [rdf-protect]; - pathsToLink = ["/bin"]; - }; + contents = [rdf-protect]; config = { - Entrypoint = ["/bin/rdf-protect"]; + Entrypoint = ["rdf-protect"]; WorkingDir = "/"; }; } diff --git a/tools/nix/pkgs/rdf-protect.json b/tools/nix/pkgs/rdf-protect.json deleted file mode 100644 index 64d7fb8..0000000 --- a/tools/nix/pkgs/rdf-protect.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "version": "0.0.1" -} diff --git a/tools/nix/pkgs/rdf-protect.nix b/tools/nix/pkgs/rdf-protect.nix index 8d74626..d7204c2 100644 --- a/tools/nix/pkgs/rdf-protect.nix +++ b/tools/nix/pkgs/rdf-protect.nix @@ -9,15 +9,18 @@ cargo = rustToolchain; rustc = rustToolchain; }; + + cargoFile = rootDir + "/Cargo.toml"; + lockFile = rootDir + "/Cargo.lock"; in rustPlatform.buildRustPackage { name = "rdf-protect"; src = rootDir; - version = (lib.importJSON ./rdf-protect.json).version; + version = (lib.importTOML cargoFile).package.version; cargoLock = { - lockFile = rootDir + "/Cargo.lock"; + inherit lockFile; }; meta = { From f5ca3342178fa6a1e6cd1b66768ec55bb3011430 Mon Sep 17 00:00:00 2001 
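Review bot: The image `config` sets no `User`, so containers built from this derivation run `rdf-protect` as root (uid 0), which is the default for `dockerTools` images; the tool only needs to read its input and write its output, so a numeric non-root user such as `User = "65534:65534";` next to `WorkingDir` is enough (numeric ids do not need an `/etc/passwd` in the image). The entrypoint also changed from `/bin/rdf-protect` to the bare `rdf-protect`, which in exec form relies on the runtime's PATH lookup rather than the image itself; as far as I recall `buildLayeredImage` still symlinks `contents` into the image root, so keeping `Entrypoint = ["/bin/rdf-protect"];` is the more robust choice and worth confirming against the built image.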
From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Thu, 4 Jul 2024 12:14:27 +0200 Subject: [PATCH 27/68] fix: review changes --- .github/workflows/normal.yaml | 2 +- justfile | 46 ++++++++----------- tools/build-image.sh | 8 ++-- .../scripts => tools/ci}/before-script.sh | 0 {.github => tools/ci}/images/Containerfile | 0 .../ci/upload-ci-images.sh | 0 tools/ci/{push-image.sh => upload-image.sh} | 4 +- tools/nix/flake.nix | 1 + tools/release.sh | 26 ++++++----- 9 files changed, 42 insertions(+), 45 deletions(-) rename {.github/scripts => tools/ci}/before-script.sh (100%) rename {.github => tools/ci}/images/Containerfile (100%) rename .github/scripts/upload-images.sh => tools/ci/upload-ci-images.sh (100%) rename tools/ci/{push-image.sh => upload-image.sh} (89%) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index d8e09b1..991ad15 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml @@ -153,7 +153,7 @@ jobs: - name: Push image (if release) run: | source .github/scripts/before-script.sh && - ./tools/ci/push-image.sh + tools/ci/upload-image.sh - name: Push tag (if release) run: | diff --git a/justfile b/justfile index 4aad53e..422a326 100644 --- a/justfile +++ b/justfile @@ -22,10 +22,26 @@ nix-develop *args: nix develop ./tools/nix#default --command "${cmd[@]}" ## Standard stuff ============================================================= +# Format the code. +format *args: + cd "{{root_dir}}" && \ + "{{root_dir}}/tools/format-rust.sh" {{args}} + +# Lint all code. +lint *args: + cd "{{root_dir}}" && \ + "{{root_dir}}/tools/lint-rust.sh" {{args}} + # Build the executable. build *args: cd "{{root_dir}}" && cargo build "${@:1}" +# Run the tests. +test: + cd "{{root_dir}}" && cargo test "${@:1}" + + +## Development functionality ================================================== # Watch source and continuously build the executable. watch: cd "{{root_dir}}" && cargo watch -x 'build' 
@@ -34,31 +50,6 @@ watch: run: cd "{{root_dir}}" && cargo run "${@:1}" -# Run the tests. -test: - cd "{{root_dir}}" && cargo test "${@:1}" - -# Format the code. -format *args: - cd "{{root_dir}}" && \ - "{{root_dir}}/tools/format-rust.sh" {{args}} - -# Format all files. -format-general *args: - # Not implemented yet. - # That should run all hooks which are configured by Githooks. - true - -# Lint all code. -lint *args: - cd "{{root_dir}}" && \ - "{{root_dir}}/tools/lint-rust.sh" {{args}} - -# Lint all code (undefined behavior). -lint-ub *args: - cd "{{root_dir}}" && \ - "{{root_dir}}/tools/lint-ub-rust.sh" {{args}} - # Create a new release for version `version` by # updating the version file and # triggering the release workflow. @@ -69,7 +60,6 @@ release version: ## CI stuff =================================================================== - # Build the nix package into the folder `package` (first argument). nix-package *args: cd "{{root_dir}}" && \ @@ -80,8 +70,8 @@ nix-image *args: cd "{{root_dir}}" && \ "./tools/build-image.sh" "$@" -# Upload all images for CI. +# Upload all images for CI (local machine) upload-ci-images: cd "{{root_dir}}" && \ - .github/scripts/upload-images.sh + tools/ci/upload-ci-images.sh ## ============================================================================ diff --git a/tools/build-image.sh b/tools/build-image.sh index 284b70a..7746829 100755 --- a/tools/build-image.sh +++ b/tools/build-image.sh @@ -8,7 +8,7 @@ set -euo pipefail ROOT_DIR=$(git rev-parse --show-toplevel) . "$ROOT_DIR/tools/general.sh" -VERSION_FILE=$("$ROOT_DIR/Cargo.toml") +VERSION_FILE="$ROOT_DIR/Cargo.toml" function clean_up() { if ! ci_is_running; then 
@@ -25,8 +25,10 @@ function main() { args=("$@") if ! ci_is_running || ! ci_is_release; then + print_info "Building image for development." + # Define the image version from Git SHA - version="0.0.0+$(git rev-parse --short=10 HEAD)" + version="0.0.0-dev.$(git rev-parse --short=7 HEAD)" # Write the temporary version file (gets restored...) dasel put -r toml -f "$VERSION_FILE" -t string -v "$version" .package.version @@ -47,7 +49,7 @@ function main() { image_name=$(nix eval --raw "./tools/nix#images.rdf-protect.imageName") image_tag=$(nix eval --raw "./tools/nix#images.rdf-protect.imageTag") - dir="build/image/$image_name|$image_tag.tar.gz" + dir="build/image/$image_name:$image_tag.tar.gz" cd "$ROOT_DIR" diff --git a/.github/scripts/before-script.sh b/tools/ci/before-script.sh similarity index 100% rename from .github/scripts/before-script.sh rename to tools/ci/before-script.sh diff --git a/.github/images/Containerfile b/tools/ci/images/Containerfile similarity index 100% rename from .github/images/Containerfile rename to tools/ci/images/Containerfile diff --git a/.github/scripts/upload-images.sh b/tools/ci/upload-ci-images.sh similarity index 100% rename from .github/scripts/upload-images.sh rename to tools/ci/upload-ci-images.sh diff --git a/tools/ci/push-image.sh b/tools/ci/upload-image.sh similarity index 89% rename from tools/ci/push-image.sh rename to tools/ci/upload-image.sh index 85e36a7..13b873c 100755 --- a/tools/ci/push-image.sh +++ b/tools/ci/upload-image.sh @@ -27,7 +27,9 @@ function main() { print_info "Uploading image: '$image_name' in '$image_path'." - print_info "Upload the build image from Nix to the registry" + print_info "Read the image from file '$image_path' and " \ + "directly push to registry '$image_name'." + skopeo \ --insecure-policy \ copy \ diff --git a/tools/nix/flake.nix b/tools/nix/flake.nix index 9e11f09..604bc4a 100644 --- a/tools/nix/flake.nix +++ b/tools/nix/flake.nix 
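Review bot: `skopeo --insecure-policy` disables the signature-policy check from `policy.json` for this copy; that is defensible here because the source is a locally built archive (the new print_info lines say as much), but the reason should be recorded so the flag is not cargo-culted into scripts that copy from a remote registry, e.g. `# --insecure-policy: the source is our own freshly built archive, no signature policy applies.` placed above the `skopeo` call. The `skopeo` invocation and `main` continue past the end of the hunk, so destination credential handling could not be reviewed here.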
@@ -78,6 +78,7 @@ just skopeo + dasel ]; # Things needed at runtime. diff --git a/tools/release.sh b/tools/release.sh index e0285c7..6901911 100755 --- a/tools/release.sh +++ b/tools/release.sh @@ -11,6 +11,9 @@ set -euo pipefail ROOT_DIR=$(git rev-parse --show-toplevel) . "$ROOT_DIR/tools/general.sh" +RELEASE_BRANCH="${RELEASE_BRANCH:-main}" +VERSION_FILE=$("$ROOT_DIR/Cargo.toml") + function delete_prepare_tags() { readarray -t prepareTag < <(git tag --list "prepare-*") @@ -25,17 +28,13 @@ function commit_version_file() { local version="$1" print_info "Writing new version file... (for Nix)" - temp=$(mktemp) - jq ".version |= \"$version\"" "$VERSION_FILE" >"$temp" - mv "$temp" "$VERSION_FILE" + dasel put -r toml -f "$VERSION_FILE" -t string -v "$version" .package.version - if ! git diff --quiet --exit-code; then - git add "$VERSION_FILE" - git commit -m "chore: update Nix package version to '$version'" - fi + git add "$VERSION_FILE" + git commit -m "chore: release '$version'" } -function create_tag() { +function create_prepare_tag() { tag="v$version" if git tag --list "v*" | grep -qE "^$tag$"; then print_info "Git tag '$tag' already exists." @@ -55,6 +54,7 @@ function create_tag() { } function trigger_build() { + local branch="$1" printf "Do you want to trigger the build? [y|n]: " read -r answer if [ "$answer" != "y" ]; then @@ -68,10 +68,12 @@ function trigger_build() { function main() { cd "$ROOT_DIR" - version="$1" + local version="$1" + + local branch branch=$(git branch --show-current) - if [ "$branch" != "main" ]; then + if [ "$branch" != "$RELEASE_BRANCH" ]; then die "Can only tag on 'main'." fi @@ -81,8 +83,8 @@ function main() { delete_prepare_tags commit_version_file "$version" - create_tag - trigger_build + create_prepare_tag + trigger_build "$branch" } main "$@" From a01ffcd0a743d19f9738448563fb93ab9f014af3 Mon Sep 17 00:00:00 2001 
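Review bot: `VERSION_FILE=$("$ROOT_DIR/Cargo.toml")` is a command substitution that tries to execute the manifest (the same mistake the `tools/build-image.sh` hunk in this patch corrects), so `VERSION_FILE` is empty and the later `dasel put -f ""` fails; it has to be a plain assignment, `VERSION_FILE="$ROOT_DIR/Cargo.toml"`. With `set -euo pipefail` in effect (visible as context) the failed substitution itself may already abort the script before the release starts.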
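Review bot: Dropping the `git diff --quiet --exit-code` guard makes `commit_version_file` call `git commit` unconditionally, and under the script's `set -euo pipefail` a "nothing to commit" exit status aborts the release whenever `dasel` writes the version that is already in `Cargo.toml`, which is exactly the re-run-after-a-failed-pipeline case. Keep the guard, `if ! git diff --quiet --exit-code; then git add "$VERSION_FILE" && git commit -m "chore: release '$version'"; fi`, or explicitly tolerate an unchanged manifest.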
From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 5 Jul 2024 08:51:14 +0200 Subject: [PATCH 28/68] fix: remove all unnecessary images --- .github/workflows/normal.yaml | 12 ++++++------ tools/ci/images/Containerfile | 25 ------------------------- 2 files changed, 6 insertions(+), 31 deletions(-) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index 991ad15..acfb4f6 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml @@ -33,7 +33,7 @@ jobs: format: runs-on: ubuntu-latest container: - image: ghcr.io/sdsc-ordes/rdf-protect:ci-format-1.0.0 + image: ghcr.io/sdsc-ordes/rdf-protect:ci-nix-1.0.0 steps: - name: Checkout uses: actions/checkout@v4 @@ -49,7 +49,7 @@ jobs: lint: runs-on: ubuntu-latest container: - image: ghcr.io/sdsc-ordes/rdf-protect:ci-lint-1.0.0 + image: ghcr.io/sdsc-ordes/rdf-protect:ci-nix-1.0.0 steps: - name: Checkout uses: actions/checkout@v4 @@ -74,7 +74,7 @@ jobs: build: runs-on: ubuntu-latest container: - image: ghcr.io/sdsc-ordes/rdf-protect:ci-build-1.0.0 + image: ghcr.io/sdsc-ordes/rdf-protect:ci-nix-1.0.0 steps: - name: Checkout uses: actions/checkout@v4 @@ -91,7 +91,7 @@ jobs: test: runs-on: ubuntu-latest container: - image: ghcr.io/sdsc-ordes/rdf-protect:ci-test-1.0.0 + image: ghcr.io/sdsc-ordes/rdf-protect:ci-nix-1.0.0 steps: - name: Checkout uses: actions/checkout@v4 @@ -106,7 +106,7 @@ jobs: package: runs-on: ubuntu-latest container: - image: ghcr.io/sdsc-ordes/rdf-protect:ci-package-1.0.0 + image: ghcr.io/sdsc-ordes/rdf-protect:ci-nix-1.0.0 if: ${{ ! input.is_release }} @@ -130,7 +130,7 @@ jobs: runs-on: ubuntu-latest needs: [format, lint, build, test] container: - image: ghcr.io/sdsc-ordes/rdf-protect:ci-deploy-1.0.0 + image: ghcr.io/sdsc-ordes/rdf-protect:ci-nix-1.0.0 if: ${{ input.is_release }} diff --git a/tools/ci/images/Containerfile b/tools/ci/images/Containerfile index 0473bc4..0b00737 100644 --- a/tools/ci/images/Containerfile +++ b/tools/ci/images/Containerfile 
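Review bot: Every job now pulls `ghcr.io/sdsc-ordes/rdf-protect:ci-nix-1.0.0`, a mutable tag that `tools/ci/upload-ci-images.sh` pushes with `ci_container_mgr push` and, according to the README added later in this series, overwrites by default; anyone who can push that package can therefore swap the toolchain that builds and, in `deploy`, publishes the release image without any change to this repository. Pin the image by digest, `image: ghcr.io/sdsc-ordes/rdf-protect:ci-nix-1.0.0@sha256:<digest>`, and bump the digest in a reviewed PR whenever the CI image is rebuilt.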
@@ -41,28 +41,3 @@ RUN [ "${CACHE_TOOLCHAIN}" = "false" ] || { cd /container-setup && \ nix --accept-flake-config \ build --no-link "./tools/nix#devShells.x86_64-linux.ci" && \ nix store optimise; } - - -# Format image. -# =============================================== -FROM ci-nix as ci-format - -# Lint image. -# =============================================== -FROM ci-nix as ci-lint - -# Build image. -# =============================================== -FROM ci-nix as ci-build - -# Test image. -# =============================================== -FROM ci-nix as ci-test - -# Package image. -# =============================================== -FROM ci-nix as ci-package - -# Deploy image. -# =============================================== -FROM ci-nix as ci-deploy From 4884f63b82aa322ead56ee7cc895637871d61d1a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 5 Jul 2024 09:24:54 +0200 Subject: [PATCH 29/68] fix: CI MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gabriel Nützi --- .github/workflows/normal.yaml | 28 ++++++++++++++-------------- justfile | 5 +---- src/main.rs | 1 - src/pass_first.rs | 11 +++++------ src/pass_second.rs | 6 ++++-- tools/ci/before-script.sh | 5 +---- tools/format-rust.sh | 2 -- tools/general.sh | 10 +++++++--- 8 files changed, 32 insertions(+), 36 deletions(-) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index acfb4f6..6872d5b 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml @@ -42,7 +42,7 @@ jobs: - name: Format run: | - source .github/scripts/before-script.sh && + source tools/ci/before-script.sh && cat justfile && just nix-develop just format 
@@ -58,13 +58,13 @@ jobs: - name: Lint run: | - source .github/scripts/before-script.sh && + source tools/ci/before-script.sh && just nix-develop just lint - name: Lint Undefined-Behavior continue-on-error: true run: | - source .github/scripts/before-script.sh && + source tools/ci/before-script.sh && just nix-develop just lint-ub - name: Allow to fail @@ -81,11 +81,11 @@ jobs: - name: build run: | - source .github/scripts/before-script.sh && + source tools/ci/before-script.sh && just nix-develop just build - name: tests run: | - source .github/scripts/before-script.sh && + source tools/ci/before-script.sh && just nix-develop just test test: @@ -100,7 +100,7 @@ jobs: - name: Test run: | - source .github/scripts/before-script.sh && + source tools/ci/before-script.sh && just nix-develop just test package: @@ -108,7 +108,7 @@ jobs: container: image: ghcr.io/sdsc-ordes/rdf-protect:ci-nix-1.0.0 - if: ${{ ! input.is_release }} + if: ${{ ! inputs.is_release }} steps: - name: Checkout @@ -118,12 +118,12 @@ jobs: - name: Build derivation with nix run: | - source .github/scripts/before-script.sh && + source tools/ci/before-script.sh && just nix-package - name: Build the image with nix run: | - source .github/scripts/before-script.sh && + source tools/ci/before-script.sh && just nix-package deploy: @@ -132,7 +132,7 @@ jobs: container: image: ghcr.io/sdsc-ordes/rdf-protect:ci-nix-1.0.0 - if: ${{ input.is_release }} + if: ${{ inputs.is_release }} steps: - name: Checkout 
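Review bot: The `Lint Undefined-Behavior` step still runs `just nix-develop just lint-ub`, but the justfile hunk in patch 27 (`fix: review changes`) removed the `lint-ub` recipe, so with `continue-on-error: true` this step now fails on every run and the failure is hidden. Either restore the recipe (it invoked `tools/lint-ub-rust.sh`) or delete the step, since a permanently red-but-ignored step trains people to stop reading the lint job. The `Allow to fail` step that follows is cut off by the hunk boundary.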
@@ -142,20 +142,20 @@ jobs: - name: Create version tag (if release) run: | - source .github/scripts/before-script.sh && + source tools/ci/before-script.sh && ./tools/ci/assert-tag.sh "$GITHUB_REF" - name: Build container image (nix) run: | - source .github/scripts/before-script.sh && + source tools/ci/before-script.sh && just nix-image - name: Push image (if release) run: | - source .github/scripts/before-script.sh && + source tools/ci/before-script.sh && tools/ci/upload-image.sh - name: Push tag (if release) run: | - source .github/scripts/before-script.sh && + source tools/ci/before-script.sh && ./tools/ci/assert-tag.sh --push "$GITHUB_REF" diff --git a/justfile b/justfile index 422a326..c48be72 100644 --- a/justfile +++ b/justfile @@ -6,10 +6,6 @@ root_dir := `git rev-parse --show-toplevel` # You can chose either "podman" or "docker". container_mgr := "podman" -# Deterministic steps such as `lint`, `format` -# will run -use_container := "" - # Default recipe to list all recipes. default: just --list @@ -73,5 +69,6 @@ nix-image *args: # Upload all images for CI (local machine) upload-ci-images: cd "{{root_dir}}" && \ + CONTAINER_MGR="$container_mgr" \ tools/ci/upload-ci-images.sh ## ============================================================================ diff --git a/src/main.rs b/src/main.rs index 023439e..a24b009 100644 --- a/src/main.rs +++ b/src/main.rs @@ -86,7 +86,6 @@ fn main() { Subcommands::Pseudo(args) => { info!(log, "Args: {:?}", args); pseudonymize_graph(&log, &args.input, &args.config, &args.output, &args.index) - } } } diff --git a/src/pass_first.rs b/src/pass_first.rs index fb378e2..148db6d 100644 --- a/src/pass_first.rs +++ b/src/pass_first.rs 
@@ -1,10 +1,9 @@ -use std::path::Path; -use std::io::{BufRead, BufReader, stdin, Write}; -use rio_api::{ - parser::TriplesParser, - model::Triple, -}; +use rio_api::{model::Triple, parser::TriplesParser}; use rio_turtle::TurtleError; +use std::{ + io::{stdin, BufRead, BufReader, Write}, + path::Path, +}; use crate::io; diff --git a/src/pass_second.rs b/src/pass_second.rs index 6d366c2..54afdbd 100644 --- a/src/pass_second.rs +++ b/src/pass_second.rs @@ -1,7 +1,9 @@ use rio_api::{model::Triple, parser::TriplesParser}; use rio_turtle::TurtleError; use std::{ - collections::HashMap, io::{BufRead, Write}, path::Path + collections::HashMap, + io::{BufRead, Write}, + path::Path, }; use crate::{ @@ -12,7 +14,7 @@ use crate::{ }; fn mask_triple(triple: &Triple) -> TripleMask { - return TripleMask::SUBJECT + return TripleMask::SUBJECT; } // mask and encode input triple diff --git a/tools/ci/before-script.sh b/tools/ci/before-script.sh index be80a6c..cd8cf80 100755 --- a/tools/ci/before-script.sh +++ b/tools/ci/before-script.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash # shellcheck disable=SC1090,SC1091 -# This script is sourced. +# This script is sourced in each step. set -u git config --global safe.directory "*" || { @@ -14,7 +14,4 @@ ROOT_DIR=$(git rev-parse --show-toplevel) print_info "Current dir: '$(pwd)'" print_info "Running as user: $(id)" -# ci_container_mgr_setup -# - unset ROOT_DIR diff --git a/tools/format-rust.sh b/tools/format-rust.sh index 467e803..c2a8d8f 100755 --- a/tools/format-rust.sh +++ b/tools/format-rust.sh @@ -16,8 +16,6 @@ fi cargo --version cargo fmt --version -git diff --name-status - print_info "Run Rust format." cargo fmt "${fmt_args[@]}" "$@" diff --git a/tools/general.sh b/tools/general.sh index a075815..8e82f7d 100755 --- a/tools/general.sh +++ b/tools/general.sh 
@@ -78,10 +78,14 @@ function ci_setup_nix() { } # Run the container manager which is defined. +# in env. variable `CONTAINER_MGR` +# (by default `podman` if existing). function ci_container_mgr() { - if command -v podman &>/dev/null; then - echo -e "Running podman as:\n$(printf "'%s' " "podman" "$@")" >&2 - podman "$@" + local mgr="${CONTAINER_MGR:-podman}" + + if command -v "$mgr" &>/dev/null; then + echo -e "Running '$mgr' as:\n$(printf "'%s' " "podman" "$@")" >&2 + "$mgr" "$@" else echo -e "Running docker as:\n$(printf "'%s' " "docker" "$@")" docker "$@" From 7dbf8b4c5a378856b900b7b416c343483497de64 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 5 Jul 2024 10:50:31 +0200 Subject: [PATCH 30/68] fix: Correct release script --- Cargo.lock | 2 +- Cargo.toml | 39 +++++++++++----------- README.md | 64 ++++++++++++++++++++++++++++++------ justfile | 12 ++++--- tools/ci/upload-ci-images.sh | 4 +-- tools/release.sh | 63 +++++++++++++++++++++++++++-------- 6 files changed, 134 insertions(+), 50 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 1c01368..3a22d02 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -351,7 +351,7 @@ dependencies = [ [[package]] name = "rdf-protect" -version = "0.1.0" +version = "0.0.1" dependencies = [ "bitflags", "clap", diff --git a/Cargo.toml b/Cargo.toml index 33b985f..9218930 100644 --- a/Cargo.toml +++ b/Cargo.toml 
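Review bot: The log line in the `$mgr` branch still hard-codes `"podman"` in `printf "'%s' " "podman" "$@"`, so with `CONTAINER_MGR=docker` it prints `Running 'docker' as: 'podman' run ...`; it should read `echo -e "Running '$mgr' as:\n$(printf "'%s' " "$mgr" "$@")" >&2`. The docker fallback also echoes to stdout instead of `>&2` like the first branch, which pollutes callers that capture the manager's output with `$(...)`, so make it `echo -e "Running docker as:\n$(printf "'%s' " "docker" "$@")" >&2`. Finally, falling back to `docker` when the user explicitly requested another manager is surprising; a `die "Container manager '$mgr' not found."` would be clearer.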
@@ -1,22 +1,23 @@ -[package] -name = "rdf-protect" -version = "0.1.0" -edition = "2021" +[dependencies] + bitflags = '2.5.0' + io-enum = '1.1.3' + rio_api = '0.8.4' + rio_turtle = '0.8.4' + serde_yml = '0.0.10' + slog = '2.7.0' + slog-async = '2.8.0' + slog-term = '2.9.0' + tempfile = '3.10.1' -# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html + [dependencies.clap] + features = ['derive'] + version = '4.5.7' -[dependencies] -# Good logging library. -slog = "2.7.0" -slog-term = "2.9.0" -slog-async = "2.8.0" + [dependencies.serde] + features = ['derive'] + version = '1.0' -# Popular serialization library. -serde = { version = "1.0", features = ['derive']} -clap = { version = "4.5.7", features = ["derive"] } -rio_turtle = "0.8.4" -rio_api = "0.8.4" -bitflags = "2.5.0" -io-enum = "1.1.3" -serde_yml = "0.0.10" -tempfile = "3.10.1" +[package] + edition = '2021' + name = 'rdf-protect' + version = '0.0.1' diff --git a/README.md b/README.md index 90c276a..bcd6f12 100644 --- a/README.md +++ b/README.md @@ -56,7 +56,12 @@ The general command-line interface outlines the two main steps of the tool, indexing and pseudonymization: ```shell -$ rdf-protect --help +rdf-protect --help +``` + +which outputs + +```text A tool to pseudonymize URIs and values in RDF graphs. Usage: rdf-protect 
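Review bot: This hunk does not look like a hand edit: the manifest was rewritten wholesale (comments dropped, tables reordered, double quotes turned into single quotes, keys indented) and the package version went from `0.1.0` down to `0.0.1`, which is most likely the output of the `dasel put` calls in `tools/release.sh` or `tools/build-image.sh` rather than an intended change — please confirm the version downgrade is wanted before merging. If the scripts are to keep editing `Cargo.toml`, limiting the write to the `version` key under `[package]` (a targeted `sed` on that single line, or `cargo set-version` from cargo-edit) would keep future manifest diffs reviewable and preserve the dependency comments.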
@@ -74,17 +79,16 @@ Options: Indexing only requires an RDF file as input: ```shell -$ rdf-protect index input.nt > index.nt +rdf-protect index input.nt > index.nt ``` Pseudonomyzation requires an RDF file, index and config as input: ```shell -$ rdf-protect pseudo --index index.nt --config rules.yaml input.nt > output.nt +rdf-protect pseudo --index index.nt --config rules.yaml input.nt > output.nt ``` -> [!TIP] -> For each subcommand, you can use `--help` to see all options. +> [!TIP] For each subcommand, you can use `--help` to see all options. In both subcommands, the input defaults to stdin and the output to stdout, allowing to pipe both up- and downstream `rdf-protect` (see next section). @@ -113,12 +117,12 @@ There are three possible ways to pseudonymize RDF triples: 2. Pseudonymize values for specific subject-predicate combinations. 3. Pseudonymize any value for a given predicate. - By using all three ways together, we're able to get an RDF file with sensitive information: +
Click to show input - + ```ntriples . . @@ -137,7 +141,7 @@ secret information while keeping the rest as is:
Click to show output - + ``` . . @@ -158,7 +162,7 @@ better understand how they operate.
Click to show - + Given the following config: ```yaml @@ -245,6 +249,7 @@ Would become: . "38a3dd71" . ``` +
## Development @@ -271,7 +276,7 @@ If you have the package manager enter a development setup easily with ```shell -nix develop ./nix#default +nix ./tools/nix#default ``` or `just nix-develop` or automatically when [`direnv`](https://direnv.net) is @@ -312,3 +317,42 @@ To run the tests do ```shell just test ``` + +### Build the Package & Image + +To build the package with Nix run: + +```shell +just nix-package +``` + +To build the image with Nix run: + +```shell +just nix-image +``` + +### Upload CI Images + +CI is run with some container images which can be updated with: + +```shell +just upload-ci-images [] [] +``` + +where the `` should be a semantic version. **Note: By default it will +upload and overwrite the current version.** + +### Prepare a Release + +To prepare a release you can execute: + +```shell +just release [patch|minor|major] +``` + +It will: + +- Update the `Cargo.toml` and make a commit on `main`. + +- Push a prepare tag `prepare-v` where diff --git a/justfile b/justfile index c48be72..0a98fcc 100644 --- a/justfile +++ b/justfile @@ -46,11 +46,15 @@ watch: run: cd "{{root_dir}}" && cargo run "${@:1}" -# Create a new release for version `version` by -# updating the version file and -# triggering the release workflow. +# Create a new release by version bumping. +# Usage: +# ```shell +# just release +# ``` +# by updating the version file and triggering the release workflow. release version: cd "{{root_dir}}" && \ + CONTAINER_MGR="{{container_mgr}}" \ "{{root_dir}}/tools/release.sh" "{{version}}" ## ============================================================================ @@ -69,6 +73,6 @@ nix-image *args: # Upload all images for CI (local machine) upload-ci-images: cd "{{root_dir}}" && \ - CONTAINER_MGR="$container_mgr" \ + CONTAINER_MGR="{{container_mgr}}" \ tools/ci/upload-ci-images.sh ## ============================================================================ 
diff --git a/tools/ci/upload-ci-images.sh b/tools/ci/upload-ci-images.sh index 3edbbd0..56c04fe 100755 --- a/tools/ci/upload-ci-images.sh +++ b/tools/ci/upload-ci-images.sh @@ -27,8 +27,8 @@ function build_ci_image() { ci_container_mgr push "$image_name" || die "Could not upload image." } -repository="${1:-ghcr.io/sdsc-ordes/rdf-protect}" -tag="${2:-1.0.0}" +tag="${1:-1.0.0}" +repository="${2:-ghcr.io/sdsc-ordes/rdf-protect}" container_file="$DIR/../images/Containerfile" if [ "${CI:-}" = "true" ]; then diff --git a/tools/release.sh b/tools/release.sh index 6901911..0fad4d9 100755 --- a/tools/release.sh +++ b/tools/release.sh @@ -12,7 +12,7 @@ ROOT_DIR=$(git rev-parse --show-toplevel) . "$ROOT_DIR/tools/general.sh" RELEASE_BRANCH="${RELEASE_BRANCH:-main}" -VERSION_FILE=$("$ROOT_DIR/Cargo.toml") +VERSION_FILE="$ROOT_DIR/Cargo.toml" function delete_prepare_tags() { readarray -t prepareTag < <(git tag --list "prepare-*") @@ -30,21 +30,15 @@ function commit_version_file() { dasel put -r toml -f "$VERSION_FILE" -t string -v "$version" .package.version - git add "$VERSION_FILE" - git commit -m "chore: release '$version'" + if ! git diff --exit-code --quiet; then + # Commit if we have change. + git add "$VERSION_FILE" + git commit -m "chore: release '$version'" + fi } function create_prepare_tag() { tag="v$version" - if git tag --list "v*" | grep -qE "^$tag$"; then - print_info "Git tag '$tag' already exists." - exit 1 - fi - - if git ls-remote "refs/tags/v*" | grep -qE "^$tag$"; then - print_info "Git tag '$tag' already exists." - exit 1 - fi print_info "Tagging..." git tag -a -m "Version $tag" "prepare-$tag" 
@@ -65,6 +59,43 @@ function trigger_build() { git push -f origin --no-follow-tags "$branch" "prepare-$tag" } +function check_new_version() { + local new_version="$1" # Reference to parent scoped variable. + + # Check that is a version. + if [ "$(ci_container_mgr run --rm alpine/semver semver "$new_version" | tail -1)" != "$new_version" ]; then + die "Your version '$new_version' is not sem. version compliant." + fi + + if git tag --list "v*" | grep -qE "^v$new_version$"; then + die "Git tag '$tag' already exists locally." + fi + + # Get all remote versions. + local remote_versions=() + readarray -t remote_versions < \ + <(git ls-remote origin "regs/tags/v*" | cut -f 2 | sed "s@/refs/tags/v@@g") + + # shellcheck disable=SC2128 + if [ "${#remote_versions[@]}" = "0" ]; then + # No version tags yet. Its ok. + return 0 + fi + + if echo "${remote_versions[@]}" | grep "$new_version"; then + die "Remote already contains version tag 'v$new_version'". + fi + + # Sort the versions. + # The top version must be the new one! + latest=$(ci_container_mgr run --rm alpine/semver semver "${remote_versions[@]}" "$new_version" | tail -1) + + if [ "$latest" != "$new_version" ]; then + die "Your version '$new_version' is not newer than the remote ones:" \ + "${remote_versions[@]}" + fi +} + function main() { cd "$ROOT_DIR" @@ -73,8 +104,8 @@ function main() { local branch branch=$(git branch --show-current) - if [ "$branch" != "$RELEASE_BRANCH" ]; then - die "Can only tag on 'main'." + if [ "$branch" != "$RELEASE_BRANCH" ] && [ "${FORCE_RELEASE:-}" != "true" ]; then + die "Can only tag on 'main'. Use 'FORCE_RELEASE=true'." fi if ! git diff --quiet --exit-code; then @@ -82,8 +113,12 @@ function main() { fi delete_prepare_tags + + check_new_version "$version" + commit_version_file "$version" create_prepare_tag + trigger_build "$branch" } From 448320fcaceb69f017173c408fd4cfd585bc485d Mon Sep 17 00:00:00 2001 
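Review bot: `check_new_version` cannot enforce what it promises: `git ls-remote origin "regs/tags/v*"` has a typo (`regs`), and even with `refs` the `sed` pattern `/refs/tags/v` never matches the `cut -f 2` output (`refs/tags/v1.0.0`, no leading slash), so `remote_versions` is always empty and both the duplicate-tag and the is-newer checks are silently skipped; annotated tags additionally produce peeled `refs/tags/v1.0.0^{}` lines unless `--refs` is passed. The local check then dies with an unset `$tag`, and `echo ... | grep "$new_version"` is an unanchored substring match that also echoes to stdout. The decision further trusts the unpinned `alpine/semver` image from Docker Hub; pin it by tag or digest so a release gate does not depend on whatever `:latest` resolves to that day. The rewritten lines below fix the remote query, the messages and the matching; the final semver comparison is unchanged.
```shell
function check_new_version() {
    local new_version="$1"
    local tag="v$new_version"

    # … unchanged: semver-compliance check via alpine/semver (pin the image) …

    if git tag --list "v*" | grep -qxF "$tag"; then
        die "Git tag '$tag' already exists locally."
    fi

    # Remote tags as `<sha>\trefs/tags/v<version>`; `--refs` drops the peeled `^{}` entries.
    local remote_versions=()
    readarray -t remote_versions < \
        <(git ls-remote --tags --refs origin "refs/tags/v*" | cut -f 2 | sed "s@^refs/tags/v@@")

    if [ "${#remote_versions[@]}" = "0" ]; then
        # No version tags yet. Its ok.
        return 0
    fi

    if printf '%s\n' "${remote_versions[@]}" | grep -qxF "$new_version"; then
        die "Remote already contains version tag '$tag'."
    fi

    local latest
    # … unchanged: sort with alpine/semver and die if $new_version is not the newest …
}
```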
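Review bot: The new message `die "Can only tag on 'main'. Use 'FORCE_RELEASE=true'."` hard-codes `main` while the check compares against `$RELEASE_BRANCH`, so it misleads anyone who set that variable; use `die "Can only tag on '$RELEASE_BRANCH'. Use 'FORCE_RELEASE=true' to override."`. More importantly, once the branch check is bypassed the script proceeds to `trigger_build`, whose `git push -f origin --no-follow-tags "$branch" "prepare-$tag"` (visible as context at the top of the previous hunk) force-pushes the current branch together with the tag, which can discard commits others pushed to that branch since the last fetch. Restrict the force to the prepare tag, e.g. `git push origin --no-follow-tags "$branch" && git push -f origin "prepare-$tag"`, or use `--force-with-lease`.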
From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 5 Jul 2024 11:30:42 +0200 Subject: [PATCH 31/68] fix: no concurrency for prepare tagging --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 706a6df..382c3fd 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,7 +1,7 @@ name: Main and PR Pipeline concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + group: ${{ github.ref }} cancel-in-progress: true defaults: From 6d5e5534caf29ad50ba5ef2ffc0aae82d89dde39 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 5 Jul 2024 11:35:26 +0200 Subject: [PATCH 32/68] fix: permissions and readme --- README.md | 8 ++++++-- tools/ci/assert-tag.sh | 0 2 files changed, 6 insertions(+), 2 deletions(-) mode change 100644 => 100755 tools/ci/assert-tag.sh diff --git a/README.md b/README.md index bcd6f12..1fdec2f 100644 --- a/README.md +++ b/README.md @@ -348,11 +348,15 @@ upload and overwrite the current version.** To prepare a release you can execute: ```shell -just release [patch|minor|major] +just release ``` It will: +- Check that the version is sem. version and the version does not exists (local + and remote) and it is newer then all remote version. + - Update the `Cargo.toml` and make a commit on `main`. -- Push a prepare tag `prepare-v` where +- Push a prepare tag `prepare-v` which triggers the + [`release.yaml`](.github/workflows/release.yaml) pipeline. diff --git a/tools/ci/assert-tag.sh b/tools/ci/assert-tag.sh old mode 100644 new mode 100755 From a26f21c0cab5fdc6af2acf4d880418776fe6bba7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 5 Jul 2024 11:41:44 +0200 Subject: [PATCH 33/68] fix: setting Git user/email address --- .github/workflows/normal.yaml | 2 +- tools/ci/before-script.sh | 2 ++ tools/general.sh | 5 +++++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index 6872d5b..70a48a4 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml @@ -128,7 +128,7 @@ jobs: deploy: runs-on: ubuntu-latest - needs: [format, lint, build, test] + # needs: [format, lint, build, test] container: image: ghcr.io/sdsc-ordes/rdf-protect:ci-nix-1.0.0 diff --git a/tools/ci/before-script.sh b/tools/ci/before-script.sh index cd8cf80..5d2b1ea 100755 --- a/tools/ci/before-script.sh +++ b/tools/ci/before-script.sh @@ -14,4 +14,6 @@ ROOT_DIR=$(git rev-parse --show-toplevel) print_info "Current dir: '$(pwd)'" print_info "Running as user: $(id)" +ci_setup_git + unset ROOT_DIR diff --git a/tools/general.sh b/tools/general.sh index 8e82f7d..068bcd7 100755 --- a/tools/general.sh +++ b/tools/general.sh @@ -61,6 +61,11 @@ function ci_is_release() { return 1 } +function ci_setup_git() { + git config --global user.name "SDSC CI" + git config --global user.email "ci@sdsc.ethz.ch" +} + function ci_setup_nix() { local install_prefix="${1:-/usr/sbin}" From 0955303c60e26c56b865fca84e55f87caeeddd9b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 5 Jul 2024 11:58:46 +0200 Subject: [PATCH 34/68] fix: remove before script --- .github/workflows/normal.yaml | 51 ++++++++++++--------- README.md | 3 ++ tools/ci/{before-script.sh => setup-git.sh} | 5 -- 3 files changed, 33 insertions(+), 26 deletions(-) rename tools/ci/{before-script.sh => setup-git.sh} (78%) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index 70a48a4..7c51518 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml 
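Review bot: Commenting out `needs: [format, lint, build, test]` means the `deploy` job, which builds and pushes the release image and the version tag, now runs in parallel with and independently of the lint, build and test jobs, so a release can be published from a commit whose tests fail. If this is a temporary measure while the Git setup is being debugged it needs a `# TODO(ci): restore once setup-git works in the deploy container` comment with the reason; otherwise restore `needs: [format, lint, build, test]` before the next release is cut.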
@@ -40,10 +40,12 @@ jobs: with: fetch-depth: 0 + - name: Setup Git + run: | + just nix-develop ./tools/ci/setup-git.sh + - name: Format run: | - source tools/ci/before-script.sh && - cat justfile && just nix-develop just format lint: @@ -56,15 +58,17 @@ jobs: with: fetch-depth: 0 + - name: Setup Git + run: | + just nix-develop ./tools/ci/setup-git.sh + - name: Lint run: | - source tools/ci/before-script.sh && just nix-develop just lint - name: Lint Undefined-Behavior continue-on-error: true run: | - source tools/ci/before-script.sh && just nix-develop just lint-ub - name: Allow to fail @@ -78,14 +82,18 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Setup Git + run: | + just nix-develop ./tools/ci/setup-git.sh - name: build run: | - source tools/ci/before-script.sh && just nix-develop just build - name: tests run: | - source tools/ci/before-script.sh && just nix-develop just test test: @@ -98,9 +106,12 @@ jobs: with: fetch-depth: 0 + - name: Setup Git + run: | + just nix-develop ./tools/ci/setup-git.sh + - name: Test run: | - source tools/ci/before-script.sh && just nix-develop just test package: @@ -116,15 +127,13 @@ jobs: with: fetch-depth: 0 - - name: Build derivation with nix + - name: Setup Git run: | - source tools/ci/before-script.sh && - just nix-package + just nix-develop ./tools/ci/setup-git.sh - - name: Build the image with nix + - name: Build derivation with nix run: | - source tools/ci/before-script.sh && - just nix-package + just nix-develop just nix-package deploy: runs-on: ubuntu-latest 
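Review bot: The same three-line `Setup Git` step is now copied into five jobs, so the next change to the setup command (and this series already changes it several times) has to be applied to every copy. A composite action under `.github/actions/` or a reusable workflow would keep one definition; at minimum, keep the step text identical across jobs so a grep finds all of them. The `build` job also gains `fetch-depth: 0` here, which turns its checkout into a full-history clone — a short comment on why it is needed (tag checks, presumably) would help.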
@@ -140,22 +149,22 @@ jobs: with: fetch-depth: 0 + - name: Setup Git + run: | + just nix-develop ./tools/ci/setup-git.sh + - name: Create version tag (if release) run: | - source tools/ci/before-script.sh && - ./tools/ci/assert-tag.sh "$GITHUB_REF" + just nix-develop ./tools/ci/assert-tag.sh "$GITHUB_REF" - name: Build container image (nix) run: | - source tools/ci/before-script.sh && - just nix-image + just nix-develop just nix-image - name: Push image (if release) run: | - source tools/ci/before-script.sh && - tools/ci/upload-image.sh + just nix-develop tools/ci/upload-image.sh - name: Push tag (if release) run: | - source tools/ci/before-script.sh && - ./tools/ci/assert-tag.sh --push "$GITHUB_REF" + just nix-develop ./tools/ci/assert-tag.sh --push "$GITHUB_REF" diff --git a/README.md b/README.md index 1fdec2f..54792d7 100644 --- a/README.md +++ b/README.md @@ -360,3 +360,6 @@ It will: - Push a prepare tag `prepare-v` which triggers the [`release.yaml`](.github/workflows/release.yaml) pipeline. + +**Note: If the release pipeline fails, you can just run this same command again. +Also rerun it when you made a mistake, it will cancel the current release.** diff --git a/tools/ci/before-script.sh b/tools/ci/setup-git.sh similarity index 78% rename from tools/ci/before-script.sh rename to tools/ci/setup-git.sh index 5d2b1ea..20f1f85 100755 --- a/tools/ci/before-script.sh +++ b/tools/ci/setup-git.sh @@ -11,9 +11,4 @@ git config --global safe.directory "*" || { ROOT_DIR=$(git rev-parse --show-toplevel) . "$ROOT_DIR/tools/general.sh" -print_info "Current dir: '$(pwd)'" -print_info "Running as user: $(id)" - ci_setup_git - -unset ROOT_DIR From 6edb881b86e92541538af578b560036ba367b24b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 5 Jul 2024 12:04:20 +0200 Subject: [PATCH 35/68] fix: git troubles --- .github/workflows/normal.yaml | 12 ++++++------ README.md | 3 ++- 2 files changed, 8 insertions(+), 7 deletions(-) 
diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index 7c51518..1c00e07 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml @@ -42,7 +42,7 @@ jobs: - name: Setup Git run: | - just nix-develop ./tools/ci/setup-git.sh + ./tools/ci/setup-git.sh - name: Format run: | @@ -60,7 +60,7 @@ jobs: - name: Setup Git run: | - just nix-develop ./tools/ci/setup-git.sh + ./tools/ci/setup-git.sh - name: Lint run: | @@ -87,7 +87,7 @@ jobs: - name: Setup Git run: | - just nix-develop ./tools/ci/setup-git.sh + ./tools/ci/setup-git.sh - name: build run: | @@ -108,7 +108,7 @@ jobs: - name: Setup Git run: | - just nix-develop ./tools/ci/setup-git.sh + ./tools/ci/setup-git.sh - name: Test run: | @@ -129,7 +129,7 @@ jobs: - name: Setup Git run: | - just nix-develop ./tools/ci/setup-git.sh + ./tools/ci/setup-git.sh - name: Build derivation with nix run: | @@ -151,7 +151,7 @@ jobs: - name: Setup Git run: | - just nix-develop ./tools/ci/setup-git.sh + ./tools/ci/setup-git.sh - name: Create version tag (if release) run: | diff --git a/README.md b/README.md index 54792d7..52e2b4e 100644 --- a/README.md +++ b/README.md @@ -362,4 +362,5 @@ It will: [`release.yaml`](.github/workflows/release.yaml) pipeline. **Note: If the release pipeline fails, you can just run this same command again. -Also rerun it when you made a mistake, it will cancel the current release.** +Also rerun it when you made a mistake, it will cancel the current release (works +also when `--amend`ing on the current commit)** From 3e50ef3063b9dff21a3715acd50e23981b1c6138 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 5 Jul 2024 12:09:10 +0200 Subject: [PATCH 36/68] fix: pre-cache nix store --- .github/workflows/normal.yaml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index 1c00e07..3e59baf 100644 --- a/.github/workflows/normal.yaml 
+++ b/.github/workflows/normal.yaml @@ -40,9 +40,10 @@ jobs: with: fetch-depth: 0 - - name: Setup Git + - name: Setup Git & Cache Nix run: | ./tools/ci/setup-git.sh + just nix-develop git --version - name: Format run: | @@ -58,9 +59,10 @@ jobs: with: fetch-depth: 0 - - name: Setup Git + - name: Setup Git & Cache Nix run: | ./tools/ci/setup-git.sh + just nix-develop git --version - name: Lint run: | @@ -85,9 +87,10 @@ jobs: with: fetch-depth: 0 - - name: Setup Git + - name: Setup Git & Cache Nix run: | ./tools/ci/setup-git.sh + just nix-develop git --version - name: build run: | @@ -106,9 +109,10 @@ jobs: with: fetch-depth: 0 - - name: Setup Git + - name: Setup Git & Cache Nix run: | ./tools/ci/setup-git.sh + just nix-develop git --version - name: Test run: | @@ -130,6 +134,7 @@ jobs: - name: Setup Git run: | ./tools/ci/setup-git.sh + just nix-develop git --version - name: Build derivation with nix run: | @@ -149,9 +154,10 @@ jobs: with: fetch-depth: 0 - - name: Setup Git + - name: Setup Git & Cache run: | ./tools/ci/setup-git.sh + just nix-develop git --version - name: Create version tag (if release) run: | From 4bacf871fc85d91e506ec477249196c3842ea13f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 5 Jul 2024 12:18:57 +0200 Subject: [PATCH 37/68] fix: path/string issues in Nix --- .github/workflows/normal.yaml | 9 +++++++-- tools/build-image.sh | 2 +- tools/build-package.sh | 3 ++- tools/nix/flake.nix | 3 ++- tools/nix/pkgs/rdf-protect.nix | 6 +++--- 5 files changed, 15 insertions(+), 8 deletions(-) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index 3e59baf..13a5115 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml 
@@ -136,12 +136,17 @@ jobs: ./tools/ci/setup-git.sh just nix-develop git --version - - name: Build derivation with nix + - name: Build package (nix) run: | just nix-develop just nix-package + - name: Build container image (nix) + run: | + just nix-develop just nix-image + deploy: runs-on: ubuntu-latest + # TODO: uncomment this # needs: [format, lint, build, test] container: image: ghcr.io/sdsc-ordes/rdf-protect:ci-nix-1.0.0 @@ -154,7 +159,7 @@ jobs: with: fetch-depth: 0 - - name: Setup Git & Cache + - name: Setup Git & Nix Cache run: | ./tools/ci/setup-git.sh just nix-develop git --version diff --git a/tools/build-image.sh b/tools/build-image.sh index 7746829..09b13fd 100755 --- a/tools/build-image.sh +++ b/tools/build-image.sh @@ -54,7 +54,7 @@ function main() { cd "$ROOT_DIR" print_info "Building image '$dir'." - nix build "./tools/nix#images.rdf-protect" \ + nix build -L "./tools/nix#images.rdf-protect" \ --out-link "$dir" "${args[@]}" } diff --git a/tools/build-package.sh b/tools/build-package.sh index f492709..499fdbd 100755 --- a/tools/build-package.sh +++ b/tools/build-package.sh @@ -13,6 +13,7 @@ cd "$ROOT_DIR" dir="build/package" print_info "Building the package." -nix build "./tools/nix#rdf-protect" \ +nix --version +nix build -L "./tools/nix#rdf-protect" \ --out-link "$dir" \ "$@" diff --git a/tools/nix/flake.nix b/tools/nix/flake.nix index 604bc4a..8f502a0 100644 --- a/tools/nix/flake.nix +++ b/tools/nix/flake.nix @@ -41,7 +41,8 @@ rust-overlay, ... }: let - rootDir = ./. + "../../.."; + # This is string (without toString it would be a `path` which is put into the store) + rootDir = toString ./. + "../../.."; in flake-utils.lib.eachDefaultSystem # Creates an attribute map `{ devShells..default = ...}` diff --git a/tools/nix/pkgs/rdf-protect.nix b/tools/nix/pkgs/rdf-protect.nix index d7204c2..fbb6aff 100644 --- a/tools/nix/pkgs/rdf-protect.nix +++ b/tools/nix/pkgs/rdf-protect.nix 
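Review bot: `toString ./. + "../../.."` has no path separator between the flake directory and the parent references, so `rootDir` becomes `<flake-dir>../../..` — a nonexistent component named `nix..` — rather than `<flake-dir>/../../..`. Nix's lexical normalization happens to collapse both spellings to the same ancestor, which would explain why `/. + rootDir` in the `tools/nix/pkgs/rdf-protect.nix` hunk appears to work, but anything that hands the string to the filesystem or a shell will fail on the `nix..` component, and it may well be the "weird behaviour" chased in the following commits. `rootDir = toString ../../..;` (or `toString ./. + "/../../.."`) is unambiguous. I would also reword the new comment to `# A string, not a path: a path value would be copied into the Nix store.`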
@@ -10,12 +10,12 @@ rustc = rustToolchain; }; - cargoFile = rootDir + "/Cargo.toml"; - lockFile = rootDir + "/Cargo.lock"; + cargoFile = /. + rootDir + "/Cargo.toml"; + lockFile = /. + rootDir + "/Cargo.lock"; in rustPlatform.buildRustPackage { name = "rdf-protect"; - src = rootDir; + src = /. + rootDir; version = (lib.importTOML cargoFile).package.version; From d49246f4c83e80cb2a97f774f75d322716659fb4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 5 Jul 2024 12:28:01 +0200 Subject: [PATCH 38/68] fix: CI --- tools/build-image.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/build-image.sh b/tools/build-image.sh index 09b13fd..b3c6c7a 100755 --- a/tools/build-image.sh +++ b/tools/build-image.sh @@ -54,6 +54,7 @@ function main() { cd "$ROOT_DIR" print_info "Building image '$dir'." + nix --version nix build -L "./tools/nix#images.rdf-protect" \ --out-link "$dir" "${args[@]}" } From 97a8a869e19e82af25d1a42e542e73a751871d64 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 5 Jul 2024 12:38:35 +0200 Subject: [PATCH 39/68] fix: use relative paths (weird Nix 2.23??) - On my machine Nix is 2.18. --- tools/nix/pkgs/rdf-protect.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/nix/pkgs/rdf-protect.nix b/tools/nix/pkgs/rdf-protect.nix index fbb6aff..cca43fc 100644 --- a/tools/nix/pkgs/rdf-protect.nix +++ b/tools/nix/pkgs/rdf-protect.nix @@ -10,12 +10,12 @@ rustc = rustToolchain; }; - cargoFile = /. + rootDir + "/Cargo.toml"; - lockFile = /. + rootDir + "/Cargo.lock"; + cargoFile = ../../../Cargo.toml; + lockFile = ../../../Cargo.lock; in rustPlatform.buildRustPackage { name = "rdf-protect"; - src = /. + rootDir; + src = ../../..; version = (lib.importTOML cargoFile).package.version; From db3354e3f97e54990986c3afbdc3a74c15ec1611 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 5 Jul 2024 12:52:17 +0200 Subject: [PATCH 40/68] fix: try to reproduce Nix weird behaviour --- .github/workflows/normal.yaml | 2 ++ tools/nix/pkgs/rdf-protect.nix | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index 13a5115..e451979 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml @@ -138,10 +138,12 @@ jobs: - name: Build package (nix) run: | + ./tools/ci/setup-git.sh just nix-develop just nix-package - name: Build container image (nix) run: | + ./tools/ci/setup-git.sh just nix-develop just nix-image deploy: diff --git a/tools/nix/pkgs/rdf-protect.nix b/tools/nix/pkgs/rdf-protect.nix index cca43fc..fbb6aff 100644 --- a/tools/nix/pkgs/rdf-protect.nix +++ b/tools/nix/pkgs/rdf-protect.nix @@ -10,12 +10,12 @@ rustc = rustToolchain; }; - cargoFile = ../../../Cargo.toml; - lockFile = ../../../Cargo.lock; + cargoFile = /. + rootDir + "/Cargo.toml"; + lockFile = /. + rootDir + "/Cargo.lock"; in rustPlatform.buildRustPackage { name = "rdf-protect"; - src = ../../..; + src = /. + rootDir; version = (lib.importTOML cargoFile).package.version; From 2e86370442ed4abd494e5e9b538ca9d1bc8609df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 5 Jul 2024 12:59:42 +0200 Subject: [PATCH 41/68] fix: reproduce what is wrong with `just nix-package` --- .github/workflows/normal.yaml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index e451979..733004c 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml 
@@ -134,17 +134,15 @@ jobs: - name: Setup Git run: | ./tools/ci/setup-git.sh - just nix-develop git --version + just nix-develop git --version - name: Build package (nix) run: | - ./tools/ci/setup-git.sh - just nix-develop just nix-package + just nix-package - - name: Build container image (nix) - run: | - ./tools/ci/setup-git.sh - just nix-develop just nix-image + # - name: Build container image (nix) + # run: | + # just nix-develop just nix-image deploy: runs-on: ubuntu-latest From a86e8fed5d303cfc7a6a154a1ae760c9f3bca221 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 5 Jul 2024 13:04:52 +0200 Subject: [PATCH 42/68] fix: try to build image too... --- .github/workflows/normal.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index 733004c..2785ec2 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml @@ -140,9 +140,9 @@ jobs: run: | just nix-package - # - name: Build container image (nix) - # run: | - # just nix-develop just nix-image + - name: Build container image (nix) + run: | + just nix-develop just nix-image deploy: runs-on: ubuntu-latest From 53728330dcf54b34af2b1e42d7b1793a8f042e3e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Fri, 5 Jul 2024 13:13:14 +0200 Subject: [PATCH 43/68] fix: TODO --- .github/workflows/normal.yaml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index 2785ec2..3c33eec 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml @@ -43,7 +43,7 @@ jobs: - name: Setup Git & Cache Nix run: | ./tools/ci/setup-git.sh - just nix-develop git --version + just nix-develop echo "Built cache." - name: Format run: | 
@@ -62,7 +62,7 @@ jobs: - name: Setup Git & Cache Nix run: | ./tools/ci/setup-git.sh - just nix-develop git --version + just nix-develop echo "Built cache." - name: Lint run: | @@ -90,7 +90,7 @@ jobs: - name: Setup Git & Cache Nix run: | ./tools/ci/setup-git.sh - just nix-develop git --version + just nix-develop echo "Built cache." - name: build run: | @@ -134,7 +134,7 @@ jobs: - name: Setup Git run: | ./tools/ci/setup-git.sh - just nix-develop git --version + just nix-develop echo "Built cache." - name: Build package (nix) run: | @@ -142,6 +142,8 @@ jobs: - name: Build container image (nix) run: | + # TODO: This seems to error out into + # rdf-protect-base.json> variable $src or $srcs should point to the source just nix-develop just nix-image deploy: @@ -162,7 +164,7 @@ jobs: - name: Setup Git & Nix Cache run: | ./tools/ci/setup-git.sh - just nix-develop git --version + just nix-develop echo "Built cache." - name: Create version tag (if release) run: | From e2a92c9cfbd183cb26d473125d874b8f201d536b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Sat, 6 Jul 2024 21:43:32 +0200 Subject: [PATCH 44/68] fix: correct weird bug in `nix build` when in `devShell` MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gabriel Nützi --- .github/workflows/normal.yaml | 38 +++++++++++++++++------------------ justfile | 6 ++++++ tools/nix/flake.nix | 12 +++++++++++ 3 files changed, 36 insertions(+), 20 deletions(-) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index 3c33eec..db8a12c 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml @@ -43,11 +43,11 @@ jobs: - name: Setup Git & Cache Nix run: | ./tools/ci/setup-git.sh - just nix-develop echo "Built cache." + just nix-develop-ci echo "Built cache." - name: Format run: | - just nix-develop just format + just nix-develop-ci just format lint: runs-on: ubuntu-latest 
@@ -62,16 +62,16 @@ jobs: - name: Setup Git & Cache Nix run: | ./tools/ci/setup-git.sh - just nix-develop echo "Built cache." + just nix-develop-ci echo "Built cache." - name: Lint run: | - just nix-develop just lint + just nix-develop-ci just lint - name: Lint Undefined-Behavior continue-on-error: true run: | - just nix-develop just lint-ub + just nix-develop-ci just lint-ub - name: Allow to fail if: failure() @@ -90,14 +90,14 @@ jobs: - name: Setup Git & Cache Nix run: | ./tools/ci/setup-git.sh - just nix-develop echo "Built cache." + just nix-develop-ci echo "Built cache." - name: build run: | - just nix-develop just build + just nix-develop-ci just build - name: tests run: | - just nix-develop just test + just nix-develop-ci just test test: runs-on: ubuntu-latest @@ -112,11 +112,11 @@ jobs: - name: Setup Git & Cache Nix run: | ./tools/ci/setup-git.sh - just nix-develop git --version + just nix-develop-ci git --version - name: Test run: | - just nix-develop just test + just nix-develop-ci just test package: runs-on: ubuntu-latest @@ -134,17 +134,15 @@ jobs: - name: Setup Git run: | ./tools/ci/setup-git.sh - just nix-develop echo "Built cache." + just nix-develop-ci echo "Built cache." - name: Build package (nix) run: | - just nix-package + just nix-develop-ci nix-package - name: Build container image (nix) run: | - # TODO: This seems to error out into - # rdf-protect-base.json> variable $src or $srcs should point to the source - just nix-develop just nix-image + just nix-develop-ci just nix-image deploy: runs-on: ubuntu-latest 
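Review bot: `just nix-develop-ci nix-package` in the `Build package (nix)` step passes `nix-package` as the command to execute inside the shell, not as a `just` recipe, so unless a `nix-package` executable exists on the shell's PATH the step fails; every other step in the hunk uses the `just nix-develop-ci just <recipe>` form. The line should read `just nix-develop-ci just nix-package`.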
@@ -164,20 +162,20 @@ jobs: - name: Setup Git & Nix Cache run: | ./tools/ci/setup-git.sh - just nix-develop echo "Built cache." + just nix-develop-ci echo "Built cache." - name: Create version tag (if release) run: | - just nix-develop ./tools/ci/assert-tag.sh "$GITHUB_REF" + just nix-develop-ci ./tools/ci/assert-tag.sh "$GITHUB_REF" - name: Build container image (nix) run: | - just nix-develop just nix-image + just nix-develop-ci just nix-image - name: Push image (if release) run: | - just nix-develop tools/ci/upload-image.sh + just nix-develop-ci tools/ci/upload-image.sh - name: Push tag (if release) run: | - just nix-develop ./tools/ci/assert-tag.sh --push "$GITHUB_REF" + just nix-develop-ci ./tools/ci/assert-tag.sh --push "$GITHUB_REF" diff --git a/justfile b/justfile index 0a98fcc..8cb8b3b 100644 --- a/justfile +++ b/justfile @@ -17,6 +17,12 @@ nix-develop *args: { [ -n "${cmd:-}" ] || cmd=("zsh"); } && \ nix develop ./tools/nix#default --command "${cmd[@]}" +nix-develop-ci *args: + cd "{{root_dir}}" && \ + cmd=("$@") && \ + { [ -n "${cmd:-}" ] || cmd=("zsh"); } && \ + nix develop ./tools/nix#ci --command "${cmd[@]}" + ## Standard stuff ============================================================= # Format the code. format *args: diff --git a/tools/nix/flake.nix b/tools/nix/flake.nix index 8f502a0..7f79357 100644 --- a/tools/nix/flake.nix +++ b/tools/nix/flake.nix @@ -98,6 +98,18 @@ inherit buildInputs; nativeBuildInputs = nativeBuildInputsBasic ++ nativeBuildInputsDev; }; + + ci = mkShell { + inherit buildInputs; + nativeBuildInputs = nativeBuildInputsBasic ++ nativeBuildInputsDev; + + # Due to some weird handling of TMPDIR inside containers: + # https://github.com/NixOS/nix/issues/8355 + # We have to reset the TMPDIR to make `nix build` work inside + # a development shell. + # Without `nix develop` it works. + shellHook = "unset TMPDIR"; + }; }; packages = { From 5446818fcaef5286dbe1e7886127aba2b356d466 Mon Sep 17 00:00:00 2001 
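Review bot: `nix-develop-ci` is a copy of `nix-develop` differing only in the flake output `#ci`, so the `cd`, the argument capture and the `zsh` default are now maintained twice. A single parameterized recipe keeps one definition, e.g. `nix-develop-shell shell *args:` running `nix develop "./tools/nix#{{shell}}" --command "${cmd[@]}"`, with `nix-develop` and `nix-develop-ci` reduced to one-line wrappers. The `shellHook = "unset TMPDIR"` in the flake hunk is well explained; a matching comment on the justfile recipe, `# CI shell: resets TMPDIR so nix build works inside the container (see flake.nix).`, would tell readers why two shells exist.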
From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Sat, 6 Jul 2024 21:56:33 +0200 Subject: [PATCH 45/68] fix: build image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gabriel Nützi --- .github/workflows/normal.yaml | 3 +++ tools/build-image.sh | 2 ++ 2 files changed, 5 insertions(+) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index db8a12c..c82ba45 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml @@ -153,6 +153,9 @@ jobs: if: ${{ inputs.is_release }} + env: + CI_IS_RELEASE: true + steps: - name: Checkout uses: actions/checkout@v4 diff --git a/tools/build-image.sh b/tools/build-image.sh index b3c6c7a..05fbf22 100755 --- a/tools/build-image.sh +++ b/tools/build-image.sh @@ -33,6 +33,8 @@ function main() { # Write the temporary version file (gets restored...) dasel put -r toml -f "$VERSION_FILE" -t string -v "$version" .package.version else + print_info "Building image for release." + # When CI and in Release, the requested version must match. version=$(dasel get -f "$VERSION_FILE" .package.version -w yaml) From 823534499705cc89b8513a84bd000fb4620a9595 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Sat, 6 Jul 2024 22:00:57 +0200 Subject: [PATCH 46/68] fix: skopeo cannot deal with `:` in image names MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gabriel Nützi --- tools/build-image.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tools/build-image.sh b/tools/build-image.sh index 05fbf22..3b4dadd 100755 --- a/tools/build-image.sh +++ b/tools/build-image.sh 
@@ -51,7 +51,11 @@ function main() { image_name=$(nix eval --raw "./tools/nix#images.rdf-protect.imageName") image_tag=$(nix eval --raw "./tools/nix#images.rdf-protect.imageTag") - dir="build/image/$image_name:$image_tag.tar.gz" + + # We cannot use `:` before the tag, because `skopeo` + # is unable to read this path correctly, because it + # stupidly deals with it. + dir="build/image/$image_name|$image_tag.tar.gz" cd "$ROOT_DIR" From 941049489a1ba40e960630bdba64e24afbd3867e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Sat, 6 Jul 2024 22:07:06 +0200 Subject: [PATCH 47/68] fix: CI and deployment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gabriel Nützi --- README.md | 6 ++++-- tools/build-image.sh | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 52e2b4e..6472cf4 100644 --- a/README.md +++ b/README.md @@ -254,6 +254,8 @@ Would become: ## Development +Read first the [Contribution Guidelines](/CONTRIBUTING.md). + ### Setup - Rust Toolchain: You need the `rust` toolchain corresponding to @@ -353,8 +355,8 @@ just release It will: -- Check that the version is sem. version and the version does not exists (local - and remote) and it is newer then all remote version. +- Check that the version is semantic version and the version does not exists + (local and remote) and it is newer then all remote version. - Update the `Cargo.toml` and make a commit on `main`. diff --git a/tools/build-image.sh b/tools/build-image.sh index 3b4dadd..25c43fd 100755 --- a/tools/build-image.sh +++ b/tools/build-image.sh @@ -36,7 +36,7 @@ function main() { print_info "Building image for release." # When CI and in Release, the requested version must match. - version=$(dasel get -f "$VERSION_FILE" .package.version -w yaml) + version=$(dasel -r toml -f "$VERSION_FILE" .package.version -w yaml) release_version=${GITHUB_REF##*prepare-v} 
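Review bot: `dir="build/image/$image_name|$image_tag.tar.gz"` puts a `|` into a file name; that is legal on Linux but every later use of `$dir` must stay carefully quoted, and if `image_name` carries a registry or namespace prefix with `/` (the upload script pushes `docker://$image_name`, which suggests it does) the path gains directory levels that nothing here creates. A plain separator avoids both issues: `dir="build/image/${image_name//\//_}-$image_tag.tar.gz"`. The comment could then state the actual constraint rather than the frustration: `# skopeo cannot read an archive path containing ':' (presumably parsed as a reference separator), so the tag is joined with '-'.`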
From 652eae990d94689c59150fcbbb4e2ff37f06e1d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Sat, 6 Jul 2024 22:10:39 +0200 Subject: [PATCH 48/68] fix: CI MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gabriel Nützi --- .github/workflows/normal.yaml | 10 +++++++++- tools/ci/upload-image.sh | 10 ++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index c82ba45..75344c4 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml @@ -18,6 +18,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: read-all + defaults: run: shell: bash @@ -138,7 +140,7 @@ jobs: - name: Build package (nix) run: | - just nix-develop-ci nix-package + just nix-develop-ci just nix-package - name: Build container image (nix) run: | @@ -153,6 +155,9 @@ jobs: if: ${{ inputs.is_release }} + permissions: + packages: write + env: CI_IS_RELEASE: true @@ -176,6 +181,9 @@ jobs: just nix-develop-ci just nix-image - name: Push image (if release) + env: + REGISTRY_USERNAME: ${{ github.actor }} + REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} run: | just nix-develop-ci tools/ci/upload-image.sh diff --git a/tools/ci/upload-image.sh b/tools/ci/upload-image.sh index 13b873c..e31f1a2 100755 --- a/tools/ci/upload-image.sh +++ b/tools/ci/upload-image.sh @@ -11,6 +11,14 @@ ROOT_DIR=$(git rev-parse --show-toplevel) cd "$ROOT_DIR" function main() { + + local username=${REGISTRY_USERNAME:-$USERNAME} + local password=${REGISTRY_PASSWORD:-$PASSWORD} + + if [ -z "$username" ] || [ -z "$password" ]; then + die "'USERNAME' or 'PASSWORD' env. variables not set." + fi + if ! ci_is_running; then die "This script should only be executed in CI" fi 
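Review bot: The fallback `${REGISTRY_USERNAME:-$USERNAME}` silently picks up the login name that many environments export as `USERNAME`, so a missing `REGISTRY_USERNAME` yields a push attempt under the wrong account instead of the intended `die`, and the message names `'USERNAME' or 'PASSWORD'` while the variables the workflow actually sets are `REGISTRY_*`. If the script runs under `set -u` (not visible in the hunk), an unset `USERNAME` or `PASSWORD` also aborts before the check is reached. Drop the fallback or make it explicit: `local username=${REGISTRY_USERNAME:-}` and `local password=${REGISTRY_PASSWORD:-}` with `die "'REGISTRY_USERNAME' or 'REGISTRY_PASSWORD' env. variables not set."`. The rest of `main` continues outside the hunk.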
@@ -33,6 +41,8 @@ function main() { skopeo \ --insecure-policy \ copy \ + --dest-username <(echo "$username") \ + --dest-password <(echo "$password") \ --dest-authfile "$HOME/.docker/config.json" \ "docker-archive://$image_path" \ "docker://$image_name" From cc8ee4060e521a2c1ddcdd813318a4b3a73ded99 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Tue, 9 Jul 2024 09:28:23 +0200 Subject: [PATCH 49/68] fix: review comments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gabriel Nützi --- .github/workflows/normal.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index 75344c4..ee47b01 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml @@ -190,3 +190,5 @@ jobs: - name: Push tag (if release) run: | just nix-develop-ci ./tools/ci/assert-tag.sh --push "$GITHUB_REF" + + # TODO: on fail delete prepare tag From 41eff3ac632f2f5819aa1674eb35f8e5ba1b9ec0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Tue, 9 Jul 2024 11:02:31 +0200 Subject: [PATCH 50/68] fix: WIP MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gabriel Nützi --- tools/ci/assert-tag.sh | 53 +++++++++++++++++++++--------------------- 1 file changed, 27 insertions(+), 26 deletions(-) diff --git a/tools/ci/assert-tag.sh b/tools/ci/assert-tag.sh index 9515e52..1c2f480 100755 --- a/tools/ci/assert-tag.sh +++ b/tools/ci/assert-tag.sh 
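Review bot: `--dest-username <(echo "$username")` and `--dest-password <(echo "$password")` hand skopeo the process-substitution paths (`/dev/fd/N`), and as far as I know both flags take the literal value rather than a file, so the registry receives `/dev/fd/63` as the user name and the push is rejected; were the flags file-based, `echo` would additionally append a newline to the secret. Passing the values directly instead would put the token on the command line, where it is readable from `/proc/*/cmdline` for the duration of the copy. Authenticating first keeps the secret off argv and reuses the `--dest-authfile` already passed: `printf '%s' "$password" | skopeo login --authfile "$HOME/.docker/config.json" --username "$username" --password-stdin "${image_name%%/*}"` (assuming `image_name` is registry-qualified), after which the two `--dest-*` lines can go. `main` starts outside the hunk.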
@@ -15,41 +15,42 @@ cd "$ROOT_DIR" RELEASE_BRANCH="main" function main() { - local push="false" - [ "$1" = "--push" ] && shift 1 && push="true" - - local prepare_tag="$1" + local type="$1" + local prepare_tag="$2" local release_tag=${prepare_tag##*prepare-} - if [ "$push" = "true" ]; then + if [ "$type" = "push" ]; then print_info "Pushing tag '$release_tag'." git push origin "$release_tag" || die "Could not push tag." exit 0 + elif [ "$type" = "create-and-check" ]; then + print_info "Create tag '$release_tag' and check." + + # Gets the message on the annotated commit: + deref() { + git for-each-ref "refs/tags/$release_tag" --format="%($1)" + } + + deref contents + + # Creates a new tag with the same message, + # including trailing headers. + git tag -a -m "$(deref contents)" "$release_tag" || + die "Could not create tag." + + # Fetch the branch. + git fetch --depth 50 origin "$RELEASE_BRANCH" + + # Check if its reachable. + if [ -n "$(git rev-list --first-parent \ + --ancestry-path \ + "$release_tag^..origin/$RELEASE_BRANCH")" ]; then + die "Tag is not reachable from '$RELEASE_BRANCH' (--first-parent) !" + fi fi - # Gets the message on the annotated commit: - deref() { - git for-each-ref "refs/tags/$release_tag" --format="%($1)" - } - - deref contents - - # Creates a new tag with the same message, - # including trailing headers. - git tag -a -m "$(deref contents)" "$release_tag" || - die "Could not create tag." - - # Fetch the branch. - git fetch --depth 50 origin "$RELEASE_BRANCH" - - # Check if its reachable. - if [ -n "$(git rev-list --first-parent \ - --ancestry-path \ - "$release_tag^..origin/$RELEASE_BRANCH")" ]; then - die "Tag is not reachable from '$RELEASE_BRANCH' (--first-parent) !" - fi } main "$@" From 6b61bf227479c77e72703dcee751ccd7f5adfb09 Mon Sep 17 00:00:00 2001 
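Review bot: In the `create-and-check` branch, `git fetch --depth 50 origin "$RELEASE_BRANCH"` bounds the history the reachability test can see, so the `git rev-list --first-parent --ancestry-path` check only answers correctly when the tagged commit lies within the last 50 first-parent commits of `main`; an older release commit would pass or fail for the wrong reason, and a comment stating this limit (or an unbounded fetch for this one branch) is warranted. The bare `deref contents` call before `git tag` only prints the tag message and looks like a debugging leftover. I also could not convince myself what the `-n` test accepts when the tag is the tip of `main`, so a one-line comment on the intended semantics would help the next reader, e.g. `# Non-empty: commits exist on main's first-parent line that are not on the path to the tag.`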
From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Tue, 9 Jul 2024 13:34:11 +0200 Subject: [PATCH 51/68] fix: add cleanup at end MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gabriel Nützi --- .github/workflows/normal.yaml | 8 ++++++-- tools/ci/assert-tag.sh | 13 +++++++++++-- tools/release.sh | 25 ++++++++++++------------- 3 files changed, 29 insertions(+), 17 deletions(-) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index ee47b01..92ce904 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml @@ -174,7 +174,7 @@ jobs: - name: Create version tag (if release) run: | - just nix-develop-ci ./tools/ci/assert-tag.sh "$GITHUB_REF" + just nix-develop-ci ./tools/ci/assert-tag.sh create-and-check "$GITHUB_REF" - name: Build container image (nix) run: | @@ -189,6 +189,10 @@ jobs: - name: Push tag (if release) run: | - just nix-develop-ci ./tools/ci/assert-tag.sh --push "$GITHUB_REF" + just nix-develop-ci ./tools/ci/assert-tag.sh push "$GITHUB_REF" + - name: Cleanup + if: always() + run: | + just nix-develop-ci tools/ci/assert-tag cleanup # TODO: on fail delete prepare tag diff --git a/tools/ci/assert-tag.sh b/tools/ci/assert-tag.sh index 1c2f480..a442dbd 100755 --- a/tools/ci/assert-tag.sh +++ b/tools/ci/assert-tag.sh @@ -21,11 +21,12 @@ function main() { if [ "$type" = "push" ]; then print_info "Pushing tag '$release_tag'." + git push origin "$release_tag" || die "Could not push tag." - exit 0 elif [ "$type" = "create-and-check" ]; then + print_info "Create tag '$release_tag' and check." # Gets the message on the annotated commit: 
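Review bot: The new `Cleanup` step runs `tools/ci/assert-tag cleanup`, but the script is `tools/ci/assert-tag.sh` (every other step uses the `.sh` name), and no `"$GITHUB_REF"` is passed, so `prepare_tag="$2"` inside the script is empty. Under `if: always()` this step would fail on every run, and even with the name fixed the cleanup branch would operate on an empty tag name. It should read `just nix-develop-ci ./tools/ci/assert-tag.sh cleanup "$GITHUB_REF"`. The same line survives unchanged as context in the patch 52 hunk further down, so that commit does not fix it either.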
@@ -49,8 +50,16 @@ function main() { "$release_tag^..origin/$RELEASE_BRANCH")" ]; then die "Tag is not reachable from '$RELEASE_BRANCH' (--first-parent) !" fi - fi + elif [ "$type" = "cleanup" ]; then + + print_info "Cleanup the prepare tag." + git tag -d "$prepare_tag" || true + git push origin :"$prepare_tag" || true + + else + die "Type '$type' is not known." + fi } main "$@" diff --git a/tools/release.sh b/tools/release.sh index 0fad4d9..178962c 100755 --- a/tools/release.sh +++ b/tools/release.sh @@ -20,10 +20,20 @@ function delete_prepare_tags() { for tag in "${prepareTag[@]}"; do print_info "Deleting prepare tag '$tag'." git push -f origin ":${tag}" || true - git tag -d "$tag" + git tag -d "$tag" || die done } +function create_prepare_tag() { + local tag="v$1" + + print_info "Tagging with '$tag'." + git tag -a -m "Version $tag" "prepare-$tag" || die "Could not create tag." + + print_info "Tag contains:" + git cat-file -p "prepare-$tag" || die "Could not show tag content." +} + function commit_version_file() { local version="$1" print_info "Writing new version file... (for Nix)" @@ -37,16 +47,6 @@ function commit_version_file() { fi } -function create_prepare_tag() { - tag="v$version" - - print_info "Tagging..." - git tag -a -m "Version $tag" "prepare-$tag" - - print_info "Tag contains:" - git cat-file -p "prepare-$tag" -} - function trigger_build() { local branch="$1" printf "Do you want to trigger the build? [y|n]: " @@ -115,9 +115,8 @@ function main() { delete_prepare_tags check_new_version "$version" - commit_version_file "$version" - create_prepare_tag + create_prepare_tag "$version" trigger_build "$branch" } From ca10b3815451fd8ef4755398a7d92b9ff6c3a3d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Tue, 9 Jul 2024 13:36:15 +0200 Subject: [PATCH 52/68] fix: script typo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
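Review bot: The new `cleanup` branch pushes a deletion of whatever `$prepare_tag` holds (`git push origin :"$prepare_tag"`), and neither `main` nor this branch checks that the argument is actually a `prepare-*` tag; the workflow passes the ref verbatim, so if the release job were ever triggered on a branch ref the `if: always()` cleanup step would request deletion of that branch with the job's token. I would validate the input at the top of `main`, before the `if`/`elif` chain: `[[ "$prepare_tag" == *prepare-* ]] || die "Not a prepare tag: '$prepare_tag'."`. The `|| true` on both cleanup commands is reasonable for a best-effort step, but the failure then leaves no trace in the log; a `print_info` warning in that case would help when a stale prepare tag is later found on origin.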
Signed-off-by: Gabriel Nützi --- .github/workflows/normal.yaml | 4 ++-- tools/release.sh | 20 ++++++++++++-------- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index 92ce904..8995191 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml @@ -174,7 +174,8 @@ jobs: - name: Create version tag (if release) run: | - just nix-develop-ci ./tools/ci/assert-tag.sh create-and-check "$GITHUB_REF" + just nix-develop-ci ./tools/ci/assert-tag.sh \ + create-and-check "$GITHUB_REF" - name: Build container image (nix) run: | @@ -195,4 +196,3 @@ jobs: if: always() run: | just nix-develop-ci tools/ci/assert-tag cleanup - # TODO: on fail delete prepare tag diff --git a/tools/release.sh b/tools/release.sh index 178962c..da4d67d 100755 --- a/tools/release.sh +++ b/tools/release.sh @@ -25,13 +25,13 @@ function delete_prepare_tags() { } function create_prepare_tag() { - local tag="v$1" + local tag="$1" print_info "Tagging with '$tag'." - git tag -a -m "Version $tag" "prepare-$tag" || die "Could not create tag." + git tag -a -m "Version $version" "$tag" || die "Could not create tag." print_info "Tag contains:" - git cat-file -p "prepare-$tag" || die "Could not show tag content." + git cat-file -p "$tag" || die "Could not show tag content." } function commit_version_file() { 
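Review bot: `create_prepare_tag` now reads `$version` in `-m "Version $version"` without receiving it; the function relies on Bash's dynamic scoping of the caller's `version` (presumably a local in `main`, whose declaration is outside these hunks), and with `set -u` it aborts if called from anywhere else. Pass it explicitly: `local tag="$1"` / `local version="$2"`, and in `main` call `create_prepare_tag "$prepare_tag" "$version"`. The same implicit-scope pattern is what the `# Reference to parent scoped variable.` comment in `check_new_version` was describing, and that comment is removed in this commit, so making the dependency explicit here keeps both functions consistent.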
@@ -49,18 +49,20 @@ function commit_version_file() { function trigger_build() { local branch="$1" + local tag="$2" + printf "Do you want to trigger the build? [y|n]: " read -r answer if [ "$answer" != "y" ]; then die "Do not trigger build -> abort." fi - print_info "Pushing tag 'prepare-$tag'." - git push -f origin --no-follow-tags "$branch" "prepare-$tag" + print_info "Pushing tag '$tag'." + git push -f origin --no-follow-tags "$branch" "$tag" } function check_new_version() { - local new_version="$1" # Reference to parent scoped variable. + local new_version="$1" # Check that is a version. if [ "$(ci_container_mgr run --rm alpine/semver semver "$new_version" | tail -1)" != "$new_version" ]; then @@ -114,11 +116,13 @@ function main() { delete_prepare_tags + local prepare_tag="prepare-v$version" + check_new_version "$version" commit_version_file "$version" - create_prepare_tag "$version" - trigger_build "$branch" + create_prepare_tag "$prepare_tag" + trigger_build "$branch" "$prepare_tag" } main "$@" From 25dac369f1b183a23a2b768a6b3f9f7035dceb83 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Tue, 9 Jul 2024 13:51:50 +0200 Subject: [PATCH 53/68] fix: CI MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gabriel Nützi --- tools/release.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/release.sh b/tools/release.sh index da4d67d..c2a1e8c 100755 --- a/tools/release.sh +++ b/tools/release.sh @@ -32,6 +32,8 @@ function create_prepare_tag() { print_info "Tag contains:" git cat-file -p "$tag" || die "Could not show tag content." + + print_info "Successfully created prepate tag '$tag'." } function commit_version_file() { @@ -59,6 +61,8 @@ function trigger_build() { print_info "Pushing tag '$tag'." git push -f origin --no-follow-tags "$branch" "$tag" + + print_info "Successfully triggered build." } function check_new_version() { 
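Review bot: `trigger_build` runs `git push -f origin --no-follow-tags "$branch" "$tag"`; the `-f` applies to every refspec on that line, so the release branch itself is force-pushed, which can silently discard commits that landed on `origin/$branch` after the local checkout. Only the prepare tag needs overwriting, so push the branch without force and the tag with it: `git push origin --no-follow-tags "$branch" || die "Could not push branch."` followed by `git push -f origin --no-follow-tags "$tag" || die "Could not push tag."` (or `--force-with-lease` if overwriting the branch is intended). In `check_new_version`, the version string is validated by running `alpine/semver` with no tag or digest; pinning that image (`alpine/semver:<tag>@sha256:…`) keeps a release-gating tool from changing underneath you.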
From 4c8315dfe0ea949d62180b13c6bdc52ec063a42d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Tue, 9 Jul 2024 13:53:55 +0200 Subject: [PATCH 54/68] fix: CI MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gabriel Nützi --- .github/workflows/normal.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index 8995191..4d5a819 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml @@ -40,7 +40,7 @@ jobs: - name: Checkout uses: actions/checkout@v4 with: - fetch-depth: 0 + fetch-depth: 1 - name: Setup Git & Cache Nix run: | @@ -59,7 +59,7 @@ jobs: - name: Checkout uses: actions/checkout@v4 with: - fetch-depth: 0 + fetch-depth: 1 - name: Setup Git & Cache Nix run: | @@ -87,7 +87,7 @@ jobs: - name: Checkout uses: actions/checkout@v4 with: - fetch-depth: 0 + fetch-depth: 1 - name: Setup Git & Cache Nix run: | @@ -109,7 +109,7 @@ jobs: - name: Checkout uses: actions/checkout@v4 with: - fetch-depth: 0 + fetch-depth: 1 - name: Setup Git & Cache Nix run: | @@ -131,7 +131,7 @@ jobs: - name: Checkout uses: actions/checkout@v4 with: - fetch-depth: 0 + fetch-depth: 1 - name: Setup Git run: | @@ -165,7 +165,7 @@ jobs: - name: Checkout uses: actions/checkout@v4 with: - fetch-depth: 0 + fetch-depth: 1 - name: Setup Git & Nix Cache run: | From 2ff14aadecf5b6670aa3d3162507268deffae768 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Tue, 9 Jul 2024 13:59:09 +0200 Subject: [PATCH 55/68] fix: CI MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gabriel Nützi --- .github/workflows/normal.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index 4d5a819..b096ae6 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml 
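Review bot: Dropping to `fetch-depth: 1` in the deploy job's checkout (the last hunk) changes what `tools/ci/assert-tag.sh create-and-check` can see: the reachability test then runs on a shallow clone plus a `git fetch --depth 50 origin main`, so it can only decide correctly when the tagged commit is within the last 50 first-parent commits of `main`, and otherwise the outcome depends on clone depth rather than on history. For the jobs that only build and test, depth 1 is fine; for `deploy` I would keep `fetch-depth: 0`, or run `git fetch --unshallow` before the tag check, with a comment such as `# full history: assert-tag.sh verifies the tag is on main's first-parent chain`.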
@@ -156,6 +156,7 @@ jobs: if: ${{ inputs.is_release }} permissions: + contents: write packages: write env: From f5a03fd9f602e2d17be18050fa26c037d60a0d21 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Tue, 9 Jul 2024 14:05:08 +0200 Subject: [PATCH 56/68] fix: typo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gabriel Nützi --- .github/workflows/normal.yaml | 2 +- tools/ci/assert-tag.sh | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index b096ae6..891da48 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml @@ -196,4 +196,4 @@ jobs: - name: Cleanup if: always() run: | - just nix-develop-ci tools/ci/assert-tag cleanup + just nix-develop-ci tools/ci/assert-tag.sh cleanup "$GITHUB_REF" diff --git a/tools/ci/assert-tag.sh b/tools/ci/assert-tag.sh index a442dbd..09568be 100755 --- a/tools/ci/assert-tag.sh +++ b/tools/ci/assert-tag.sh @@ -17,6 +17,7 @@ RELEASE_BRANCH="main" function main() { local type="$1" local prepare_tag="$2" + local release_tag=${prepare_tag##*prepare-} if [ "$type" = "push" ]; then From bff0153d631646d7d4f246794d3fea4cdd17c9f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Tue, 9 Jul 2024 14:07:22 +0200 Subject: [PATCH 57/68] fix: typo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gabriel Nützi --- tools/ci/upload-image.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/tools/ci/upload-image.sh b/tools/ci/upload-image.sh index e31f1a2..d5902c5 100755 --- a/tools/ci/upload-image.sh +++ b/tools/ci/upload-image.sh @@ -43,7 +43,6 @@ function main() { copy \ --dest-username <(echo "$username") \ --dest-password <(echo "$password") \ - --dest-authfile "$HOME/.docker/config.json" \ "docker-archive://$image_path" \ "docker://$image_name" 
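Review bot: `contents: write` is granted to the whole deploy job, but only the `Push Tag` and `Cleanup` steps need it; the same `GITHUB_TOKEN` is then also available while `just nix-develop-ci just nix-image` and the registry upload run, so any compromised build input in those steps could push refs to the repository. GitHub scopes permissions per job, so consider moving the tag push and cleanup into a job of their own with `needs: [deploy]` and `permissions: contents: write`, leaving the build/upload job with `packages: write` only. At minimum, a comment next to the permission naming the steps that need it (`# contents: write -> push release tag (assert-tag.sh push/cleanup)`) tells the next reviewer why it is there.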
From c8c81750906c9e5c682bf780c6db826498ea7307 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Tue, 9 Jul 2024 17:36:40 +0200 Subject: [PATCH 58/68] fix: add opencontainers label on image build MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gabriel Nützi --- tools/nix/images/rdf-protect.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tools/nix/images/rdf-protect.nix b/tools/nix/images/rdf-protect.nix index 7b5304e..5ef5442 100644 --- a/tools/nix/images/rdf-protect.nix +++ b/tools/nix/images/rdf-protect.nix @@ -11,5 +11,10 @@ pkgs.dockerTools.buildLayeredImage { config = { Entrypoint = ["rdf-protect"]; WorkingDir = "/"; + Labels = { + "org.opencontainers.image.source" = "https://github.com/sdsc-ordes/rdf-protect"; + "org.opencontainers.image.description" = rdf-protect.meta.description; + "org.opencontainers.image.license" = "Apache-2.0"; + }; }; } From 21d4632db3c5c20469bb7f8e66b7dd0048a5b0a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Tue, 9 Jul 2024 17:41:12 +0200 Subject: [PATCH 59/68] fix: remove obsolete lint ub MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gabriel Nützi --- .github/workflows/normal.yaml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index 891da48..f5956ae 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml @@ -70,15 +70,6 @@ jobs: run: | just nix-develop-ci just lint - - name: Lint Undefined-Behavior - continue-on-error: true - run: | - just nix-develop-ci just lint-ub - - - name: Allow to fail - if: failure() - run: echo "lint-up failed -> continue." - build: runs-on: ubuntu-latest container: From 30df3a0c4b9e2ed446e959cf947fd88b6de411ea Mon Sep 17 00:00:00 2001 
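Review bot: The license label uses a non-standard key: the OCI image-spec pre-defined annotation is `org.opencontainers.image.licenses` (plural), so registries and scanners that read the standard keys will not pick up `org.opencontainers.image.license`. Change the line to `"org.opencontainers.image.licenses" = "Apache-2.0";`. If the version and git revision are readily available in this Nix expression, `org.opencontainers.image.version` and `org.opencontainers.image.revision` are the labels that let an operator trace a running image back to the tag this pipeline creates.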
From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Tue, 9 Jul 2024 17:50:35 +0200 Subject: [PATCH 60/68] fix: stupid token error MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gabriel Nützi --- tools/ci/upload-image.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/ci/upload-image.sh b/tools/ci/upload-image.sh index d5902c5..1be4d40 100755 --- a/tools/ci/upload-image.sh +++ b/tools/ci/upload-image.sh @@ -41,8 +41,8 @@ function main() { skopeo \ --insecure-policy \ copy \ - --dest-username <(echo "$username") \ - --dest-password <(echo "$password") \ + --dest-username "$(cat <(echo "$username"))" \ + --dest-password "$(cat <(echo "$password"))" \ "docker-archive://$image_path" \ "docker://$image_name" From 4a1d29e0ae18efe196f54702a5dfcccc33458fa9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Tue, 9 Jul 2024 18:16:01 +0200 Subject: [PATCH 61/68] fix: add Github release step MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gabriel Nützi --- .github/workflows/normal.yaml | 32 +++++++++++++++++++++++-------- tools/ci/create-github-release.sh | 27 ++++++++++++++++++++++++++ 2 files changed, 51 insertions(+), 8 deletions(-) create mode 100755 tools/ci/create-github-release.sh diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index f5956ae..afa81b4 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml @@ -85,10 +85,10 @@ jobs: ./tools/ci/setup-git.sh just nix-develop-ci echo "Built cache." - - name: build + - name: Build run: | just nix-develop-ci just build - - name: tests + - name: Tests run: | just nix-develop-ci just test 
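Review bot: After this change the registry credentials are passed as plain command-line arguments (`--dest-username "$(cat <(echo "$username"))"` expands to the literal username, and likewise the password), so the token is visible in `ps`, in `/proc/<pid>/cmdline` and in any shell trace; the process substitution was not hiding it before either, it only handed skopeo a `/dev/fd/N` path. Use skopeo's stdin login and point `copy` at the resulting auth file instead: `printf '%s' "$password" | skopeo login --username "$username" --password-stdin --authfile "$authfile" "${image_name%%/*}"` (assuming `image_name` starts with the registry host) and then `--dest-authfile "$authfile"`, with the temp file removed in a `trap`. `--insecure-policy` is acceptable for a local `docker-archive://` source, but a one-line comment saying so would stop it from being copied to a pull path.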
@@ -129,11 +129,11 @@ jobs: ./tools/ci/setup-git.sh just nix-develop-ci echo "Built cache." - - name: Build package (nix) + - name: Build Package (nix) run: | just nix-develop-ci just nix-package - - name: Build container image (nix) + - name: Build Container Image (nix) run: | just nix-develop-ci just nix-image @@ -164,23 +164,23 @@ jobs: ./tools/ci/setup-git.sh just nix-develop-ci echo "Built cache." - - name: Create version tag (if release) + - name: Create Version Tag run: | just nix-develop-ci ./tools/ci/assert-tag.sh \ create-and-check "$GITHUB_REF" - - name: Build container image (nix) + - name: Build Container Image (nix) run: | just nix-develop-ci just nix-image - - name: Push image (if release) + - name: Push Image env: REGISTRY_USERNAME: ${{ github.actor }} REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} run: | just nix-develop-ci tools/ci/upload-image.sh - - name: Push tag (if release) + - name: Push Tag run: | just nix-develop-ci ./tools/ci/assert-tag.sh push "$GITHUB_REF" @@ -188,3 +188,19 @@ jobs: if: always() run: | just nix-develop-ci tools/ci/assert-tag.sh cleanup "$GITHUB_REF" + + release: + runs-on: ubuntu-latest + if: ${{ inputs.is_release }} + + permissions: + contents: write + + steps: + - name: Create Github Release + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + ./tools/ci/create-github-release.sh \ + "$GITHUB_REF" \ + "$GITHUB_REPOSITORY" diff --git a/tools/ci/create-github-release.sh b/tools/ci/create-github-release.sh new file mode 100755 index 0000000..877e1c9 --- /dev/null +++ b/tools/ci/create-github-release.sh 
@@ -0,0 +1,27 @@ +#!/usr/bin/env bash +# shellcheck disable=SC1090,SC1091 +# This script is sourced in each step. +set -u +set -e + +ROOT_DIR=$(git rev-parse --show-toplevel) +. "$ROOT_DIR/tools/general.sh" + +function main() { + local prepare_tag="$1" + local repo="$2" + + local tag=${prepare_tag#prepare-} + local version=${tag#v} + + print_info "Creating Github release ... " + + gh release create "$tag" \ + --repo="$repo" \ + --title="rdf-protect: \`$version\`" \ + --generate-notes + + print_info "Successfully created release. All done." +} + +main "$@" From 87e281b387c7034c6a72ed459d8690a2030edda8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Tue, 9 Jul 2024 18:16:57 +0200 Subject: [PATCH 62/68] fix: typo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gabriel Nützi --- tools/release.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/release.sh b/tools/release.sh index c2a1e8c..9ce8dd4 100755 --- a/tools/release.sh +++ b/tools/release.sh @@ -74,7 +74,7 @@ function check_new_version() { fi if git tag --list "v*" | grep -qE "^v$new_version$"; then - die "Git tag '$tag' already exists locally." + die "Git tag 'v$new_version' already exists locally." fi # Get all remote versions. From 455702b5f97b5d2f07f2ee40d31e84c270fa3dc2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Tue, 9 Jul 2024 18:19:45 +0200 Subject: [PATCH 63/68] fix: dependencies MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gabriel Nützi --- .github/workflows/normal.yaml | 10 ++++++---- tools/ci/setup-git.sh | 1 + 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index afa81b4..394c824 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml 
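Review bot: `gh release create "$tag"` creates the tag on the default branch's current HEAD when no such tag exists on the remote, so if the deploy job's `Push Tag` step did not run, or the argument still carries a `refs/tags/` prefix as passed from the workflow, this script would publish a release for untested code under a freshly minted tag. Add `--verify-tag` so the command aborts unless the tag is already on the remote, and validate the argument up front: `[[ "$prepare_tag" == prepare-* ]] || die "Not a prepare tag: '$prepare_tag'."`. The header comment `# This script is sourced in each step.` is copied from `setup-git.sh` and is not true here (the workflow executes it); it matters because `set -e` in a sourced script would change the calling shell's behaviour, so drop or reword the comment.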
@@ -138,14 +138,14 @@ jobs: just nix-develop-ci just nix-image deploy: - runs-on: ubuntu-latest + if: ${{ inputs.is_release }} # TODO: uncomment this # needs: [format, lint, build, test] + + runs-on: ubuntu-latest container: image: ghcr.io/sdsc-ordes/rdf-protect:ci-nix-1.0.0 - if: ${{ inputs.is_release }} - permissions: contents: write packages: write @@ -190,8 +190,10 @@ jobs: just nix-develop-ci tools/ci/assert-tag.sh cleanup "$GITHUB_REF" release: - runs-on: ubuntu-latest if: ${{ inputs.is_release }} + needs: ["deploy"] + + runs-on: ubuntu-latest permissions: contents: write diff --git a/tools/ci/setup-git.sh b/tools/ci/setup-git.sh index 20f1f85..2b325c2 100755 --- a/tools/ci/setup-git.sh +++ b/tools/ci/setup-git.sh @@ -2,6 +2,7 @@ # shellcheck disable=SC1090,SC1091 # This script is sourced in each step. set -u +set -e git config --global safe.directory "*" || { echo "Could not overwrite safe.directory in Git config." >&2 From 791e37a198f8f73deeadb74b9e1ca8db7bfd37cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Tue, 9 Jul 2024 18:24:56 +0200 Subject: [PATCH 64/68] fix: checkout MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gabriel Nützi --- .github/workflows/normal.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index 394c824..4dffbb6 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml @@ -199,6 +199,11 @@ jobs: contents: write steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 1 + - name: Create Github Release env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 4bc9babee95989ee7c57e238c86b98367c8c8ca2 Mon Sep 17 00:00:00 2001 
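Review bot: `set -e` is added to a script whose header says `# This script is sourced in each step.`; if that is accurate, `set -e` now propagates into every sourcing shell and turns any non-zero command in the caller into an abort, and if it is not accurate the comment is misleading, so one of the two lines should change. The visible `git config --global safe.directory "*"` disables Git's repository-ownership check for every path; that is common in throwaway CI containers, but a comment explaining why it is needed (`# checkout is owned by a different uid than the job user inside the container`, if that is the case) keeps it from being copied into non-ephemeral environments.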
From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Tue, 9 Jul 2024 18:31:29 +0200 Subject: [PATCH 65/68] fix: make deploy depending on `test` only MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - No need to slow things down. Signed-off-by: Gabriel Nützi --- .github/workflows/normal.yaml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index 4dffbb6..aa968b8 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml @@ -33,6 +33,7 @@ on: jobs: format: + if: ${{ ! inputs.is_release }} runs-on: ubuntu-latest container: image: ghcr.io/sdsc-ordes/rdf-protect:ci-nix-1.0.0 @@ -52,6 +53,7 @@ jobs: just nix-develop-ci just format lint: + if: ${{ ! inputs.is_release }} runs-on: ubuntu-latest container: image: ghcr.io/sdsc-ordes/rdf-protect:ci-nix-1.0.0 @@ -71,6 +73,7 @@ jobs: just nix-develop-ci just lint build: + if: ${{ ! inputs.is_release }} runs-on: ubuntu-latest container: image: ghcr.io/sdsc-ordes/rdf-protect:ci-nix-1.0.0 @@ -88,9 +91,6 @@ jobs: - name: Build run: | just nix-develop-ci just build - - name: Tests - run: | - just nix-develop-ci just test test: runs-on: ubuntu-latest @@ -139,8 +139,7 @@ jobs: deploy: if: ${{ inputs.is_release }} - # TODO: uncomment this - # needs: [format, lint, build, test] + needs: [test] runs-on: ubuntu-latest container: From ae11d4c3d8377f719a8ed9d852a5a2f8a6e87f23 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Tue, 9 Jul 2024 18:34:33 +0200 Subject: [PATCH 66/68] fix: typo in release name MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gabriel Nützi --- tools/ci/create-github-release.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ci/create-github-release.sh b/tools/ci/create-github-release.sh index 877e1c9..dca3e4e 100755 --- a/tools/ci/create-github-release.sh 
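Review bot: With `if: ${{ ! inputs.is_release }}` on `format`, `lint` and `build`, and `deploy` depending on `test` only, a release run never executes the linter at all, so lint findings can no longer block a release even though they block every other push; the commit message frames this as a speed-up, but the lint job is the cheapest gate in this workflow. Keep at least `lint` in the release path: remove its `if:` line and use `needs: [lint, test]` on `deploy`. Dropping the separate `build` job on releases is defensible if `test` compiles the same code (presumably it does), and a comment stating that (`# build is implied by test; format/lint only gate non-release pushes`) would make the intent explicit.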
+++ b/tools/ci/create-github-release.sh @@ -11,7 +11,7 @@ function main() { local prepare_tag="$1" local repo="$2" - local tag=${prepare_tag#prepare-} + local tag=${prepare_tag#*prepare-} local version=${tag#v} print_info "Creating Github release ... " From 03e8734eb23e69ec59c68a213237277bcffa289d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Tue, 9 Jul 2024 18:35:59 +0200 Subject: [PATCH 67/68] fix: typo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gabriel Nützi --- .github/workflows/normal.yaml | 2 +- tools/ci/create-github-release.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml index aa968b8..152c0a0 100644 --- a/.github/workflows/normal.yaml +++ b/.github/workflows/normal.yaml @@ -208,5 +208,5 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | ./tools/ci/create-github-release.sh \ - "$GITHUB_REF" \ + "${GITHUB_REF#refs/tags/}" \ "$GITHUB_REPOSITORY" diff --git a/tools/ci/create-github-release.sh b/tools/ci/create-github-release.sh index dca3e4e..877e1c9 100755 --- a/tools/ci/create-github-release.sh +++ b/tools/ci/create-github-release.sh @@ -11,7 +11,7 @@ function main() { local prepare_tag="$1" local repo="$2" - local tag=${prepare_tag#*prepare-} + local tag=${prepare_tag#prepare-} local version=${tag#v} print_info "Creating Github release ... " From 29cff2b465ed579dabddc6f18cbd06946dfcfa68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?= Date: Wed, 10 Jul 2024 09:26:51 +0200 Subject: [PATCH 68/68] fix: typo in release name --- tools/ci/create-github-release.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ci/create-github-release.sh b/tools/ci/create-github-release.sh index 877e1c9..2e240d2 100755 --- a/tools/ci/create-github-release.sh +++ b/tools/ci/create-github-release.sh 
@@ -18,7 +18,7 @@ function main() { gh release create "$tag" \ --repo="$repo" \ - --title="rdf-protect: \`$version\`" \ + --title="rdf-protect: $version" \ --generate-notes print_info "Successfully created release. All done."