fix: Provisioner deployment (#617)

.changeset/provisioner-new-olives-switch-2.md

@@ -0,0 +1,5 @@
+---
+"provisioner": patch
+---
+
+fix: Update timeout of bunq2ynab to prevent 1password rate limit

.changeset/provisioner-new-olives-switch-3.md

@@ -0,0 +1,5 @@
+---
+"provisioner": patch
+---
+
+chore(deps): Update teleport to 14.2.3

.changeset/provisioner-new-olives-switch.md

@@ -0,0 +1,5 @@
+---
+"provisioner": patch
+---
+
+fix: Ensure nix-build is available inside GitHub actions

.changeset/rules_release-orange-masks-compare-2.md

@@ -0,0 +1,5 @@
+---
+"rules_release": patch
+---
+
+fix: Fix passing multiple arguments to generate-hashes and get-impacted-targets

.changeset/rules_release-orange-masks-compare-3.md

@@ -0,0 +1,5 @@
+---
+"rules_release": minor
+---
+
+feat: Enable passing `previous_revision_cmd` and `final_revision_cmd` to `bazel_diff_release`

.changeset/rules_release-orange-masks-compare-4.md

@@ -0,0 +1,5 @@
+---
+"rules_release": minor
+---
+
+feat: Add `release_changed_files` to enable releasing based on changed file paths inside of git

.changeset/rules_release-orange-masks-compare.md

@@ -0,0 +1,5 @@
+---
+"rules_release": minor
+---
+
+feat: Support changing git directories better by stashing and restoring the working directory

.changeset/rules_task-wet-numbers-explode.md

@@ -0,0 +1,5 @@
+---
+"rules_task": patch
+---
+
+build: Use `release_changed_files` instead of `bazel_diff_release` to detect changes for a release.

.github/actions/setup-bazel/action.yml

@@ -24,6 +24,11 @@ runs:
         OP_SERVICE_ACCOUNT_TOKEN: ${{ inputs.OP_SERVICE_ACCOUNT_TOKEN }}
         BUILDBUDDY_API_KEY: op://vgijssel-prod/buildbuddy-api-key/password
 
+    - name: Install nix package manager
+      uses: cachix/install-nix-action@v22
+      with:
+        nix_path: nixpkgs=channel:nixos-23.11
+
     - name: Create local.bazelrc file
       shell: bash
       run: |

.github/workflows/schedule.yml

@@ -1,12 +1,12 @@
 name: Schedule
 on:
   schedule:
-    - cron: "*/10 * * * *"
+    - cron: "0 * * * *"
 
 jobs:
   provisioner-validate:
     runs-on: ubuntu-latest
-    timeout-minutes: 9
+    timeout-minutes: 10
     concurrency: validate-provisioner
     steps:
       - name: Checkout repository

provisioner/deploys/bunq2ynab/files/docker-compose.yml.j2

@@ -8,8 +8,8 @@ services:
     environment:
       - OP_SERVICE_ACCOUNT_TOKEN={{ op_service_account_token }}
       - SETUP_ENV={{ setup_env }}
-      # sleeping for 15 minutes to prevent rate limiting
-      - TIMEOUT=900
+      # sleeping for 60 minutes to prevent rate limiting in 1Password, Bunq and YNAB
+      - TIMEOUT=3600
     deploy:
       resources:
         limits:

provisioner/deploys/teleport/tasks/install_teleport.py

@@ -5,7 +5,7 @@
 from provisioner.utils import wait_for_reconnect
 
 
-TELEPORT_VERSION = "v14.0.1"
+TELEPORT_VERSION = "v14.2.3"
 
 
 @deploy("Install Teleport")

rules/rules_release/BUILD.bazel

@@ -1,5 +1,5 @@
 load("@rules_task//task:defs.bzl", "cmd")
-load("//tools:defs.bzl", "publish_github_release", release = "bazel_diff_release")
+load("//tools:defs.bzl", "publish_github_release", release = "release_changed_files")
 load("@aspect_bazel_lib//lib:tar.bzl", "mtree_spec", "tar")
 load("@npm//:defs.bzl", "npm_link_all_packages")
 
@@ -137,13 +137,14 @@ publish_github_release(
 
 release(
     name = "release",
+    changed_file_paths = [
+        "rules/rules_release",
+    ],
     changelog_file = "CHANGELOG.md",
-    generate_hashes_extra_args = ["--fineGrainedHashExternalRepos=rules_release"],
     publish_cmds = [
         ":publish_github_release",
     ],
     release_name = "rules_release",
-    target = ":all_files",
     version_file = "version.txt",
     deps = [
         "@rules_task//:release",

rules/rules_release/tools/defs.bzl

@@ -1,7 +1,9 @@
 load("//tools/private:publish_github_release.bzl", _publish_github_release = "publish_github_release")
 load("//tools/private:publish_oci_image.bzl", _publish_oci_image = "publish_oci_image")
 load("//tools/private:bazel_diff_release.bzl", _bazel_diff_release = "bazel_diff_release")
+load("//tools/private:release_changed_files.bzl", _release_changed_files = "release_changed_files")
 
 publish_github_release = _publish_github_release
 bazel_diff_release = _bazel_diff_release
 publish_oci_image = _publish_oci_image
+release_changed_files = _release_changed_files

rules/rules_release/tools/lib/repositories/BazelDiffRepository.mjs

@@ -66,13 +66,35 @@ export default class BazelDiffRepository {
     const currentBranch =
       await $`git -C ${this.workspaceDir} rev-parse --abbrev-ref HEAD`;
 
+    let hasStashedChanges = false;
+
     try {
+      const stashResult =
+        await $`git -C ${this.workspaceDir} stash --include-untracked`;
+      hasStashedChanges =
+        stashResult.stdout.trim() !== "No local changes to save";
+
       await this._checkoutSha(sha);
-      await $`${this.bazelDiffPath} generate-hashes ${this.generateHashesExtraArgs} -w ${this.workspaceDir} -b ${bazelPath} ${hashesFile}`;
+
+      await $`${
+        this.bazelDiffPath
+      } generate-hashes ${this.generateHashesExtraArgs.split(" ")} -w ${
+        this.workspaceDir
+      } -b ${bazelPath} ${hashesFile}`;
+
       await this._checkoutSha(currentBranch);
+
+      if (hasStashedChanges) {
+        await $`git -C ${this.workspaceDir} stash pop`;
+      }
     } catch (error) {
       // make sure we checkout back to the current branch
       await this._checkoutSha(currentBranch);
+
+      // make sure we restore the stash
+      if (hasStashedChanges) {
+        await $`git -C ${this.workspaceDir} stash pop`;
+      }
       throw error;
     }
 
@@ -88,7 +110,11 @@ export default class BazelDiffRepository {
       return impactedTargetsPath;
     }
 
-    await $`${this.bazelDiffPath} get-impacted-targets ${this.getImpactedTargetsExtraArgs} -sh ${previousHashes} -fh ${currentHashes} -o ${impactedTargetsPath}`;
+    await $`${
+      this.bazelDiffPath
+    } get-impacted-targets ${this.getImpactedTargetsExtraArgs.split(
+      " "
+    )} -sh ${previousHashes} -fh ${currentHashes} -o ${impactedTargetsPath}`;
 
     return impactedTargetsPath;
   }

rules/rules_release/tools/private/bazel_diff_release.bzl

@@ -20,10 +20,10 @@ def _bazel_diff_release_impl(ctx):
     args = [bazel_diff_cli_path, "--bazel-diff-path", bazel_diff_path, "--previous-revision-cmd", previous_revision_path, "--final-revision-cmd", final_revision_path]
 
     if ctx.attr.generate_hashes_extra_args:
-        args += ["--generate-hashes-extra-args", " ".join(ctx.attr.generate_hashes_extra_args)]
+        args.append("--generate-hashes-extra-args \'" + " ".join(ctx.attr.generate_hashes_extra_args) + "\'")
 
     if ctx.attr.get_impacted_targets_extra_args:
-        args += ["--get-impacted-targets-extra-args", " ".join(ctx.attr.get_impacted_targets_extra_args)]
+        args.append("--get-impacted-targets-extra-args \'" + " ".join(ctx.attr.get_impacted_targets_extra_args) + "\'")
 
     args.append(_to_label_string(ctx.attr.target.label))
 
@@ -58,30 +58,36 @@ _bazel_diff_release = rule(
     executable = True,
 )
 
-def bazel_diff_release(**kwargs):
+def bazel_diff_release(previous_revision_cmd = None, final_revision_cmd = None, **kwargs):
     name = kwargs.get("name")
     change_cmd_name = "{}.change_cmd".format(name)
-    previous_revision_cmd_name = "{}.previous_revision_cmd".format(name)
-    final_revision_cmd_name = "{}.final_revision_cmd".format(name)
+    previous_revision_cmd_name = previous_revision_cmd
+    final_revision_cmd_name = final_revision_cmd
     target = kwargs.pop("target")
     generate_hashes_extra_args = kwargs.pop("generate_hashes_extra_args", [])
     get_impacted_targets_extra_args = kwargs.pop("get_impacted_targets_extra_args", [])
 
-    task(
-        name = previous_revision_cmd_name,
-        cmds = [
-            "git rev-parse master",
-        ],
-        cwd = "$BUILD_WORKSPACE_DIRECTORY",
-    )
-
-    task(
-        name = final_revision_cmd_name,
-        cmds = [
-            "git rev-parse HEAD",
-        ],
-        cwd = "$BUILD_WORKSPACE_DIRECTORY",
-    )
+    if not previous_revision_cmd_name:
+        previous_revision_cmd_name = "{}.previous_revision_cmd".format(name)
+
+        task(
+            name = previous_revision_cmd_name,
+            cmds = [
+                "git rev-parse master",
+            ],
+            cwd = "$BUILD_WORKSPACE_DIRECTORY",
+        )
+
+    if not final_revision_cmd_name:
+        final_revision_cmd_name = "{}.final_revision_cmd".format(name)
+
+        task(
+            name = final_revision_cmd_name,
+            cmds = [
+                "git rev-parse HEAD",
+            ],
+            cwd = "$BUILD_WORKSPACE_DIRECTORY",
+        )
 
     _bazel_diff_release(
         name = change_cmd_name,

rules/rules_release/tools/private/release_changed_files.bzl

@@ -0,0 +1,48 @@
+load("//release:defs.bzl", "release")
+load("@rules_task//task:defs.bzl", "cmd", "task")
+
+def release_changed_files(changed_file_paths, previous_revision_cmd = None, final_revision_cmd = None, **kwargs):
+    name = kwargs.get("name")
+    change_cmd_name = "{}.change_cmd".format(name)
+    previous_revision_cmd_name = previous_revision_cmd
+    final_revision_cmd_name = final_revision_cmd
+
+    if not previous_revision_cmd_name:
+        previous_revision_cmd_name = "{}.previous_revision_cmd".format(name)
+
+        task(
+            name = previous_revision_cmd_name,
+            cmds = [
+                "git rev-parse master",
+            ],
+            cwd = "$BUILD_WORKSPACE_DIRECTORY",
+        )
+
+    if not final_revision_cmd_name:
+        final_revision_cmd_name = "{}.final_revision_cmd".format(name)
+
+        task(
+            name = final_revision_cmd_name,
+            cmds = [
+                "git rev-parse HEAD",
+            ],
+            cwd = "$BUILD_WORKSPACE_DIRECTORY",
+        )
+
+    task(
+        name = change_cmd_name,
+        cmds = [
+            "export PREVIOUS_REVISION=$($PREVIOUS_REVISION_CMD)",
+            "export FINAL_REVISION=$($FINAL_REVISION_CMD)",
+            "export HAS_CHANGED=$(git diff --name-only $PREVIOUS_REVISION $FINAL_REVISION -- $CHANGED_FILES)",
+            'if [ -z "$HAS_CHANGED" ]; then echo "false"; else echo "true"; fi',
+        ],
+        cwd = "$BUILD_WORKSPACE_DIRECTORY",
+        env = {
+            "PREVIOUS_REVISION_CMD": cmd.executable(previous_revision_cmd_name),
+            "FINAL_REVISION_CMD": cmd.executable(final_revision_cmd_name),
+            "CHANGED_FILES": cmd.shell(*changed_file_paths),
+        },
+    )
+
+    release(change_cmd = change_cmd_name, **kwargs)

rules/rules_task/BUILD.bazel

@@ -1,4 +1,4 @@
-load("@rules_release//tools:defs.bzl", "publish_github_release", release = "bazel_diff_release")
+load("@rules_release//tools:defs.bzl", "publish_github_release", release = "release_changed_files")
 load("@aspect_bazel_lib//lib:tar.bzl", "mtree_spec", "tar")
 load("//task:defs.bzl", "cmd")
 load("//tools:defs.bzl", "compile_pip_requirements")
@@ -106,12 +106,13 @@ publish_github_release(
 
 release(
     name = "release",
+    changed_file_paths = [
+        "rules/rules_task",
+    ],
     changelog_file = "CHANGELOG.md",
-    generate_hashes_extra_args = ["--fineGrainedHashExternalRepos=rules_task"],
     publish_cmds = [
         ":publish_github_release",
     ],
     release_name = "rules_task",
-    target = ":all_files",
     version_file = "version.txt",
 )