From a618ebe06b6766a17fb8a455523074924c586df3 Mon Sep 17 00:00:00 2001
From: Gautier DI FOLCO
Date: Thu, 29 Aug 2024 20:27:47 +0200
Subject: [PATCH] refactoring: directly use cabal-audit
---
.github/workflows/ci.yml | 4 +-
action.yaml | 14 +-
app/Main.hs | 167 ------
cabal.project | 26 -
flake.lock | 741 ++++---------------- 
flake.nix | 484 +----------------
github-action-scan.cabal | 63 ---
nix/haskell.nix/modules/profiling.nix | 1 -
nix/haskell.nix/modules/static.nix | 74 ---
nix/haskell.nix/modules/weeder.nix | 83 ---
nix/nixpkgs/overlays/static.nix | 21 -
11 files changed, 112 insertions(+), 1566 deletions(-)
delete mode 100644 app/Main.hs
delete mode 100644 cabal.project
delete mode 100644 github-action-scan.cabal
delete mode 100644 nix/haskell.nix/modules/profiling.nix
delete mode 100644 nix/haskell.nix/modules/static.nix
delete mode 100644 nix/haskell.nix/modules/weeder.nix
delete mode 100644 nix/nixpkgs/overlays/static.nix
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 208c4a5..0ddca5b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -20,13 +20,11 @@ jobs:
extra_nix_config: |
system-features = nixos-test benchmark big-parallel kvm
- uses: DeterminateSystems/magic-nix-cache-action@main
- - run: nix build -L '.#packages.x86_64-linux."static-x86_64-unknown-linux-musl:github-action-scan:exe:github-action-scan"'
- - run: nix flake check
- name: Extract tag name
shell: bash
run: echo "tag=$(echo ${GITHUB_REF##*/})" >> $GITHUB_OUTPUT
id: extract_tag
- - run: nix build -L '.#packages.x86_64-linux.github-action-scan-image'
+ - run: nix build -L
- run: docker load -i result
- name: Log in to the Container registry
if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')
diff --git a/action.yaml b/action.yaml
index 293fa84..1a03f76 100644
--- a/action.yaml
+++ b/action.yaml
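Review bot: The replacement `- run: nix build -L` on the changed line builds the flake's default package, so `docker load -i result` on the next line now depends on that default being the image which the removed `.#packages.x86_64-linux.github-action-scan-image` line named explicitly; the outputs that define the default are outside this hunk, so that is worth confirming before merging. The same hunk also drops the `nix flake check` step together with the static-binary build, which removes the only check gate in this job; if the flake still exposes checks after the refactor, keep `- run: nix flake check` ahead of the build step. Keeping an explicit attribute path for the image output, rather than relying on the default, would also stop a later change to the default package from silently changing what gets loaded and pushed.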
@@ -25,30 +25,20 @@ outputs:
runs:
using: composite
steps:
- - name: Log in to the Container registry
- uses: docker/login-action@v3
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ inputs.token }}
- name: Extract
shell: bash
env:
CHECKOUT_PATH: ${{ inputs.checkout_path }}
run: |
cd "$CHECKOUT_PATH"
- export IMG=ghcr.io/blackheaven/haskell-security-action:master
- docker pull $IMG
- docker create --name dummy $IMG
- docker cp -L dummy:/bin/github-action-scan github-action-scan
- docker rm -f dummy
+ wget https://github.com/blackheaven/cabal-audit/releases/download/nightly/cabal-audit
- name: Run Haskell Security Action
shell: bash
env:
CHECKOUT_PATH: ${{ inputs.checkout_path }}
run: |
cd "$CHECKOUT_PATH"
- ./github-action-scan --sarif results.sarif
+ ./cabal-audit --sarif | tee results.sarif
cat results.sarif
- name: Upload SARIF file
id: upload-sarif
diff --git a/app/Main.hs b/app/Main.hs
deleted file mode 100644
index 1f73c6b..0000000
--- a/app/Main.hs
+++ /dev/null
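Review bot: The added `wget https://github.com/blackheaven/cabal-audit/releases/download/nightly/cabal-audit` fetches a mutable `nightly` asset and the next step executes it with no integrity check, so whatever sits behind that URL at run time is executed in every consumer's workflow against their `checkout_path`; the removed `docker pull` of the `:master` image had the same property, so this is not a regression, but it is the point at which to fix it. Pin the download to a tagged release and verify it before use, e.g. `wget -O cabal-audit "https://github.com/blackheaven/cabal-audit/releases/download/<RELEASE_TAG>/cabal-audit"` followed by `echo "<EXPECTED_SHA256>  cabal-audit" | sha256sum -c -` (placeholders to be filled from the release). Separately, wget does not set the executable bit, so `./cabal-audit --sarif` in the second step will fail with a permission error unless a `chmod +x cabal-audit` is added after the download (the `docker cp` it replaces copied the binary with its mode intact). The `| tee results.sarif` pipeline also writes everything cabal-audit prints to stdout into the SARIF file; if the tool ever emits progress or warnings on stdout the upload step receives invalid JSON, and this hunk does not show how cabal-audit separates those streams.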
@@ -1,167 +0,0 @@
-{-# LANGUAGE CPP #-}
-
-module Main (main) where
-
-import Control.Carrier.Lift (runM)
-import Control.Effect.Pretty (PrettyC, runPretty)
-import Control.Monad.Codensity (Codensity (Codensity))
-import Data.Aeson (encodeFile)
-import Data.Coerce
-import Data.Functor.Identity
-import qualified Data.Map.Strict as Map
-import Data.SARIF as Sarif
-import Data.Text (Text)
-import qualified Data.Text as T
-import Distribution.Audit (AuditConfig (..), buildAdvisories)
-import Distribution.Client.DistDirLayout (DistDirLayout (distProjectRootDirectory))
-import Distribution.Client.NixStyleOptions (defaultNixStyleFlags)
-import Distribution.Client.ProjectOrchestration
- ( CurrentCommand (OtherCommand),
- ProjectBaseContext (distDirLayout),
- commandLineFlagsToProjectConfig,
- establishProjectBaseContext,
- )
-import Distribution.Client.Setup (defaultGlobalFlags)
-import Distribution.Package (PackageName, unPackageName)
-import qualified Distribution.Verbosity as Verbosity
-import Options.Applicative
-import Security.Advisories
-import Security.Advisories.Cabal
-import Security.Advisories.SBom.Types (prettyVersion)
-import System.IO (stdout)
-import System.Process (readProcess)
-
-main :: IO ()
-main = do
- (auditConfig, cliOptions) <- customExecParser (prefs showHelpOnEmpty) $ do
- info (helper <*> ((,) <$> cliAuditParser <*> cliGithubContextParser)) $ do
- mconcat
- [ fullDesc,
- progDesc "audit your cabal projects for vulnerabilities and generate a sarif file",
- header "Welcome to github-action-scan"
- ]
- getAdvisories auditConfig >>= uncurry (sendAdvisories cliOptions)
-
-newtype CliOptions = CliOptions
- { sarifOutputPath :: FilePath
- }
-
-cliAuditParser :: Parser AuditConfig
-cliAuditParser =
- MkAuditConfig
- <$> ( ( Left
- <$> strOption
- ( mconcat
- [ long "advisories-file-path",
- metavar "FILEPATH",
- help "the path to the repository containing an advisories directory"
- ]
- )
- )
- <|> ( Right
- <$> strOption
- ( mconcat
- [ long "advisories-repository",
- metavar "REPOSITORY",
- help "the url to the repository containing an advisories directory",
- value "https://github.com/haskell/security-advisories"
- ]
- )
- )
- )
- <*> pure Verbosity.normal
- <*> pure (error "outputFormat cannot be constructed, and it was working, it was not used")
- <*> pure (Codensity $ \k -> k stdout)
- <*> pure False
- <*> pure False
-
-cliGithubContextParser :: Parser CliOptions
-cliGithubContextParser =
- CliOptions
- <$> strOption
- ( long "sarif"
- <> metavar "FILE"
- <> help "Sarif output file path"
- <> value "results.sarif"
- )
-
-getAdvisories :: AuditConfig -> IO (FilePath, [(PackageName, ElaboratedPackageInfoAdvised)])
-getAdvisories auditConfig = do
- let nixStyleFlags = defaultNixStyleFlags ()
- interpretPretty :: forall m a. PrettyC [Text] m a -> m a
- interpretPretty = runPretty (const id)
- projectConfig = commandLineFlagsToProjectConfig defaultGlobalFlags nixStyleFlags mempty
-
- advisories <- runM $ interpretPretty $ Map.toList <$> buildAdvisories auditConfig nixStyleFlags
- projectBaseContext <- establishProjectBaseContext Verbosity.normal projectConfig OtherCommand
-
- return (distProjectRootDirectory $ distDirLayout projectBaseContext, advisories)
-
-sendAdvisories :: CliOptions -> FilePath -> [(PackageName, ElaboratedPackageInfoAdvised)] -> IO ()
-sendAdvisories cliOptions projectRoot packageAdvisories = do
- ghcVersion <- T.pack <$> readProcess "ghc" ["--version"] ""
- let advisories =
- Map.elems $
- Map.fromListWith (\(advisory, pkgsInfo) (_, pkgsInfo') -> (advisory, pkgsInfo <> pkgsInfo')) $
- flip concatMap packageAdvisories $ \(pkgName, pkgInfo) ->
- flip map (runIdentity pkgInfo.packageAdvisories) $ \(advisory, fixedAt) ->
- (advisory.advisoryId, (advisory, [(pkgName, fixedAt)]))
- run =
- MkRun
- { runTool =
- let tool name version =
- defaultToolComponent
- { toolComponentName = Just name,
- toolComponentVersion = Just version
- }
- in MkTool
- { toolExtensions =
- [ tool "cabal-audit" VERSION_cabal_audit,
- tool "hsec-tools" VERSION_hsec_tools,
- tool "ghc" ghcVersion
- ],
- toolDriver = tool "github-action-scan" VERSION_github_action_scan
- },
- runResults =
- flip map advisories $ \(advisory, concernedInfo) ->
- MkResult
- { resultRuleId = T.pack $ printHsecId advisory.advisoryId,
- resultMessage =
- defaultMultiformatMessageString $
- let hsecId = T.pack (printHsecId advisory.advisoryId)
- in T.intercalate "\n" $
- concat
- [ [hsecId <> " \"" <> advisory.advisorySummary <> "\""],
- ["published: " <> T.pack (show advisory.advisoryPublished)],
- ["https://haskell.github.io/security-advisories/advisory/" <> hsecId],
- ["Concerned package:"],
- flip map concernedInfo $ \(pkgName, fixedAt) ->
- "* "
- <> T.pack (unPackageName pkgName)
- <> ": "
- <> case fixedAt of
- Nothing -> "No fix version available"
- Just fv -> "Fix available since version " <> prettyVersion fv,
- [T.intercalate ", " (coerce advisory.advisoryKeywords)]
- ],
- resultLocations =
- [ -- TODO cabal files/lock?
- MkLocation $
- Just $
- MkPhysicalLocation
- { physicalLocationArtifactLocation = MkArtifactLocation $ T.pack ("file:///" <> projectRoot),
- physicalLocationRegion = MkRegion 1 1 2 2
- }
- ],
- resultLevel = Just Sarif.Error
- },
- runArtifacts =
- [ -- TODO cabal files/lock?
- MkArtifact
- { artifactLocation = MkArtifactLocation $ T.pack ("file:///" <> projectRoot),
- artifactMimeType = Nothing
- }
- ]
- }
- putStrLn $ "Results written at: " <> cliOptions.sarifOutputPath
- encodeFile cliOptions.sarifOutputPath defaultLog {logRuns = [run]}
diff --git a/cabal.project b/cabal.project
deleted file mode 100644
index acbcaaa..0000000
--- a/cabal.project
+++ /dev/null
@@ -1,26 +0,0 @@
-packages: *.cabal
-
-package github-action-scan
-
-with-compiler: ghc-9.6.5
-index-state: 2024-07-28T00:00:00Z
-
-source-repository-package
- type: git
- location: https://github.com/MangoIV/cabal-audit.git
- tag: de80acddb176e150b9f375ead987b32d803aa430
-
---source-repository-package
--- type: git
--- location: https://github.com/haskell/tar.git
--- tag: 29ac5b50fdcd7ece25cacab42cefb38695994ef2
-
-source-repository-package
- type: git
- location: https://github.com/haskell/security-advisories.git
- tag: d09058a544bf45cc0814ed9b300cd940bc263617
- subdir: code/cvss
- code/hsec-core
- code/hsec-sync
- code/hsec-tools
- code/osv
diff --git a/flake.lock b/flake.lock
index 2f5cf8d..b203786 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,80 +1,19 @@ { "nodes": { - "HTTP": { - "flake": false, - "locked": { - "lastModified": 1451647621, - "narHash": "sha256-oHIyw3x0iKBexEo49YeUDV1k74ZtyYKGR2gNJXXRxts=", - "owner": "phadej", - "repo": "HTTP", - "rev": "9bc0996d412fef1787449d841277ef663ad9a915", - "type": "github" - }, - "original": { - "owner": "phadej", - "repo": "HTTP", - "type": "github" - } - }, - "cabal-32": { - "flake": false, - "locked": { - "lastModified": 1603716527, - "narHash": "sha256-X0TFfdD4KZpwl0Zr6x+PLxUt/VyKQfX7ylXHdmZIL+w=", - "owner": "haskell", - "repo": "cabal", - "rev": "48bf10787e27364730dd37a42b603cee8d6af7ee", - "type": "github" - }, - "original": { - "owner": "haskell", - "ref": "3.2", - "repo": "cabal", - "type": "github" - } - }, - "cabal-34": { - "flake": false, - "locked": { - "lastModified": 1645834128, - "narHash": "sha256-wG3d+dOt14z8+ydz4SL7pwGfe7SiimxcD/LOuPCV6xM=", - "owner": "haskell", - "repo": "cabal", - "rev": "5ff598c67f53f7c4f48e31d722ba37172230c462", - "type": "github" - }, - "original": { - "owner": "haskell", - "ref": "3.4", - "repo": "cabal", - "type": "github" - } - }, - "cabal-36": { - "flake": false, - "locked": { - "lastModified": 1669081697, - "narHash": "sha256-I5or+V7LZvMxfbYgZATU4awzkicBwwok4mVoje+sGmU=", - "owner": "haskell", - "repo": "cabal", - "rev": "8fd619e33d34924a94e691c5fea2c42f0fc7f144", - "type": "github" - }, - "original": { - "owner": "haskell", - "ref": "3.6", - "repo": "cabal", - "type": "github" - } - }, "cabal-audit": { - "flake": false, + "inputs": { + "devshell": "devshell", + "nixpkgs": "nixpkgs_2", + "parts": "parts", + "pre-commit-hooks": "pre-commit-hooks", + "security-advisories": "security-advisories" + }, "locked": { - "lastModified": 1722099396, - "narHash": "sha256-CY/fCCXEKg7u/g9VnHelaCjYzsD8QpCPpOOmZ0Mjczw=", - "owner": "mangoiv", + "lastModified": 1724600354, + "narHash": "sha256-/AOrHX+Y5J23khdijE1zl+YkymYaIIFBbbplTPTACrA=", + "owner": "blackheaven", "repo": "cabal-audit", - "rev": 
"de80acddb176e150b9f375ead987b32d803aa430", + "rev": "33d3028f5f8ce0d85d6e6f98ca8b71bc0329c38c", "type": "github" }, "original": { @@ -83,19 +22,21 @@ "type": "github" } }, - "cardano-shell": { - "flake": false, + "devshell": { + "inputs": { + "nixpkgs": "nixpkgs" + }, "locked": { - "lastModified": 1608537748, - "narHash": "sha256-PulY1GfiMgKVnBci3ex4ptk2UNYMXqGjJOxcPy2KYT4=", - "owner": "input-output-hk", - "repo": "cardano-shell", - "rev": "9392c75087cb9a3d453998f4230930dea3a95725", + "lastModified": 1722113426, + "narHash": "sha256-Yo/3loq572A8Su6aY5GP56knpuKYRvM2a1meP9oJZCw=", + "owner": "numtide", + "repo": "devshell", + "rev": "67cce7359e4cd3c45296fb4aaf6a19e2a9c757ae", "type": "github" }, "original": { - "owner": "input-output-hk", - "repo": "cardano-shell", + "owner": "numtide", + "repo": "devshell", "type": "github" } }, @@ -115,33 +56,16 @@ "type": "github" } }, - "flake-compat_2": { - "flake": false, - "locked": { - "lastModified": 1672831974, - "narHash": "sha256-z9k3MfslLjWQfnjBtEtJZdq3H7kyi2kQtUThfTgdRk0=", - "owner": "input-output-hk", - "repo": "flake-compat", - "rev": "45f2638735f8cdc40fe302742b79f248d23eb368", - "type": "github" - }, - "original": { - "owner": "input-output-hk", - "ref": "hkm/gitlab-fix", - "repo": "flake-compat", - "type": "github" - } - }, "flake-utils": { "inputs": { "systems": "systems" }, "locked": { - "lastModified": 1709126324, - "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=", + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "d465f4819400de7c8d874d50b982301f28a84605", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "type": "github" }, "original": { 
@@ -150,50 +74,11 @@ "type": "github" } }, - "ghc-8.6.5-iohk": { - "flake": false, - "locked": { - "lastModified": 1600920045, - "narHash": "sha256-DO6kxJz248djebZLpSzTGD6s8WRpNI9BTwUeOf5RwY8=", - "owner": "input-output-hk", - "repo": "ghc", - "rev": "95713a6ecce4551240da7c96b6176f980af75cae", - "type": "github" - }, - "original": { - "owner": "input-output-hk", - "ref": "release/8.6.5-iohk", - "repo": "ghc", - "type": "github" - } - }, - "git-hooks": { - "inputs": { - "flake-compat": "flake-compat", - "gitignore": "gitignore", - "nixpkgs": [ - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" - }, - "locked": { - "lastModified": 1721042469, - "narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=", - "owner": "cachix", - "repo": "git-hooks.nix", - "rev": "f451c19376071a90d8c58ab1a953c6e9840527fd", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "git-hooks.nix", - "type": "github" - } - }, "gitignore": { "inputs": { "nixpkgs": [ - "git-hooks", + "cabal-audit", + "pre-commit-hooks", "nixpkgs" ] }, 
@@ -211,573 +96,134 @@ "type": "github" } }, - "hackage": { - "flake": false, - "locked": { - "lastModified": 1722126512, - "narHash": "sha256-CxiOA9zsKWwy6rm9deBSwtOn8FKajOIvPesv9YgyDKI=", - "owner": "input-output-hk", - "repo": "hackage.nix", - "rev": "978f446ca0e4134041a4bdb36f6d22c297b8bc02", - "type": "github" - }, - "original": { - "owner": "input-output-hk", - "repo": "hackage.nix", - "type": "github" - } - }, - "haskell-nix": { - "inputs": { - "HTTP": "HTTP", - "cabal-32": "cabal-32", - "cabal-34": "cabal-34", - "cabal-36": "cabal-36", - "cardano-shell": "cardano-shell", - "flake-compat": "flake-compat_2", - "ghc-8.6.5-iohk": "ghc-8.6.5-iohk", - "hackage": "hackage", - "hls-1.10": "hls-1.10", - "hls-2.0": "hls-2.0", - "hls-2.2": "hls-2.2", - "hls-2.3": "hls-2.3", - "hls-2.4": "hls-2.4", - "hls-2.5": "hls-2.5", - "hls-2.6": "hls-2.6", - "hls-2.7": "hls-2.7", - "hls-2.8": "hls-2.8", - "hls-2.9": "hls-2.9", - "hpc-coveralls": "hpc-coveralls", - "hydra": "hydra", - "iserv-proxy": "iserv-proxy", - "nixpkgs": [ - "nixpkgs" - ], - "nixpkgs-2003": "nixpkgs-2003", - "nixpkgs-2105": "nixpkgs-2105", - "nixpkgs-2111": "nixpkgs-2111", - "nixpkgs-2205": "nixpkgs-2205", - "nixpkgs-2211": "nixpkgs-2211", - "nixpkgs-2305": "nixpkgs-2305", - "nixpkgs-2311": "nixpkgs-2311", - "nixpkgs-2405": "nixpkgs-2405", - "nixpkgs-unstable": "nixpkgs-unstable", - "old-ghc-nix": "old-ghc-nix", - "stackage": "stackage" - }, - "locked": { - "lastModified": 1722127854, - "narHash": "sha256-Qf6mCqZfYvwzi/JpJjf/9BXyGL6br8j9dHYQXA3Jx28=", - "owner": "input-output-hk", - "repo": "haskell.nix", - "rev": "2b63e7aa377082cb2923d39bfa7f6eb779e455cf", - "type": "github" - }, - "original": { - "owner": "input-output-hk", - "repo": "haskell.nix", - "type": "github" - } - }, - "haskell-security-advisories": { - "flake": false, - "locked": { - "lastModified": 1721365987, - "narHash": "sha256-F2Jk2T01fy9+IeTMoW9TGFUUzSmHokq5w4hbcMVHRhY=", - "owner": "haskell", - "repo": "security-advisories", - "rev": 
"d09058a544bf45cc0814ed9b300cd940bc263617", - "type": "github" - }, - "original": { - "owner": "haskell", - "repo": "security-advisories", - "type": "github" - } - }, - "hls-1.10": { - "flake": false, - "locked": { - "lastModified": 1680000865, - "narHash": "sha256-rc7iiUAcrHxwRM/s0ErEsSPxOR3u8t7DvFeWlMycWgo=", - "owner": "haskell", - "repo": "haskell-language-server", - "rev": "b08691db779f7a35ff322b71e72a12f6e3376fd9", - "type": "github" - }, - "original": { - "owner": "haskell", - "ref": "1.10.0.0", - "repo": "haskell-language-server", - "type": "github" - } - }, - "hls-2.0": { - "flake": false, - "locked": { - "lastModified": 1687698105, - "narHash": "sha256-OHXlgRzs/kuJH8q7Sxh507H+0Rb8b7VOiPAjcY9sM1k=", - "owner": "haskell", - "repo": "haskell-language-server", - "rev": "783905f211ac63edf982dd1889c671653327e441", - "type": "github" - }, - "original": { - "owner": "haskell", - "ref": "2.0.0.1", - "repo": "haskell-language-server", - "type": "github" - } - }, - "hls-2.2": { - "flake": false, - "locked": { - "lastModified": 1693064058, - "narHash": "sha256-8DGIyz5GjuCFmohY6Fa79hHA/p1iIqubfJUTGQElbNk=", - "owner": "haskell", - "repo": "haskell-language-server", - "rev": "b30f4b6cf5822f3112c35d14a0cba51f3fe23b85", - "type": "github" - }, - "original": { - "owner": "haskell", - "ref": "2.2.0.0", - "repo": "haskell-language-server", - "type": "github" - } - }, - "hls-2.3": { - "flake": false, - "locked": { - "lastModified": 1695910642, - "narHash": "sha256-tR58doOs3DncFehHwCLczJgntyG/zlsSd7DgDgMPOkI=", - "owner": "haskell", - "repo": "haskell-language-server", - "rev": "458ccdb55c9ea22cd5d13ec3051aaefb295321be", - "type": "github" - }, - "original": { - "owner": "haskell", - "ref": "2.3.0.0", - "repo": "haskell-language-server", - "type": "github" - } - }, - "hls-2.4": { - "flake": false, - "locked": { - "lastModified": 1699862708, - "narHash": "sha256-YHXSkdz53zd0fYGIYOgLt6HrA0eaRJi9mXVqDgmvrjk=", - "owner": "haskell", - "repo": "haskell-language-server", - "rev": 
"54507ef7e85fa8e9d0eb9a669832a3287ffccd57", - "type": "github" - }, - "original": { - "owner": "haskell", - "ref": "2.4.0.1", - "repo": "haskell-language-server", - "type": "github" - } - }, - "hls-2.5": { - "flake": false, - "locked": { - "lastModified": 1701080174, - "narHash": "sha256-fyiR9TaHGJIIR0UmcCb73Xv9TJq3ht2ioxQ2mT7kVdc=", - "owner": "haskell", - "repo": "haskell-language-server", - "rev": "27f8c3d3892e38edaef5bea3870161815c4d014c", - "type": "github" - }, - "original": { - "owner": "haskell", - "ref": "2.5.0.0", - "repo": "haskell-language-server", - "type": "github" - } - }, - "hls-2.6": { - "flake": false, - "locked": { - "lastModified": 1705325287, - "narHash": "sha256-+P87oLdlPyMw8Mgoul7HMWdEvWP/fNlo8jyNtwME8E8=", - "owner": "haskell", - "repo": "haskell-language-server", - "rev": "6e0b342fa0327e628610f2711f8c3e4eaaa08b1e", - "type": "github" - }, - "original": { - "owner": "haskell", - "ref": "2.6.0.0", - "repo": "haskell-language-server", - "type": "github" - } - }, - "hls-2.7": { - "flake": false, - "locked": { - "lastModified": 1708965829, - "narHash": "sha256-LfJ+TBcBFq/XKoiNI7pc4VoHg4WmuzsFxYJ3Fu+Jf+M=", - "owner": "haskell", - "repo": "haskell-language-server", - "rev": "50322b0a4aefb27adc5ec42f5055aaa8f8e38001", - "type": "github" - }, - "original": { - "owner": "haskell", - "ref": "2.7.0.0", - "repo": "haskell-language-server", - "type": "github" - } - }, - "hls-2.8": { - "flake": false, - "locked": { - "lastModified": 1715153580, - "narHash": "sha256-Vi/iUt2pWyUJlo9VrYgTcbRviWE0cFO6rmGi9rmALw0=", - "owner": "haskell", - "repo": "haskell-language-server", - "rev": "dd1be1beb16700de59e0d6801957290bcf956a0a", - "type": "github" - }, - "original": { - "owner": "haskell", - "ref": "2.8.0.0", - "repo": "haskell-language-server", - "type": "github" - } - }, - "hls-2.9": { - "flake": false, - "locked": { - "lastModified": 1718469202, - "narHash": "sha256-THXSz+iwB1yQQsr/PY151+2GvtoJnTIB2pIQ4OzfjD4=", - "owner": "haskell", - "repo": 
"haskell-language-server", - "rev": "40891bccb235ebacce020b598b083eab9dda80f1", - "type": "github" - }, - "original": { - "owner": "haskell", - "ref": "2.9.0.0", - "repo": "haskell-language-server", - "type": "github" - } - }, - "hpc-coveralls": { - "flake": false, - "locked": { - "lastModified": 1607498076, - "narHash": "sha256-8uqsEtivphgZWYeUo5RDUhp6bO9j2vaaProQxHBltQk=", - "owner": "sevanspowell", - "repo": "hpc-coveralls", - "rev": "14df0f7d229f4cd2e79f8eabb1a740097fdfa430", - "type": "github" - }, - "original": { - "owner": "sevanspowell", - "repo": "hpc-coveralls", - "type": "github" - } - }, - "hydra": { - "inputs": { - "nix": "nix", - "nixpkgs": [ - "haskell-nix", - "hydra", - "nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1671755331, - "narHash": "sha256-hXsgJj0Cy0ZiCiYdW2OdBz5WmFyOMKuw4zyxKpgUKm4=", - "owner": "NixOS", - "repo": "hydra", - "rev": "f48f00ee6d5727ae3e488cbf9ce157460853fea8", - "type": "github" - }, - "original": { - "id": "hydra", - "type": "indirect" - } - }, - "iserv-proxy": { - "flake": false, - "locked": { - "lastModified": 1717479972, - "narHash": "sha256-7vE3RQycHI1YT9LHJ1/fUaeln2vIpYm6Mmn8FTpYeVo=", - "owner": "stable-haskell", - "repo": "iserv-proxy", - "rev": "2ed34002247213fc435d0062350b91bab920626e", - "type": "github" - }, - "original": { - "owner": "stable-haskell", - "ref": "iserv-syms", - "repo": "iserv-proxy", - "type": "github" - } - }, - "lowdown-src": { - "flake": false, - "locked": { - "lastModified": 1633514407, - "narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=", - "owner": "kristapsdz", - "repo": "lowdown", - "rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8", - "type": "github" - }, - "original": { - "owner": "kristapsdz", - "repo": "lowdown", - "type": "github" - } - }, - "nix": { - "inputs": { - "lowdown-src": "lowdown-src", - "nixpkgs": "nixpkgs", - "nixpkgs-regression": "nixpkgs-regression" - }, - "locked": { - "lastModified": 1661606874, - "narHash": 
"sha256-9+rpYzI+SmxJn+EbYxjGv68Ucp22bdFUSy/4LkHkkDQ=", - "owner": "NixOS", - "repo": "nix", - "rev": "11e45768b34fdafdcf019ddbd337afa16127ff0f", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "2.11.0", - "repo": "nix", - "type": "github" - } - }, "nixpkgs": { "locked": { - "lastModified": 1657693803, - "narHash": "sha256-G++2CJ9u0E7NNTAi9n5G8TdDmGJXcIjkJ3NF8cetQB8=", + "lastModified": 1722073938, + "narHash": "sha256-OpX0StkL8vpXyWOGUD6G+MA26wAXK6SpT94kLJXo6B4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "365e1b3a859281cf11b94f87231adeabbdd878a2", + "rev": "e36e9f57337d0ff0cf77aceb58af4c805472bfae", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-22.05-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-2003": { - "locked": { - "lastModified": 1620055814, - "narHash": "sha256-8LEHoYSJiL901bTMVatq+rf8y7QtWuZhwwpKE2fyaRY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "1db42b7fe3878f3f5f7a4f2dc210772fd080e205", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-20.03-darwin", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-2105": { - "locked": { - "lastModified": 1659914493, - "narHash": "sha256-lkA5X3VNMKirvA+SUzvEhfA7XquWLci+CGi505YFAIs=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "022caabb5f2265ad4006c1fa5b1ebe69fb0c3faf", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-21.05-darwin", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-2111": { - "locked": { - "lastModified": 1659446231, - "narHash": "sha256-hekabNdTdgR/iLsgce5TGWmfIDZ86qjPhxDg/8TlzhE=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "eabc38219184cc3e04a974fe31857d8e0eac098d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-21.11-darwin", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-2205": { - "locked": { - "lastModified": 1685573264, - "narHash": "sha256-Zffu01pONhs/pqH07cjlF10NnMDLok8ix5Uk4rhOnZQ=", 
- "owner": "NixOS", - "repo": "nixpkgs", - "rev": "380be19fbd2d9079f677978361792cb25e8a3635", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-22.05-darwin", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs-2211": { + "nixpkgs-lib": { "locked": { - "lastModified": 1688392541, - "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b", - "type": "github" + "lastModified": 1722555339, + "narHash": "sha256-uFf2QeW7eAHlYXuDktm9c25OxOyCoUOQmh5SZ9amE5Q=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz" }, "original": { - "owner": "NixOS", - "ref": "nixpkgs-22.11-darwin", - "repo": "nixpkgs", - "type": "github" + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz" } }, - "nixpkgs-2305": { + "nixpkgs-stable": { "locked": { - "lastModified": 1705033721, - "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=", + "lastModified": 1720386169, + "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea", + "rev": "194846768975b7ad2c4988bdb82572c00222c0d7", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixpkgs-23.05-darwin", + "ref": "nixos-24.05", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs-2311": { + "nixpkgs_2": { "locked": { - "lastModified": 1719957072, - "narHash": "sha256-gvFhEf5nszouwLAkT9nWsDzocUTqLWHuL++dvNjMp9I=", - "owner": "NixOS", + "lastModified": 1724748588, + "narHash": "sha256-NlpGA4+AIf1dKNq76ps90rxowlFXUsV9x7vK/mN37JM=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "7144d6241f02d171d25fba3edeaf15e0f2592105", + "rev": "a6292e34000dc93d43bccf78338770c1c5ec8a99", "type": "github" }, "original": { - "owner": "NixOS", - "ref": 
"nixpkgs-23.11-darwin", + "owner": "nixos", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs-2405": { + "nixpkgs_3": { "locked": { - "lastModified": 1720122915, - "narHash": "sha256-Nby8WWxj0elBu1xuRaUcRjPi/rU3xVbkAt2kj4QwX2U=", + "lastModified": 1719082008, + "narHash": "sha256-jHJSUH619zBQ6WdC21fFAlDxHErKVDJ5fpN0Hgx4sjs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "835cf2d3f37989c5db6585a28de967a667a75fb1", + "rev": "9693852a2070b398ee123a329e68f0dab5526681", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixpkgs-24.05-darwin", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs-regression": { + "nixpkgs_4": { "locked": { - "lastModified": 1643052045, - "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=", + "lastModified": 1724819573, + "narHash": "sha256-GnR7/ibgIH1vhoy8cYdmXE6iyZqKqFxQSVkFgosBh6w=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", + "rev": "71e91c409d1e654808b2621f28a327acfdad8dc2", "type": "github" }, "original": { "owner": "NixOS", + "ref": "nixos-unstable", "repo": "nixpkgs", - "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", "type": "github" } }, - "nixpkgs-stable": { - "locked": { - "lastModified": 1720386169, - "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "194846768975b7ad2c4988bdb82572c00222c0d7", - "type": "github" + "parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { "locked": { - "lastModified": 1720181791, - "narHash": "sha256-i4vJL12/AdyuQuviMMd1Hk2tsGt02hDNhA0Zj1m16N8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "4284c2b73c8bce4b46a6adf23e16d9e2ec8da4bb", + "lastModified": 1722555600, + "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", + "owner": "hercules-ci", + 
"repo": "flake-parts", + "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", "type": "github" }, "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", + "owner": "hercules-ci", + "repo": "flake-parts", "type": "github" } }, - "nixpkgs_2": { - "locked": { - "lastModified": 1719956923, - "narHash": "sha256-nNJHJ9kfPdzYsCOlHOnbiiyKjZUW5sWbwx3cakg3/C4=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "706eef542dec88cc0ed25b9075d3037564b2d164", - "type": "github" + "pre-commit-hooks": { + "inputs": { + "flake-compat": "flake-compat", + "gitignore": "gitignore", + "nixpkgs": "nixpkgs_3", + "nixpkgs-stable": "nixpkgs-stable" }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, - "old-ghc-nix": { - "flake": false, "locked": { - "lastModified": 1631092763, - "narHash": "sha256-sIKgO+z7tj4lw3u6oBZxqIhDrzSkvpHtv0Kki+lh9Fg=", - "owner": "angerman", - "repo": "old-ghc-nix", - "rev": "af48a7a7353e418119b6dfe3cd1463a657f342b8", + "lastModified": 1724857454, + "narHash": "sha256-Qyl9Q4QMTLZnnBb/8OuQ9LSkzWjBU1T5l5zIzTxkkhk=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "4509ca64f1084e73bc7a721b20c669a8d4c5ebe6", "type": "github" }, "original": { - "owner": "angerman", - "ref": "master", - "repo": "old-ghc-nix", + "owner": "cachix", + "repo": "git-hooks.nix", "type": "github" } }, 
@@ -785,25 +231,22 @@ "inputs": { "cabal-audit": "cabal-audit", "flake-utils": "flake-utils", - "git-hooks": "git-hooks", - "haskell-nix": "haskell-nix", - "haskell-security-advisories": "haskell-security-advisories", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_4" } }, - "stackage": { + "security-advisories": { "flake": false, "locked": { - "lastModified": 1722125614, - "narHash": "sha256-UNTs/1ac0ZTIKfNNY6g1ygKbtfOE66AqkLwy6prgVCs=", - "owner": "input-output-hk", - "repo": "stackage.nix", - "rev": "47a37eea53b663e66dca6222fff1859794c0f9a0", + "lastModified": 1724670803, + "narHash": "sha256-4lJg5E5lOehYjBoo3JOOE95vE2+f7asA/I9Xs4jK6Cg=", + "owner": "haskell", + "repo": "security-advisories", + "rev": "add617d5026bd31cad2bdbe8259b5f67381db246", "type": "github" }, "original": { - "owner": "input-output-hk", - "repo": "stackage.nix", + "owner": "haskell", + "repo": "security-advisories", "type": "github" } }, diff --git a/flake.nix b/flake.nix index 48f3a6e..e1cca5b 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,51 +1,13 @@
# SPDX-FileCopyrightText: (C) Gautier DI FOLCO
-# SPDX-License-Identifier: CC0-1.0
+# SPDX-License-Identifier: ISC
{
description = "A Nix Flake for haskell-security-action";
- # To use this Nix flake you may need to enable Nix flake support for your user with:
- # echo >>~/.config/nix/nix.conf "experimental-features = nix-command flakes"
- # WARNING: be sure that `nix --version` is greater or equal to 2.18,
- # otherwise nix may not support some attributes used in flake.lock.
-
- # For any input, one can:
- # Update to the latest commit:
- # nix flake lock --update-input nixpkgs
- # Or to a specific commit (eg. a green one on https://status.nixos.org):
- # nix flake lock --override-input nixpkgs github:NixOS/nixpkgs/72da83d9515b43550436891f538ff41d68eecc7f
- # Or to a commit (in /etc/nix/registry.json) of a NixOS host:
- # nix flake lock --override-input nixpkgs flake:nixpkgs
inputs = {
- haskell-nix.url = "github:input-output-hk/haskell.nix";
-
- # For trying to hit cache.iog.io one would have
- # to follow haskell.nix's nixpkgs pinned version,
- # but it may be a few months old, so pin it here instead.
- #nixpkgs.follows = "haskell-nix/nixpkgs";
- nixpkgs.url = "flake:nixpkgs";
- haskell-nix.inputs.nixpkgs.follows = "nixpkgs";
-
- # Convenient Nix Flake utilities, like flake-utils.lib.eachSystem.
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
flake-utils.url = "github:numtide/flake-utils";
-
- # Git pre-commit hooks.
- git-hooks.url = "github:cachix/git-hooks.nix";
- git-hooks.inputs.nixpkgs.follows = "nixpkgs";
-
- cabal-audit = {
- url = "github:mangoiv/cabal-audit";
- flake = false;
- };
- haskell-security-advisories = {
- url = "github:haskell/security-advisories?submodules=1";
- flake = false;
- };
+ cabal-audit.url = "github:mangoiv/cabal-audit";
};
- # For printing the available outputs:
- # $ nix -L flake show --allow-import-from-derivation
- # Note that multiple-systems are enabled hence it can only work
- # without IFD because of https://github.com/NixOS/nix/issues/4265,
- # ie. with a non-null materialized=
outputs = { self, ... }@inputs:
let
supportedSystems = with inputs.flake-utils.lib.system;
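Review bot: The new `cabal-audit.url = "github:mangoiv/cabal-audit";` does not agree with the rest of this commit: the flake.lock node for `cabal-audit` now records `"owner": "blackheaven"` at rev `33d3028f5f8ce0d85d6e6f98ca8b71bc0329c38c`, which normally means the lock was generated from an input pointing at that fork, and action.yaml downloads the binary from `blackheaven/cabal-audit` as well, so the flake input and the two other references name different repositories. If the fork is the intended source, point the input at it (`cabal-audit.url = "github:blackheaven/cabal-audit";`) and regenerate the lock with `nix flake lock --update-input cabal-audit` so the locked owner matches the declared one; if upstream is intended, the lock should be regenerated from it instead. The SPDX header change from `CC0-1.0` to `ISC` on the first changed line is a licensing change unrelated to the refactoring named in the subject and not explained anywhere in the patch; it deserves its own commit or at least a sentence in the message, and since the LICENSE file is not part of this diff I cannot tell whether it already matches.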
@@ -56,435 +18,23 @@
 #aarch64-darwin
 ];
 in inputs.flake-utils.lib.eachSystem supportedSystems (system:
- let
- pkgs = import inputs.nixpkgs {
- inherit system;
- config = inputs.haskell-nix.config;
- overlays = [
- inputs.haskell-nix.overlay
- (import nix/nixpkgs/overlays/static.nix)
- #(f: p: { gtkpod = f.hello; })
- ];
- };
-
- # A standard library of Nix expressions.
- lib = inputs.nixpkgs.lib;
-
- # A library of Nix expressions internal to haskell.nix.
- inherit (pkgs.haskell-nix) haskellLib;
-
- rawCabalProject = lib.readFile ./cabal.project;
-
- # haskell.nix's main entry point
- project = pkgs.haskell-nix.cabalProject' [
- ({ config, pkgs, ... }: {
- name = "github-action-scan";
-
- # Filter-in input files to avoid unnecessary rebuilds
- # after changing any file tracked in Git that is not actually used by cabalProject.
- src = with lib.fileset;
- toSource {
- root = ./.;
- fileset = unions [
- ./LICENSE
- ./cabal.project
- #./cabal.project.freeze
- ./github-action-scan.cabal
- (fileFilter (file: lib.any file.hasExt [ "hs" ]) ./app)
- ];
- };
-
- # By default plan evaluation is done on the build system.
- #evalSystem = "x86_64-linux";
-
- # Retrieve compiler-nix-name from cabal.project's with-compiler field.
- # Eg. `with-compiler: ghc-9.4.7` becomes "ghc947"
- compiler-nix-name = lib.replaceStrings [ "-" "." ] [ "" "" ]
- (lib.head (lib.concatLists (lib.filter (l: l != null)
- (builtins.map (l: builtins.match "^with-compiler: *(.*)" l)
- (lib.splitString "\n" rawCabalProject)))));
-
- # Download GHC from Nixpkgs' binary cache instead of IOHK's
- # which would be done by using: pkgs.haskell-nix.compiler
- # Beware that if any dependency has `build-depends: ghc`
- # then` reinstallableLibGhc = false` is required
- # to avoid missing `genprimopcode`.
- # See https://github.com/input-output-hk/haskell.nix/issues/1809#issuecomment-1358469589
- compilerSelection = pkgs:
- # Avoid:
- # error: attribute 'buildGHC' missing
- # at /nix/store/wlvllg9m9bklpzs4fk83w1lki3jwrjhg-source/builder/ghc-for-component-wrapper.nix:27:10:
- # 26| haddock = if stdenv.hostPlatform.isLinux && stdenv.targetPlatform.isMusl && !haskellLib.isNativeMusl
- # 27| then ghc.buildGHC
- # | ^
- # 28| else ghc;
- #lib.mapAttrs (name: ghc: ghc // { buildGHC = ghc; })
- # pkgs.haskell.compiler;
- pkgs.haskell-nix.compiler;
-
- # Pinning the index-state of Hackage,
- # instead of using the latest known by haskell.nix,
- # removes haskell.nix from interfering too much into the reproducibility.
- # It also enables to materialize the plan-nix.
- index-state = haskellLib.parseIndexState rawCabalProject;
-
- # Materializing a project means caching the nix files
- # generated from the *.cabal/stack.yaml/package.yaml files.
- # To update:
- # $ nix run .#update-nix-cache-haskell-nix-materialized
- # It's only checked in ciJobs.
- materialized =
- if builtins.pathExists nix/cache/haskell.nix/materialized then
- nix/cache/haskell.nix/materialized
- else
- null;
-
- # Using inputMap for each source-repository-package of cabal.project
- # leverages Nix Flake's inputs to automatically get their rev and sha256 hashes
- # and to check upstreams for updates (using `nix flake update`
- # or `nix flake lock --update-input `).
- inputMap = let
- # findCabalFiles (in nix-tools/nix-tools/cabal2nix/Main.hs)
- # always prefers package.yaml over *.cabal,
- # but when the resulting *.cabal file is different
- # than a previously existing one,
- # the build fails with an error like this one:
- # crawlerIsidore.cabal was modified manually, please use --force to overwrite.
- # Hence just remove this out-of-sync package.yaml.
- removePackageYaml = src:
- pkgs.symlinkJoin {
- name = "removePackageYaml-patched";
- paths = [ src ];
- postBuild = "rm $out/package.yaml";
- # Preserve rev for the inputMap
- passthru.rev = src.rev;
- };
- applyPatches = inputName: patches:
- pkgs.buildPackages.applyPatches {
- name = "${inputName}-patched";
- src = inputs.${inputName};
- inherit patches;
- } // {
- inherit (inputs.${inputName}) rev;
- };
- in {
- "https://github.com/MangoIV/cabal-audit.git" = inputs.cabal-audit;
- "https://github.com/haskell/security-advisories.git" =
- inputs.haskell-security-advisories;
- #"https://github.com/haskell/tar.git" = applyPatches "tar" [
- # nix/haskell.nix/patches/tar/0001-compatibility-static-build-remove-QuasiQuotes.patch
- #];
- };
-
- # Default project configuration.
- modules = [
- ({ pkgs, ... }:
- {
- # Make the closure dependency significantly larger
- # but avoid missing genprimopcode with compilerSelection = p: pkgs.haskell.compiler
- #reinstallableLibGhc = false;
-
- # Link with OpenBLAS optimized libraries.
- # WARNING: OpenBLAS must only be used by trusted code
- # it is inherently unsuitable for security-conscious applications.
- # See nixpkgs/pkgs/development/libraries/science/math/openblas/default.nix
- #packages.hmatrix.flags.openblas = true;
- })
- ];
-
- # Shell configuration shared by the default shell
- # and all shells from the flake.variants.
- shell = {
- # By default haskell.nix does not force cabal-install (by setting CABAL_CONFIG=)
- # to use the packages selected by project.plan-nix and available in `ghc-pkg list`,
- # leaving cabal-install in charge of provisioning Haskell packages,
- # which gives more flexibility when developing.
- #exactDeps = false;
- #allToolDeps = true;
-
- # haskell.nix provisions (in `ghc-pkg list`)
- # the **dependencies** of the packages selected here,
- # which are also **not** selected here.
- #
- # By default haskell.nix selects all _local_ packages here
- # (packages from both the `packages` and the `source-repository-package` stanzas)
- # which therefore excludes `source-repository-package`s from being provisioned,
- #
- # Note that it means `cabal update` must be run to get an index-state.
- # and be able to download and build missing dependencies
- # that depend on `source-repository-package`s.
- # Eg. gargantext's dependency `hstatistics` depends on `hmatrix`,
- # but hmatrix is a `source-repository-package`
- # hence `hstatistics` is not provisioned by haskell.nix.
- #packages = ps: lib.attrValues (haskellLib.selectLocalPackages ps);
-
- # Add in this list any development tool needed
- # that is not expected to come from the developers' own system.
- nativeBuildInputs = [
- pkgs.haskell.packages.${config.compiler-nix-name}.cabal-install
- #pkgs.haskell.packages.${config.compiler-nix-name}.ghcid
- pkgs.haskell.packages.${config.compiler-nix-name}.haskell-language-server
- pkgs.haskell.packages.${config.compiler-nix-name}.hlint
- pkgs.haskell.packages.${config.compiler-nix-name}.ormolu
- pkgs.haskell.packages.${config.compiler-nix-name}.cabal-fmt
- ];
-
- shellHook = ''
- cat >&2 ${
- pkgs.buildPackages.writeText "shellEnterMessage.txt" ''
- **Warning**
- This Nix development shell is not configured to provision
- `cabal.project`'s `source-repository-package`s and their reverse dependencies,
- therefore when `source-repository-package`s are used
- a `cabal update` has to be run manually to fetch an `index-state`
- before running `cabal build`.
- ''
- }
- '' + self.checks.${system}.git-hooks-check.shellHook;
-
- # When true, builds a Hoogle documentation index of all dependencies,
- # and provides a "hoogle" command to search the index.
- #withHoogle = true;
- };
-
- # Variants to the default project configuration above.
- # They're accessed in the flake's outputs with their name prefixed.
- # $ nix -L build .#haskell-nix-ghc:github-action-scan:exe:github-action-scan-exe
- # Or via `legacyPackages.${system}.project.projectVariants`:
- # $ nix -L build .#project.projectVariants.haskell-nix-ghc.components.executables.github-action-scan-exe
- flake.variants = {
- # For using profiling versions of Haskell packages:
- # $ nix develop .#profiling
- profiling = {
- modules = [{
- # Applies to all packages of the Haskell closure. For instance:
- # $ nix eval .#project.hsPkgs.containers.components.library.config.enableProfiling
- # false
- # $ nix eval .#project.projectVariants.profiling.hsPkgs.containers.components.library.config.enableProfiling
- # true
- enableProfiling = true;
- enableLibraryProfiling = true;
- }];
- };
-
- # For using haskell.nix's GHC:
- # $ nix -L develop .#haskell-nix-ghc
- # $ nix -L build .#haskell-nix-ghc:github-action-scan:exe:github-action-scan-exe
- haskell-nix-ghc = {
- compilerSelection =
- lib.mkForce (pkgs: pkgs.haskell-nix.compiler);
- materialized = lib.mkForce null;
- modules = [{
- # Revert to the default
- reinstallableLibGhc = lib.mkForce true;
- }];
- };
- };
-
- # Enable coverage report in `ciJobs` and `hydraJobs` flake outputs.
- # For building the coverages:
- # $ nix -L build .#ciJobs.x86_64-linux.coverage.github-action-scan
- # Alas, coverage fails to find hpc when using Nixpkgs' GHC:
- # github-action-scan> no such hpc command
- # So for now the haskell-nix-ghc variant has to be used:
- # $ nix -L build .#project.projectVariants.haskell-nix-ghc.flake"'".ciJobs.coverage.github-action-scan
- # $ firefox result/share/hpc/vanilla/html/
- flake.doCoverage = true;
- # Defaults to haskellLib.selectProjectPackages which select cabal.project's `packages`
- # but rather make all `source-repository-package`s also available in `ciJobs.coverage.*`
- flake.packages = haskellLib.selectLocalPackages;
- # FIXME: haskell.nix uses a `doCoverage = lib.mkDefault true` which causes conflicts.
- flake.coverageProjectModule = {
- modules = [{
- packages = let
- packageNames = project:
- builtins.attrNames (config.flake.packages project.hsPkgs);
- in lib.genAttrs (packageNames config)
- (_: { doCoverage = true; });
- }];
- };
-
- # Dead-code analysis
- # $ nix -L build .#weeder-project-analysis
- # $ bat result
- # Note that there may be false positives
- # and that some file location may be wrong.
- weeder = {
- packages = ps:
- haskellLib.selectProjectPackages ps // lib.getAttrs [
- #"epo-api-client"
- ] ps;
- # See https://github.com/ocharles/weeder?tab=readme-ov-file#configuration-options
- settings = {
- roots = [
- "^Main.main$"
- # Automatically generated by Cabal
- "^Paths_.*"
- ];
- root-instances = [ ];
- # Consider all instances of type classes as roots.
- type-class-roots = true;
- unused-types = true;
- };
- };
-
- # Make some variables available to all project modules
- _module.specialArgs = {
- # Use specialArgs to avoid infinite recursion
- # when `inputs` is used in `imports`.
- inherit inputs;
- };
- _module.args = {
- inherit system;
- inherit (pkgs.haskell-nix) haskellLib;
- };
- })
-
- # project modules
- (import nix/haskell.nix/modules/weeder.nix)
- (import nix/haskell.nix/modules/static.nix)
- ];
-
- projectFlake = project.flake { };
- in {
- legacyPackages = pkgs // {
- # For exploring the project:
- # $ nix --extra-experimental-features 'flakes repl-flake' repl .
- # nix-repl> :lf .
- # nix-repl> legacyPackages.x86_64-linux.project.
- inherit project;
- };
-
- # For building a component of this project:
- # $ nix -L build .#github-action-scan:exe:github-action-scan-exe
- packages = projectFlake.packages // {
- weeder-analysis = project.args.weeder.analysis;
- github-action-scan-image = pkgs.dockerTools.buildImage {
- name = "blackheaven/haskell-security-action";
- tag = "latest";
-
- copyToRoot = pkgs.buildEnv {
- name = "image-root";
- paths = [
- projectFlake.packages."static-x86_64-unknown-linux-musl:github-action-scan:exe:github-action-scan"
- ];
- pathsToLink = [ "/bin" ];
- };
- config = { Cmd = [ "/bin/only-for-file-transfer" ]; };
+ let pkgs = import inputs.nixpkgs { inherit system; };
+ in rec {
+ packages.github-action-scan-image = pkgs.dockerTools.buildImage {
+ name = "blackheaven/haskell-security-action";
+ tag = "latest";
+
+ copyToRoot = pkgs.buildEnv {
+ name = "image-root";
+ paths =
+ [ inputs.cabal-audit.packages.${system}.cabal-audit-static ];
+ pathsToLink = [ "/bin" ];
 };
+ config = { Cmd = [ "/bin/only-for-file-transfer" ]; };
 };
- # For entering the default development shell:
- # $ nix -L develop
- # $ cabal build --disable-optimization
- #
- # For entering the development shell variant `profiling`:
- # $ nix -L develop .#profiling
- # $ cabal run --enable-profiling github-action-scan-exe
- devShells = projectFlake.devShells;
-
- apps = projectFlake.apps // {
- # For updating nix/cache/haskell.nix/materialized:
- # $ nix run .#update-nix-cache-haskell-nix-materialized
- # It needs to be updated when cabal.freeze or any other input to the plan-nix changes.
- # It's only OK to use it when the plan-nix does not depend on `system`.
- # See https://github.com/input-output-hk/haskell.nix/blob/master/docs/tutorials/materialization.md#when-is-it-ok-to-materialize
- update-nix-cache-haskell-nix-materialized =
- inputs.flake-utils.lib.mkApp {
- drv = pkgs.writeShellApplication {
- name = "update-nix-cache-haskell-nix-materialized";
- text = ''
- set -eux
- git diff --exit-code
- ${
- (project.appendModule {
- materialized = lib.mkForce null;
- }).plan-nix.passthru.generateMaterialized
- } nix/cache/haskell.nix/materialized
- git add --all nix/cache/haskell.nix/materialized
- git commit -m "nix: update nix/cache/haskell.nix/materialized"
- '';
- };
- };
+ defaultPackage = packages.github-action-scan-image;
- # Register the default project's toolchain,
- # to prevent nix-collect-garbage from removing them from the Nix store.
- # Note that it does not register the roots of the `projectVariants`.
- update-nix-cache-haskell-nix-gc-roots = inputs.flake-utils.lib.mkApp {
- drv = pkgs.writeShellApplication {
- name = "update-nix-cache-haskell-nix-gc-roots";
- text = ''
- set -eux
- rm -rf nix/cache/haskell.nix/gc-roots
- nix-store --add-root nix/cache/haskell.nix/gc-roots/default --indirect --realise ${project.roots}
- '';
- };
- };
-
- };
-
- # For running all checks (very slow):
- # $ nix -L flake check
- #
- # For building a specific check of the project:
- # $ nix -L build .#project.hsPkgs.github-action-scan.components.tests.github-action-scan-test
- # $ result/bin/github-action-scan-test
- #
- # Alternatively, but slower:
- # $ nix -L build .#checks.x86_64-linux.github-action-scan:test:github-action-scan-test
- # $ bat result/test-stdout
- #
- # See names from:
- # $ nix -L flake show --allow-import-from-derivation
- # Alas, currently coverage reports do not work (can't find hpc)
- # with nixpkgs.haskellPackages' GHC, so haskell.nix's GHC has to be used:
- # $ # nix -L build .#project.projectCoverageReport
- # $ nix -L build .#project.projectVariants.haskell-nix-ghc.projectCoverageReport
- # $ firefox
result/share/hpc/vanilla/html/index.html
- checks = projectFlake.checks // {
- git-hooks-check = inputs.git-hooks.lib.${system}.run {
- src = ./.;
- hooks = {
- cabal-fmt.enable = true;
- ormolu.enable = true;
- hlint.enable = true;
- # nixfmt-rfc-style.enable = true;
- # nixfmt-classic.enable = true;
- nixfmt.enable = true;
- };
- };
- };
-
- # Jobs for the Nix-based continuous integration system: Hydra
- # https://nixos.wiki/wiki/Hydra
- # Note that haskell.nix always set `checkMaterialization = true` in `hydraJobs`.
- #hydraJobs = projectFlake.hydraJobs;
-
- # `ciJobs` is like `hydraJobs` but with `${system}` first
- # so that the IFDs will not have to run for systems
- # we are not testing (placement of `${system}` is done by `flake-utils.eachSystem`
- # and it treats `hydraJobs` differently from the other flake.
- # Note that haskell.nix always set `checkMaterialization = true` in `ciJobs`.
- ciJobs = projectFlake.ciJobs;
+ devShell = pkgs.mkShell { };
 });
-
- # Ask users to set Nix config entries in ~/.local/share/nix/trusted-settings.json.
- nixConfig = {
- # This sets the flake to use the IOG nix cache.
- # Only useful when using the haskell-nix-ghc variant.
- extra-substituters = [ "https://cache.iog.io" ];
- extra-trusted-public-keys =
- [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
-
- # haskell.nix translates to Nix expressions:
- # - the build plan usually generated in `dist-newstyle/cache/plan.json` by `cabal configure`
- # - and the `.cabal`/`stack.yaml`/`package.yaml` files of projects.
- #
- # haskell.nix can either generate those Nix expressions on-demand
- # by calling its nix-tools' make-install-plan and cabal-to-nix,
- # hence importing them from a derivation (IFD).
- # Or import pre-generated files whenever project's materialized= attribute is not null,
- # and then no longer needs to allow IFD.
- allow-import-from-derivation = "true";
- };
 }
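Review bot: `defaultPackage = packages.github-action-scan-image;` and `devShell = pkgs.mkShell { };` use the legacy per-system output names; current nix looks up `packages.default` and `devShells.default` and, as far as I know, only falls back to the old names with a deprecation warning. Since the body is already `rec`, the replacement is `packages.default = packages.github-action-scan-image;` and `devShells.default = pkgs.mkShell { };`. The rewrite also drops the `checks` output entirely, so `nix flake check` no longer verifies anything for this flake; if that is intended, a one-line comment in the outputs saying so would save a reader from looking for it. The image keeps `Cmd = [ "/bin/only-for-file-transfer" ]` while only `cabal-audit-static` is linked into `/bin`, so a comment above `config` stating that the image is a transfer vehicle for the binary and is not meant to be run would make that intent explicit.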
diff --git a/github-action-scan.cabal b/github-action-scan.cabal
deleted file mode 100644
index fda28b4..0000000
--- a/github-action-scan.cabal
+++ /dev/null
@@ -1,63 +0,0 @@
-cabal-version: 3.8
-name: github-action-scan
-version: 0.1.0.0
-author: Gautier DI FOLCO
-maintainer: gautier.difolco@gmail.com
-category: Data
-build-type: Simple
-license: ISC
-license-file: LICENSE
-synopsis: Scan for vulnerabilities and create advisories on GitHub
-description: Scan for vulnerabilities and create advisories on GitHub.
-homepage: http://github.com/blackheaven/github-action-scan
-tested-with: GHC ==9.6.5
-executable github-action-scan
- -- type: exitcode-stdio-1.0
- main-is: Main.hs
- hs-source-dirs: app
- default-extensions:
- DataKinds
- DefaultSignatures
- DeriveAnyClass
- DeriveGeneric
- DerivingStrategies
- DerivingVia
- DuplicateRecordFields
- FlexibleContexts
- GADTs
- GeneralizedNewtypeDeriving
- KindSignatures
- LambdaCase
- OverloadedRecordDot
- OverloadedStrings
- RankNTypes
- RecordWildCards
- ScopedTypeVariables
- TypeApplications
- TypeFamilies
- TypeOperators
- ghc-options:
- -threaded -rtsopts -with-rtsopts=-N -Wall -Wcompat -Widentities
- -Wincomplete-record-updates -Wincomplete-uni-patterns
- -Wpartial-fields -Wredundant-constraints
- build-depends:
- , aeson
- , base
- , Cabal
- , cabal-audit
- , cabal-install
- , Cabal-syntax
- , containers
- , fused-effects
- , hsec-tools
- , http-types
- , kan-extensions
- , optparse-applicative
- , process
- , sarif
- , text
- default-language: Haskell2010
diff --git a/nix/haskell.nix/modules/profiling.nix b/nix/haskell.nix/modules/profiling.nix
deleted file mode 100644
index c915eb0..0000000
--- a/nix/haskell.nix/modules/profiling.nix
+++ /dev/null
@@ -1 +0,0 @@
-{ ... }: { }
diff --git a/nix/haskell.nix/modules/static.nix b/nix/haskell.nix/modules/static.nix
deleted file mode 100644
index 68685dd..0000000
--- a/nix/haskell.nix/modules/static.nix
+++ /dev/null
@@ -1,74 +0,0 @@
-{ config, pkgs, lib, haskellLib, ... }: {
- config = {
- flake.variants = {
- # For building static executables:
- # $ nix -L build .#static-x86_64-unknown-linux-musl:github-action-scan:exe:github-action-scan-exe
- #
- # Note the use of the Musl cross compiling platform
- # to replace glibc which does not fully support static linking.
- #
- # For debugging static executables (Musl is not bug-to-bug compatible with glibc):
- # $ nix -L develop .#legacyPackages.x86_64-linux.project.projectVariants.static.projectCross.musl64.hsPkgs.github-action-scan.components.executables.github-action-scan-exe
- # devShell> $ rm -rf source outputs
- # devShell> $ unpackPhase
- # devShell> $ cd source
- # devShell> $ patchPhase
- # devShell> $ eval "$configurePhase"
- # devShell> $ eval "$buildPhase"
- # devShell> $ (unset LD_LIBRARY_PATH; $EDITOR **/*.hs) # hack hack hack
- # devShell> $ eval "$buildPhase"
- # devShell> $ eval "$installPhase"
- #
- # FIXME: this static compiling currently fails.
- # A problem to look for is pkgsCross.musl64
- # still having some libraries not built statically.
- static = {
- modules = [
- ({ config, pkgs, ... }: {
- enableStatic = true;
- # Fails with:
- # cmdargs-lib-cmdargs-x86_64-unknown-linux-musl> Bad interface file: /nix/store/n0iwpy7240kw1mkmryzcgj9s9vvbfslb-transformers-lib-transformers-x86_64-unknown-linux-musl-0.5.6.2/lib/x86_64-linux-ghc-9.4.7/transformers-0.5.6.2-7uipldXxD6oGHq4y3fP618/Control/Monad/Trans/State.dyn_hi
- #
- # Besides it does not apply DYNAMIC_GHC_PROGRAMS=NO to GHC.
- #enableShared = false;
-
- # Musl does not provide the thread-safe random_r()/initstate_r()
- # so make randomVector fallback to a **non** thread-safe alternative, nrand48()
- # See https://github.com/haskell-numerics/hmatrix/issues/279
- #
- # As a consequence, random numbers may not be random between threads
- # as they now share a common state.
- # See http://www.evanjones.ca/random-thread-safe.html
- # > the best solution for truly portable applications
- # > is to include your own random number generator implementation,
- # > and not rely on the system's C library.
- # See https://github.com/haskell-numerics/hmatrix/issues/307
- #packages.hmatrix.flags.no-random_r = true;
-
- # Use pkg-config instead of pg_config to avoid:
- # $ nix -L build .#legacyPackages.x86_64-linux.project.projectVariants.static.projectCross.musl64.hsPkgs.postgresql-libpq.components.library
- # > Error: Setup: The program 'pg_config' is required but it could not be found
- #packages.postgresql-libpq.flags.use-pkg-config = true;
-
- # > : error:
- # > Couldn't find a target code interpreter. Try with -fexternal-interpreter
- #packages.tar.ghcOptions = [ "-fexternal-interpreter" ];
-
- packages.github-action-scan.components.exes.github-action-scan-exe.dontStrip =
- false;
- })
- ];
-
- flake.crossPlatforms = platforms:
- pkgs.lib.optionals pkgs.stdenv.hostPlatform.isx86_64 (
- # For building static executables.
- pkgs.lib.optionals pkgs.stdenv.hostPlatform.isLinux [
- platforms.musl64
- ]
- # For cross compiling to Windows.
- # ++ [ platforms.mingwW64 ]
- );
- };
- };
- };
-}
diff --git a/nix/haskell.nix/modules/weeder.nix b/nix/haskell.nix/modules/weeder.nix
deleted file mode 100644
index 3a7e147..0000000
--- a/nix/haskell.nix/modules/weeder.nix
+++ /dev/null
@@ -1,83 +0,0 @@
-{ config, pkgs, lib, haskellLib, ... }:
-let
- cfg = config.weeder;
- toml = pkgs.formats.toml { };
-in {
- options.weeder = {
- analysis = lib.mkOption {
- type = lib.types.package;
- default = null;
- internal = true;
- };
- packages = lib.mkOption {
- type = lib.types.unspecified;
- default = haskellLib.selectProjectPackages;
- };
- settings = lib.mkOption {
- type = toml.type;
- default = { };
- };
- };
-
- config = {
- modules = [{
- # Enable writeHieFiles by default.
- # See https://github.com/input-output-hk/haskell.nix/issues/298#issuecomment-767936405
- # for what's going on in this trick.
- options.packages = lib.mkOption {
- type = lib.types.attrsOf (lib.types.submodule ({ config, ... }: {
- config = lib.mkIf ((cfg.packages {
- ${config.package.identifier.name} = config.package;
- }) ? ${config.package.identifier.name}) {
- writeHieFiles = lib.mkForce true;
- };
- }));
- };
- }];
-
- weeder.analysis = pkgs.runCommand "weeder-${config.name}" {
- buildInputs = [
- pkgs.glibcLocales
- pkgs.haskell.packages.${config.compiler-nix-name}.weeder
- ];
- allHieFiles = pkgs.linkFarm "allHieFiles" (lib.concatMap (package:
- let
- lib-hies = lib.optional (package.components ? library) {
- name = "${package.identifier.name}-library";
- path = package.components.library.hie;
- };
-
- exe-hies = lib.concatMap (exe:
- lib.optional (package.components.exes.${exe} ? hie) {
- name = "${package.identifier.name}-exe-${exe}";
- path = package.components.exes.${exe}.hie;
- }) (lib.attrNames package.components.exes);
-
- test-hies = lib.concatMap (test-name:
- let
- test = package.components.tests.${test-name};
- is-doctest =
- # doctest tests build _all_ components of a package.
- # The GHC id of these packages will be different,
- # which means that when we run weeder, all this code
- # will be uncalled. These are false positives, so
- # we don't include hie files from anything that
- # depends on `doctest`.
- lib.any (x: x.identifier.name or "" == "doctest")
- test.config.depends;
- in lib.optional (!is-doctest) {
- name = "${package.identifier.name}-test-${test-name}";
- path = test.hie;
- }) (lib.attrNames package.components.tests);
- in lib-hies ++ exe-hies ++ test-hies)
- (builtins.attrValues (cfg.packages config.hsPkgs)));
- } ''
- export LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 LANGUAGE=en_US.UTF-8
- cd $allHieFiles
- weeder >$out --no-default-fields --config ${
- toml.generate "weeder.toml" cfg.settings
- } ||
- test $? = 228 # One or more weeds found
- '';
- };
-}
diff --git a/nix/nixpkgs/overlays/static.nix b/nix/nixpkgs/overlays/static.nix
deleted file mode 100644
index 5405f39..0000000
--- a/nix/nixpkgs/overlays/static.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-finalPkgs: previousPkgs: {
- pkgsCross = previousPkgs.pkgsCross // {
- musl64 = previousPkgs.pkgsCross.musl64.extend (finalMusl64: previousMusl64:
- {
-
- #openblas = previousMusl64.openblas.override {
- # # See https://github.com/input-output-hk/haskell.nix/issues/914#issuecomment-2021507590
- # enableStatic = true;
- # # Necessary to overcome lapack and blas packaging.
- # # And avoid ghc-iserv to fail finding the shared libs.
- # enableShared = true;
- #};
-
- # Not enough anyway to avoid:
- # unknown symbol `ZSTD_trace_compress_begin' in zstd Haskell package.
- #zstd = previousMusl64.zstd.override {
- # static = true;
- #};
- });
- };
-}