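--- a/.github/workflows/check-devbox-bypass.yaml
+++ b/.github/workflows/check-devbox-bypass.yaml
@@ -0,0 +1,26 @@
+name: Check Devbox
+run-name: Check Devbox - ${{ github.run_id }} - @${{ github.actor }}
+
+on:
+pull_request:
+paths-ignore:
+- 'devbox.json'
+- 'devbox.lock'
+- 'build.assets/flake/**'
+merge_group:
+paths-ignore:
+- 'devbox.json'
+- 'devbox.lock'
+- 'build.assets/flake/**'
+
+jobs:
+check-devbox:
+if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
+name: Check Devbox
+runs-on: ubuntu-latest
+
+permissions:
+contents: none
+
+steps:
+- run: 'echo "No changes to verify"'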
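Review bot: Nothing in the file says why a job whose only step echoes a message exists, so a reader has to infer it from the `paths-ignore` filters mirroring the `paths` filters in check-devbox.yaml and from both jobs carrying the same `name: Check Devbox`. Presumably this is the companion that lets a required "Check Devbox" status report success on PRs that do not touch the devbox inputs; a header comment such as `# Companion to check-devbox.yaml: reports a passing "Check Devbox" status for PRs that do not change devbox.json, devbox.lock or build.assets/flake, so the required check is satisfied without running it.` would make that explicit and warn maintainers to keep the two filter lists in sync. `permissions: contents: none` is the right scope for a job that touches nothing.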
34 changes: 34 additions & 0 deletions .github/workflows/check-devbox.yaml
@@ -0,0 +1,34 @@
name: Check Devbox
run-name: Check Devbox - ${{ github.run_id }} - @${{ github.actor }}

on:
pull_request:
paths:
- 'devbox.json'
- 'devbox.lock'
- 'build.assets/flake/**'
merge_group:
paths:
- 'devbox.json'
- 'devbox.lock'
- 'build.assets/flake/**'

jobs:
check-devbox:
if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
name: Check Devbox
runs-on: ubuntu-latest

permissions:
contents: read

steps:
- name: Checkout
uses: actions/checkout@v3

- name: Install devbox
run: curl -fsSL https://get.jetpack.io/devbox | FORCE=1 bash
Comment on lines +29 to +30
Could we do the curl | bash before we checkout (to descope source code)?

I'm thinking about attacks like https://about.codecov.io/security-update/ here.

I'm also somewhat amused that we're using a floating version of devbox, when the entire point of the tool is to pin the toolchain to specific known versions. We should probably pin the devbox version too. 😄


- name: Install devbox dependencies
run: |
devbox install
@LucilleH LucilleH Jun 14, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎉 🎉 🎉 In case you want to enable caching in the future, you can use https://github.com/marketplace/actions/devbox-installer or copy the yaml there

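Review bot: `uses: actions/checkout@v3` in the Checkout step references a moving tag rather than a commit SHA, and checkout's default `persist-credentials: true` leaves the job token in `.git/config` for the later `devbox install` step, which presumably evaluates repository-controlled devbox.json and flake content. Nothing after checkout needs the token, so the step could be `uses: actions/checkout@<commit-sha-placeholder> # v3` followed by `with:` / `persist-credentials: false`. With `permissions: contents: read` the token is read-only, so this is defence in depth rather than a live hole, but it is the same class of supply-chain concern as the install step and costs two lines.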
71 changes: 70 additions & 1 deletion build.assets/flake/flake.lock


133 changes: 64 additions & 69 deletions build.assets/flake/flake.nix
Expand Up @@ -23,6 +23,8 @@
inputs = {
flake-utils.url = "github:numtide/flake-utils";
nixpkgs.url = "github:nixos/nixpkgs/8ad5e8132c5dcf977e308e7bf5517cc6cc0bf7d8"; # general packages
rust-overlay.url = "github:oxalica/rust-overlay";


# Linting dependencies
helmPkgs.url = "github:nixos/nixpkgs/8ad5e8132c5dcf977e308e7bf5517cc6cc0bf7d8"; # helm 3.11.1
Expand All @@ -37,6 +39,7 @@
outputs = { self,
flake-utils,
nixpkgs,
rust-overlay,

helmPkgs,
libbpfPkgs,
Expand All @@ -46,15 +49,16 @@
(system:
let
# These versions are not available from nixpkgs
golangciLintVersion = "v1.53.2";
rustVersion = "1.68.0";
gogoVersion = "v1.3.2";
helmUnittestVersion = "v1.0.16";
nodeProtocTsVersion = "5.0.1";
nodeProtocTsVersion = "v5.0.1";
grpcToolsVersion = "1.12.4";
libpcscliteVersion = "1.9.9-teleport";
rustVersion = "1.68.0";
yarnVersion = "1.22.19";

overlays = [ (import rust-overlay) ];

# Package aliases to make reusing these packages easier.
# The individual package names here have been determined by using
# https://lazamar.co.uk/nix-versions/
Expand All @@ -63,7 +67,9 @@

# pkgs is an alias for the nixpkgs at the system level. This will be used
# for general utilities.
pkgs = nixpkgs.legacyPackages.${system};
pkgs = import nixpkgs {
inherit system overlays;
};

# The helm unittest plugin.
helm-unittest = pkgs.buildGoModule rec {
Expand All @@ -90,19 +96,6 @@
# Wrap helm with the unittest plugin.
helm = (pkgs.wrapHelm helmPkgs.legacyPackages.${system}.kubernetes-helm {plugins = [helm-unittest];});

# Install golangci-lint
golangci-lint = pkgs.stdenv.mkDerivation {
name = "golangci-lint";
buildInputs = [
pkgs.cacert
pkgs.curl
];
dontUnpack = true;
buildPhase = ''
curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $out/bin ${golangciLintVersion}
'';
};

libpcscliteAdditionalNativeBuildInputs = if pkgs.stdenv.isDarwin then
[pkgs.darwin.IOKit] else [];
libpcscliteAdditionalBuildInputs = if pkgs.stdenv.isLinux then
Expand All @@ -126,30 +119,29 @@
pkgs.gcc
pkgs.pkg-config
] ++ libpcscliteAdditionalBuildInputs;
autoreconfPhase = ''
./bootstrap
'';
configurePhase = ''
./configure --enable-static --with-pic --disable-libsystemd --prefix="$out"
'';
shellHook = ''
export CFLAGS="-std=gnu99"
./bootstrap
./configure --enable-static --with-pic --disable-libsystemd --with-systemdsystemunitdir=$out --exec-prefix=$out --prefix=$out
'';
makeFlags = [
"CFLAGS=\"-std=gnu99\""
];
};

# Compile protoc-gen-gogo for golang protobuf compilation.
protoc-gen-gogo = pkgs.stdenv.mkDerivation {
protoc-gen-gogo = pkgs.buildGoModule {
name = "protoc-gen-gogo";
version = gogoVersion;

src = pkgs.fetchFromGitHub {
owner = "gogo";
repo = "protobuf";
rev = gogoVersion;
sha256 = "sha256-CoUqgLFnLNCS9OxKFS7XwjE17SlH6iL1Kgv+0uEK2zU=";
};
buildInputs = [
pkgs.cacert
pkgs.go
];

vendorSha256 = "sha256-nOL2Ulo9VlOHAqJgZuHl7fGjz/WFAaWPdemplbQWcak=";

buildPhase = ''
export GOBIN="$out/bin"
export GOCACHE="$(mktemp -d)"
Expand All @@ -158,58 +150,61 @@
'';
};

# Compile grpc-tools for nodejs protobuf compilation.
grpc-tools = pkgs.stdenv.mkDerivation {
name = "grpc-tools";
dontUnpack = true;
buildInputs = [
pkgs.nodejs-16_x
];
buildPhase = ''
export HOME="$(mktemp -d)"
export TEMPDIR="$(mktemp -d)"
npm install --prefix "$TEMPDIR" grpc_tools_node_protoc_ts@${nodeProtocTsVersion} grpc-tools@${grpcToolsVersion}
mv "$TEMPDIR" "$out"
mkdir "$out/bin"
cd "$out/bin"
ln -s ../node_modules/.bin/* "$out/bin/"
'';
node-protoc-ts = pkgs.buildNpmPackage {
name = "grpc_tools_node_protoc_ts";
version = nodeProtocTsVersion;

src = pkgs.fetchFromGitHub {
owner = "agreatfool";
repo = "grpc_tools_node_protoc_ts";
rev = nodeProtocTsVersion;
sha256 = "sha256-kDrflQVENjOY7ei3+D3Znx4eUDPoja8UGG2Phv1eptA=";
};

npmDepsHash = "sha256-fxOyItDkkv5OAmtScD9ykq26Meh6qyZSDmWegeh+GRY=";
};

# Rust and cargo binaries.
rust = pkgs.stdenv.mkDerivation {
name = "rust";
dontUnpack = true;
buildInputs = [
pkgs.cacert
pkgs.curl
];
buildPhase = ''
export RUSTUP_HOME="$out"
export CARGO_HOME="$out"
curl --proto '=https' --tlsv1.2 -fsSL https://sh.rustup.rs | sh -s -- -y --no-modify-path --default-toolchain "${rustVersion}"
grpc-tools = pkgs.stdenv.mkDerivation rec {
pname = "grpc-tools";
version = grpcToolsVersion;

src = pkgs.fetchFromGitHub {
owner = "grpc";
repo = "grpc-node";
rev = "grpc-tools@${grpcToolsVersion}";
fetchSubmodules = true;
sha256 = "sha256-708lBIGW5+vvSTrZHl/kc+ck7JKNXElrghIGDrMSyx8=";
};

sourceRoot = "source/packages/grpc-tools";

nativeBuildInputs = [ pkgs.cmake ];

installPhase = ''
install -Dm755 -t $out/bin grpc_node_plugin

cp grpc_node_plugin grpc_tools_node_protoc_plugin
install -Dm755 -t $out/bin grpc_tools_node_protoc_plugin

install -Dm755 -t $out/bin deps/protobuf/protoc
'';
};

rust = pkgs.rust-bin.stable.${rustVersion}.default;

# Yarn binary.
yarn = pkgs.stdenv.mkDerivation {
name = "yarn";
dontUnpack = true;
src = fetchTarball {
url = "https://yarnpkg.com/downloads/${yarnVersion}/yarn-v${yarnVersion}.tar.gz";
sha256 = "sha256:0jl77rl2sidsj3ym637w7g35wnv190l96n050aqlm4pyc6wi8v6p";
};
buildInputs = [
pkgs.cacert
pkgs.curl
pkgs.nodejs-16_x
];
buildPhase = ''
mkdir "$out"
export HOME="$out"
export PROFILE="$HOME/.bashrc"
touch "$PROFILE"
curl -o- -L https://yarnpkg.com/install.sh | bash -s -- --version ${yarnVersion}
cd "$out/.yarn"
mv * ..
cd "$out"
rm -rf .yarn
cp -R * "$out"
'';
};

Expand All @@ -226,7 +221,7 @@
{
packages = {
conditional = conditional;
golangci-lint = golangci-lint;
node-protoc-ts = node-protoc-ts;
grpc-tools = grpc-tools;
helm = helm;
libpcsclite = libpcsclite;
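Review bot: The yarn derivation in the `@@ -158,58 +150,61 @@` hunk is untouched context, but once this commit removes the golangci-lint and rustup installers it becomes the flake's last `curl ... | bash` build, and its `buildPhase` never uses the sha256-pinned `src = fetchTarball { ... }` because `dontUnpack = true` and the script re-downloads yarn from yarnpkg.com. Since `fetchTarball` already returns the unpacked archive, the whole `buildPhase` could become e.g. `installPhase = '' cp -R "$src" "$out" '';`, with `pkgs.cacert` and `pkgs.curl` dropped from `buildInputs`; that would make yarn as reproducible as the new `node-protoc-ts` and `grpc-tools` derivations. Worth a follow-up rather than a blocker here. Separately, `rust-overlay.url = "github:oxalica/rust-overlay";` in the first hunk follows the floating-ref style of `flake-utils.url` rather than the commit-pinned style of `nixpkgs.url` and `helmPkgs.url`; flake.lock pins it, so this is a consistency note only.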