[feat] bombon derivations

Makefile

@@ -542,3 +542,7 @@ kind-restart-%: .local/kind-kubeconfig
 #   make helm-template-wire-server
 helm-template-%: clean-charts charts-integration
 	./hack/bin/helm-template.sh $(*)
+
+.PHONY: upload-bombon
+upload-bombon:
+	./hack/bin/bombon.hs -- "$@"

changelog.d/5-internal/upload-bom

@@ -0,0 +1 @@
+add a Makefile target to make it possible to upload a bom of all services to s3 on every CI run

hack/bin/bombon.hs

@@ -0,0 +1,17 @@
+#!/usr/bin/env -S nix -Lv run github:wireapp/ghc-flakr/ecb1f45f1549e06c92d71164e305ce501eb0e36e
+{-# LANGUAGE BlockArguments #-}
+{-# LANGUAGE ImportQualifiedPost #-}
+{-# LANGUAGE OverloadedStrings #-}
+
+import Data.Text qualified as T
+import Turtle
+
+main = do
+  (release, repo) <- options "Upload boms" do
+    (,)
+      <$> optText "release" 't' "Which release tag to upload the artifacts to"
+      <*> optText "repo" 'r' "Which repository to upload the artifacts to"
+  let bomName = "wire-server-bom-" <> release <> ".json"
+  ExitSuccess <- proc "nix" ["build", "-f", "nix", "wireServer.allLocalPackagesBom", "-o", bomName] mempty
+  printf ("uploading " % s % " to release " % s % "\n") bomName ("chart/" <> release)
+  proc "gh" ["-R", repo, "release", "upload", "chart/" <> release, bomName] mempty

nix/default.nix

@@ -7,6 +7,7 @@ let
       # All wire-server specific packages
       (import ./overlay.nix)
       (import ./overlay-docs.nix)
+      (self: super: { lib = super.lib // (import sources.bombon).lib.${super.system}; })
     ];
   };
 

nix/sources.json

@@ -1,4 +1,16 @@
 {
+    "bombon": {
+        "branch": "main",
+        "description": "Nix CycloneDX Software Bills of Materials (SBOMs)",
+        "homepage": "",
+        "owner": "nikstur",
+        "repo": "bombon",
+        "rev": "09dce0377beb87c24822f79501d6c76166105788",
+        "sha256": "1z80waaimga03m4b0nhc3djaca4y2bh0dq8mc1r8s59hqngc22ch",
+        "type": "tarball",
+        "url": "https://github.com/nikstur/bombon/archive/09dce0377beb87c24822f79501d6c76166105788.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    },
     "nixpkgs": {
         "branch": "nixpkgs-unstable",
         "description": "Nix Packages collection",

nix/wire-server.nix

@@ -44,7 +44,7 @@
 # with nixpkgs' dockerTools to make derivations for docker images that we need.
 pkgs:
 let
-  lib = pkgs.lib;
+  inherit (pkgs) lib;
   hlib = pkgs.haskell.lib;
   withCleanedPath = drv:
     hlib.overrideCabal drv (old: {
@@ -459,9 +459,20 @@ let
       export LOCALE_ARCHIVE=${pkgs.glibcLocales}/lib/locale/locale-archive
     '';
   };
+  allLocalPackages = pkgs.symlinkJoin {
+    name = "all-local-packages";
+    paths = map (e: (hPkgs localModsEnableAll).${e}) wireServerPackages;
+  };
+
+  allImages = pkgs.linkFarm "all-images" (images localModsEnableAll);
+
+  # BOM is an acronym for bill of materials
+  allLocalPackagesBom = lib.buildBom allLocalPackages {
+    includeBuildtimeDependencies = true;
+  };
 in
 {
-  inherit ciImage hoogleImage;
+  inherit ciImage hoogleImage allImages allLocalPackages allLocalPackagesBom;
 
   images = images localModsEnableAll;
   imagesUnoptimizedNoDocs = images localModsOnlyTests;
@@ -522,13 +533,4 @@ in
   inherit brig-templates;
   haskellPackages = hPkgs localModsEnableAll;
   haskellPackagesUnoptimizedNoDocs = hPkgs localModsOnlyTests;
-  allLocalPackages = pkgs.symlinkJoin {
-    name = "all-local-packages";
-    paths = map (e: (hPkgs localModsEnableAll).${e}) wireServerPackages;
-  };
-
-  allImages = pkgs.symlinkJoin {
-    name = "all-images";
-    paths = builtins.attrValues (images localModsEnableAll);
-  };
 } // attrsets.genAttrs wireServerPackages (e: (hPkgs localModsEnableAll).${e})