diff --git a/pkgs/by-name/de/dependabot-cli/package.nix b/pkgs/by-name/de/dependabot-cli/package.nix
index 240b096997e7..9ba6982bebac 100644
--- a/pkgs/by-name/de/dependabot-cli/package.nix
+++ b/pkgs/by-name/de/dependabot-cli/package.nix
@@ -1,44 +1,31 @@ { + lib, + stdenv, buildGoModule, dependabot-cli, dockerTools, fetchFromGitHub, installShellFiles, - lib, makeWrapper, symlinkJoin, testers, }: let pname = "dependabot-cli"; - version = "1.63.0"; + version = "1.71.0"; - # vv Also update this vv + # `tag` is what `dependabot` uses to find the relevant docker images. tag = "nixpkgs-dependabot-cli-${version}"; - updateJobProxy = dockerTools.pullImage { - imageName = "ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy"; - # Get these hashes from - # nix run nixpkgs#nix-prefetch-docker -- --image-name ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy --image-tag latest --final-image-name dependabot-update-job-proxy --final-image-tag ${tag} - imageDigest = "sha256:3030ba5ff8f556e47016fca94d81c677b5c6abde99fef228341e1537588e503a"; - hash = "sha256-RiXUae5ONScoDu85L6BEf3T4JodBYha6v+d9kWl8oWc="; + # Get these hashes from + # nix run nixpkgs#nix-prefetch-docker -- --image-name ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy --image-tag latest --final-image-name dependabot-update-job-proxy --final-image-tag ${tag} + updateJobProxy.imageDigest = "sha256:a42f9b9845929ae044b8cd51b5335195c33fd610405e558552408287c5295827"; + updateJobProxy.hash = "sha256-pEtwBoJ+wF2TdQCcCyigLg4NYqOp2oNCEB7oCJOkwYc="; - # Don't update this, it's used to refer to the imported image later - finalImageName = "dependabot-update-job-proxy"; - finalImageTag = tag; - }; - - updaterGitHubActions = dockerTools.pullImage { - imageName = "ghcr.io/dependabot/dependabot-updater-github-actions"; - # Get these hashes from - # nix run nixpkgs#nix-prefetch-docker -- --image-name ghcr.io/dependabot/dependabot-updater-github-actions --image-tag latest --final-image-name dependabot-updater-github-actions --final-image-tag ${tag} - imageDigest = "sha256:a356576adbec11bc34b142b6ef69a5856a09dc3654bdc9f9b046c08ee2d73ff8"; - hash = "sha256-zqydb2v39xiSBT5ayWEacD0NIH6LoFX8lkRcCKppH08="; - - # 
Don't update this, it's used to refer to the imported image later - finalImageName = "dependabot-updater-github-actions"; - finalImageTag = tag; - }; + # Get these hashes from + # nix run nixpkgs#nix-prefetch-docker -- --image-name ghcr.io/dependabot/dependabot-updater-github-actions --image-tag latest --final-image-name dependabot-updater-github-actions --final-image-tag ${tag} + updaterGitHubActions.imageDigest = "sha256:ca93364b87b6a803d0005409cdb4c61d9c6d808dca33de47de14ef8c30811b51"; + updaterGitHubActions.hash = "sha256-TnV8IaBrGPpd06YYmvazGMlZTAVJIMCSWdOgi6hkpRE="; in buildGoModule { inherit pname version; @@ -47,10 +34,10 @@ buildGoModule { owner = "dependabot"; repo = "cli"; rev = "v${version}"; - hash = "sha256-lk0AEFQYemr4wP7JXx5mPzzo2VzSJvygPP5vtUvPaxs="; + hash = "sha256-RZNZ72FG4KQr52X0No6iXU4NMUQs7k000KYpw2Kuz5U="; }; - vendorHash = "sha256-pnB1SkuEGm0KfkDfjnoff5fZRsAgD5w2H4UwsD3Jlbo="; + vendorHash = "sha256-5zOMTe8Sa/nkIGtwm4FbAqv3/9Mg5Du2ixxF84VQbXE="; ldflags = [ "-s" @@ -63,7 +50,7 @@ buildGoModule { installShellFiles ]; - postInstall = '' + postInstall = lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) '' installShellCompletion --cmd dependabot \ --bash <($out/bin/dependabot completion bash) \ --fish <($out/bin/dependabot completion fish) \ 
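Review bot: The two `# Get these hashes from` comments in the first hunk's `let` block still describe a manual `nix-prefetch-docker ... --image-tag latest` run, although this commit adds update.sh to do that job. They also do not say that the pinned `imageDigest` values are whatever the "latest" tag resolved to at update time, not images tied to the CLI release named in `version`. A reviewer of a later bump therefore cannot check a digest change against the version change from the diff alone, and should know to compare it with the registry. I would replace both comments with one such as `# Rewritten by ./update.sh: digests are what the "latest" tag pointed to when it ran, not a per-release image.` The same "latest" lookup appears in the update.sh hunk.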
@@ -79,18 +66,36 @@ buildGoModule { $out/bin/dependabot --help ''; + passthru.updateScript = ./update.sh; + passthru.withDockerImages = symlinkJoin { name = "dependabot-cli-with-docker-images"; paths = [ dependabot-cli ]; buildInputs = [ makeWrapper ]; - postBuild = '' - # Create a wrapper that pins the docker images that are depended upon - wrapProgram $out/bin/dependabot \ - --run "docker load --input ${updateJobProxy} >&2" \ - --add-flags "--proxy-image=dependabot-update-job-proxy:${tag}" \ - --run "docker load --input ${updaterGitHubActions} >&2" \ - --add-flags "--updater-image=dependabot-updater-github-actions:${tag}" - ''; + postBuild = + let + updateJobProxyImage = dockerTools.pullImage { + imageName = "ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy"; + finalImageName = "dependabot-update-job-proxy"; + finalImageTag = tag; + inherit (updateJobProxy) imageDigest hash; + }; + + updaterGitHubActionsImage = dockerTools.pullImage { + imageName = "ghcr.io/dependabot/dependabot-updater-github-actions"; + finalImageName = "dependabot-updater-github-actions"; + finalImageTag = tag; + inherit (updaterGitHubActions) imageDigest hash; + }; + in + '' + # Create a wrapper that pins the docker images that `dependabot` uses. + wrapProgram $out/bin/dependabot \ + --run "docker load --input ${updateJobProxyImage} >&2" \ + --add-flags "--proxy-image=dependabot-update-job-proxy:${tag}" \ + --run "docker load --input ${updaterGitHubActionsImage} >&2" \ + --add-flags "--updater-image=dependabot-updater-github-actions:${tag}" + ''; }; passthru.tests.version = testers.testVersion { 
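Review bot: The wrapper built in `postBuild` calls `docker load` by bare name on every invocation, so it uses whichever `docker` is first on the caller's PATH and needs a reachable daemon, and neither requirement is documented in this hunk. The images are pinned by digest only at `dockerTools.pullImage`; at run time `--proxy-image` and `--updater-image` refer to a local `name:${tag}` that the preceding load re-points, which looks intentional but deserves a sentence. I would extend the existing comment to something like `# Loads the pinned images into the local docker daemon on each run (needs docker on PATH), then selects them by the local tag.` If a failed load is meant to abort the run rather than fall back to pulling, that is worth stating too, since it cannot be told from the visible lines.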
@@ -99,15 +104,15 @@ buildGoModule { version = "v${version}"; }; - meta = with lib; { + meta = { changelog = "https://github.com/dependabot/cli/releases/tag/v${version}"; description = "Tool for testing and debugging Dependabot update jobs"; mainProgram = "dependabot"; homepage = "https://github.com/dependabot/cli"; - license = licenses.mit; - maintainers = with maintainers; [ - l0b0 + license = lib.licenses.mit; + maintainers = with lib.maintainers; [ infinisil + philiptaron ]; }; } diff --git a/pkgs/by-name/de/dependabot-cli/update.sh b/pkgs/by-name/de/dependabot-cli/update.sh new file mode 100755 index 000000000000..a01d0accfa32 --- /dev/null +++ b/pkgs/by-name/de/dependabot-cli/update.sh 
@@ -0,0 +1,48 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl gnugrep gnused jq gh nix-prefetch-docker nix gitMinimal
+
+set -x -eu -o pipefail
+
+cd $(dirname "${BASH_SOURCE[0]}")
+
+NIXPKGS_PATH="$(git rev-parse --show-toplevel)"
+
+temp_dir=$(mktemp -d)
+trap 'rm -rf "$temp_dir"' EXIT
+
+gh api repos/dependabot/cli/releases/latest > "$temp_dir/latest.json"
+
+VERSION="$(jq -r .tag_name "$temp_dir/latest.json" | sed 's/^v//')"
+OLD_VERSION="$(grep -m1 'version = "' ./package.nix | cut -d'"' -f2)"
+
+if [ "$OLD_VERSION" = "$VERSION" ]; then
+ echo "dependabot is already up-to-date at $OLD_VERSION"
+ exit 0
+fi
+
+SHA256="$(nix-prefetch-url --quiet --unpack https://github.com/dependabot/cli/archive/refs/tags/v${VERSION}.tar.gz)"
+HASH="$(nix hash convert --hash-algo sha256 --to sri "$SHA256")"
+
+nix-prefetch-docker --json --quiet --final-image-name dependabot-update-job-proxy --final-image-tag "nixpkgs-dependabot-cli-$VERSION" ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy latest > "$temp_dir/dependabot-update-job-proxy.json"
+
+nix-prefetch-docker --json --quiet --final-image-name dependabot-updater-github-actions --final-image-tag "nixpkgs-dependabot-cli-$VERSION" ghcr.io/dependabot/dependabot-updater-github-actions latest > "$temp_dir/dependabot-updater-github-actions.json"
+
+setKV () {
+ sed -i "s,$1 = \"[^v].*\",$1 = \"${2:-}\"," ./package.nix
+}
+
+setKV version "${VERSION}"
+setKV hash "${HASH}"
+setKV updateJobProxy.imageDigest "$(jq -r .imageDigest "$temp_dir/dependabot-update-job-proxy.json")"
+setKV updateJobProxy.hash "$(jq -r .hash "$temp_dir/dependabot-update-job-proxy.json")"
+setKV updaterGitHubActions.imageDigest "$(jq -r .imageDigest "$temp_dir/dependabot-updater-github-actions.json")"
+setKV updaterGitHubActions.hash "$(jq -r .hash "$temp_dir/dependabot-updater-github-actions.json")"
+
+# We need to figure out the vendorHash for this new version, so we initially set it to `lib.fakeHash`
+FAKE_HASH="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
+setKV vendorHash "$FAKE_HASH"
+
+set +e
+VENDOR_HASH="$(nix-build --no-out-link --log-format internal-json -A dependabot-cli "$NIXPKGS_PATH" 2>&1 >/dev/null | grep "$FAKE_HASH" | grep -o "sha256-[^\\]*" | tail -1)"
+set -e
+setKV vendorHash "$VENDOR_HASH"
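Review bot: When the `nix-build` probe fails for any reason other than the expected hash mismatch, `VENDOR_HASH` comes back empty (errors are suppressed by `set +e`) and the final `setKV vendorHash "$VENDOR_HASH"` writes an empty value into package.nix while the script still exits 0. Add a guard before that last call, e.g. `[ -n "$VENDOR_HASH" ] || { echo "could not determine vendorHash" >&2; exit 1; }`. Separately, `setKV` splices its arguments into a `sed` expression that uses `,` as delimiter, and `VERSION` comes straight from the release API response. Checking its shape first, `[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || exit 1`, keeps an unexpected tag name out of both the substitution and the download URL. `setKV hash` also matches the two `*.hash = "` lines, which works only because the image hashes are set afterwards, so that ordering deserves a comment. The `cd $(dirname ...)` near the top should be quoted.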