Merge pull request 'vendor writePureShellScriptBin' (#68) from lassulus-HEAD into main

Reviewed-on: #68
2023-08-03 15:36:39 +00:00 · 2023-08-03 15:36:39 +00:00 · c5dfc0e932
commit c5dfc0e932
parent 2d8c393bb5 93ac4a7dea
2 changed files with 122 additions and 20 deletions
--- a/pkgs/flake-module.nix
+++ b/pkgs/flake-module.nix
@ -1,26 +1,30 @@
 { ... }: {
  perSystem = { pkgs, config, ... }: {
-    packages = {
-      inherit (pkgs.callPackage ./renovate { }) renovate;
-      gitea = pkgs.callPackage ./gitea { };
+    packages =
+      let
+        writers = pkgs.callPackage ./writers.nix { };
+      in
+      {
+        inherit (pkgs.callPackage ./renovate { }) renovate;
+        gitea = pkgs.callPackage ./gitea { };

-      action-create-pr = pkgs.callPackage ./action-create-pr {
-        inherit (config.writers) writePureShellScriptBin;
+        action-create-pr = pkgs.callPackage ./action-create-pr {
+          inherit (writers) writePureShellScriptBin;
+        };
+        action-ensure-tea-login = pkgs.callPackage ./action-ensure-tea-login {
+          inherit (writers) writePureShellScriptBin;
+        };
+        action-flake-update = pkgs.callPackage ./action-flake-update {
+          inherit (writers) writePureShellScriptBin;
+        };
+        action-flake-update-pr-clan = pkgs.callPackage ./action-flake-update-pr-clan {
+          inherit (writers) writePureShellScriptBin;
+          inherit (config.packages) action-ensure-tea-login action-create-pr action-flake-update;
+        };
+        inherit (pkgs.callPackages ./job-flake-updates {
+          inherit (writers) writePureShellScriptBin;
+          inherit (config.packages) action-flake-update-pr-clan;
+        }) job-flake-update-clan-core job-flake-update-clan-homepage job-flake-update-clan-infra;
      };
-      action-ensure-tea-login = pkgs.callPackage ./action-ensure-tea-login {
-        inherit (config.writers) writePureShellScriptBin;
-      };
-      action-flake-update = pkgs.callPackage ./action-flake-update {
-        inherit (config.writers) writePureShellScriptBin;
-      };
-      action-flake-update-pr-clan = pkgs.callPackage ./action-flake-update-pr-clan {
-        inherit (config.writers) writePureShellScriptBin;
-        inherit (config.packages) action-ensure-tea-login action-create-pr action-flake-update;
-      };
-      inherit (pkgs.callPackages ./job-flake-updates {
-        inherit (config.writers) writePureShellScriptBin;
-        inherit (config.packages) action-flake-update-pr-clan;
-      }) job-flake-update-clan-core job-flake-update-clan-homepage job-flake-update-clan-infra;
-    };
  };
 }
--- a/pkgs/writers.nix
+++ b/pkgs/writers.nix
@ -0,0 +1,98 @@
+{ lib
+, bash
+, coreutils
+, gawk
+, path
+, # nixpkgs path
+  writeScript
+, writeScriptBin
+, ...
+}:
+let
+  # Create a script that runs in a `pure` environment, in the sense that:
+  #   - the behavior is similar to `nix-shell --pure`
+  #   - `PATH` only contains exactly the packages passed via the `PATH` arg
+  #   - `NIX_PATH` is set to the path of the current `pkgs`
+  #   - `TMPDIR` is set up and cleaned up even if the script fails
+  #   - out, if set, is kept as-is
+  #   - all environment variables are unset, except:
+  #     - the ones listed in `keepVars` defined in ./default.nix
+  #     - the ones listed via the `KEEP_VARS` variable
+  writePureShellScript = PATH: script:
+    writeScript "script.sh" (mkScript PATH script);
+
+  # Creates a script in a `bin/` directory in the output; suitable for use with `lib.makeBinPath`, etc.
+  # See {option}`writers.writePureShellScript`
+  writePureShellScriptBin = binName: PATH: script:
+    writeScriptBin binName (mkScript PATH script);
+
+  mkScript = PATH: scriptText: ''
+    #!${bash}/bin/bash
+    set -Eeuo pipefail
+
+    export PATH="${lib.makeBinPath PATH}"
+    export NIX_PATH=nixpkgs=${path}
+
+    export TMPDIR=$(${coreutils}/bin/mktemp -d)
+
+    trap "${coreutils}/bin/chmod -R +w '$TMPDIR'; ${coreutils}/bin/rm -rf '$TMPDIR'" EXIT
+
+    if [ -z "''${IMPURE:-}" ]; then
+      ${cleanEnv}
+    fi
+
+    ${scriptText}
+  '';
+
+  # list taken from nix source: src/nix-build/nix-build.cc
+  keepVars = lib.concatStringsSep " " [
+    "HOME"
+    "XDG_RUNTIME_DIR"
+    "USER"
+    "LOGNAME"
+    "DISPLAY"
+    "WAYLAND_DISPLAY"
+    "WAYLAND_SOCKET"
+    "PATH"
+    "TERM"
+    "IN_NIX_SHELL"
+    "NIX_SHELL_PRESERVE_PROMPT"
+    "TZ"
+    "PAGER"
+    "NIX_BUILD_SHELL"
+    "SHLVL"
+    "http_proxy"
+    "https_proxy"
+    "ftp_proxy"
+    "all_proxy"
+    "no_proxy"
+
+    # We want to keep our own variables as well
+    "out"
+    "IMPURE"
+    "KEEP_VARS"
+    "NIX_PATH"
+    "TMPDIR"
+  ];
+
+  cleanEnv = ''
+
+    KEEP_VARS="''${KEEP_VARS:-}"
+
+    unsetVars=$(
+      ${coreutils}/bin/comm \
+        <(${gawk}/bin/awk 'BEGIN{for(v in ENVIRON) print v}' | ${coreutils}/bin/cut -d = -f 1 | ${coreutils}/bin/sort) \
+        <(echo "${keepVars} $KEEP_VARS" | ${coreutils}/bin/tr " " "\n" | ${coreutils}/bin/sort) \
+        -2 \
+        -3
+    )
+
+    unset $unsetVars
+  '';
+in
+{
+  inherit
+    writePureShellScript
+    writePureShellScriptBin
+    ;
+}