From 93ac4a7dea8e2ac6b0b24b74565f758065786f72 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Thu, 3 Aug 2023 17:22:30 +0200
Subject: [PATCH] vendor writePureShellScriptBin

---
 pkgs/flake-module.nix | 44 ++++++++++---------
 pkgs/writers.nix | 98 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 122 insertions(+), 20 deletions(-)
 create mode 100644 pkgs/writers.nix

diff --git a/pkgs/flake-module.nix b/pkgs/flake-module.nix
index 5d9985e..32605a4 100644
--- a/pkgs/flake-module.nix
+++ b/pkgs/flake-module.nix
@@ -1,26 +1,30 @@
 { ... }: {
 perSystem = { pkgs, config, ... }: {
- packages = {
- inherit (pkgs.callPackage ./renovate { }) renovate;
- gitea = pkgs.callPackage ./gitea { };
+ packages =
+ let
+ writers = pkgs.callPackage ./writers.nix { };
+ in
+ {
+ inherit (pkgs.callPackage ./renovate { }) renovate;
+ gitea = pkgs.callPackage ./gitea { };
 
- action-create-pr = pkgs.callPackage ./action-create-pr {
- inherit (config.writers) writePureShellScriptBin;
+ action-create-pr = pkgs.callPackage ./action-create-pr {
+ inherit (writers) writePureShellScriptBin;
+ };
+ action-ensure-tea-login = pkgs.callPackage ./action-ensure-tea-login {
+ inherit (writers) writePureShellScriptBin;
+ };
+ action-flake-update = pkgs.callPackage ./action-flake-update {
+ inherit (writers) writePureShellScriptBin;
+ };
+ action-flake-update-pr-clan = pkgs.callPackage ./action-flake-update-pr-clan {
+ inherit (writers) writePureShellScriptBin;
+ inherit (config.packages) action-ensure-tea-login action-create-pr action-flake-update;
+ };
+ inherit (pkgs.callPackages ./job-flake-updates {
+ inherit (writers) writePureShellScriptBin;
+ inherit (config.packages) action-flake-update-pr-clan;
+ }) job-flake-update-clan-core job-flake-update-clan-homepage job-flake-update-clan-infra;
 };
- action-ensure-tea-login = pkgs.callPackage ./action-ensure-tea-login {
- inherit (config.writers) writePureShellScriptBin;
- };
- action-flake-update = pkgs.callPackage ./action-flake-update {
- inherit (config.writers) writePureShellScriptBin;
- };
- action-flake-update-pr-clan = pkgs.callPackage ./action-flake-update-pr-clan {
- inherit (config.writers) writePureShellScriptBin;
- inherit (config.packages) action-ensure-tea-login action-create-pr action-flake-update;
- };
- inherit (pkgs.callPackages ./job-flake-updates {
- inherit (config.writers) writePureShellScriptBin;
- inherit (config.packages) action-flake-update-pr-clan;
- }) job-flake-update-clan-core job-flake-update-clan-homepage job-flake-update-clan-infra;
- };
 };
 }
diff --git a/pkgs/writers.nix b/pkgs/writers.nix
new file mode 100644
index 0000000..a50c04e
--- /dev/null
+++ b/pkgs/writers.nix
@@ -0,0 +1,98 @@
+{ lib
+, bash
+, coreutils
+, gawk
+, path
+, # nixpkgs path
+ writeScript
+, writeScriptBin
+, ...
+}:
+let
+ # Create a script that runs in a `pure` environment, in the sense that:
+ # - the behavior is similar to `nix-shell --pure`
+ # - `PATH` only contains exactly the packages passed via the `PATH` arg
+ # - `NIX_PATH` is set to the path of the current `pkgs`
+ # - `TMPDIR` is set up and cleaned up even if the script fails
+ # - out, if set, is kept as-is
+ # - all environment variables are unset, except:
+ # - the ones listed in `keepVars` defined in ./default.nix
+ # - the ones listed via the `KEEP_VARS` variable
+ writePureShellScript = PATH: script:
+ writeScript "script.sh" (mkScript PATH script);
+
+ # Creates a script in a `bin/` directory in the output; suitable for use with `lib.makeBinPath`, etc.
+ # See {option}`writers.writePureShellScript`
+ writePureShellScriptBin = binName: PATH: script:
+ writeScriptBin binName (mkScript PATH script);
+
+ mkScript = PATH: scriptText: ''
+ #!${bash}/bin/bash
+ set -Eeuo pipefail
+
+ export PATH="${lib.makeBinPath PATH}"
+ export NIX_PATH=nixpkgs=${path}
+
+ export TMPDIR=$(${coreutils}/bin/mktemp -d)
+
+ trap "${coreutils}/bin/chmod -R +w '$TMPDIR'; ${coreutils}/bin/rm -rf '$TMPDIR'" EXIT
+
+ if [ -z "''${IMPURE:-}" ]; then
+ ${cleanEnv}
+ fi
+
+ ${scriptText}
+ '';
+
+ # list taken from nix source: src/nix-build/nix-build.cc
+ keepVars = lib.concatStringsSep " " [
+ "HOME"
+ "XDG_RUNTIME_DIR"
+ "USER"
+ "LOGNAME"
+ "DISPLAY"
+ "WAYLAND_DISPLAY"
+ "WAYLAND_SOCKET"
+ "PATH"
+ "TERM"
+ "IN_NIX_SHELL"
+ "NIX_SHELL_PRESERVE_PROMPT"
+ "TZ"
+ "PAGER"
+ "NIX_BUILD_SHELL"
+ "SHLVL"
+ "http_proxy"
+ "https_proxy"
+ "ftp_proxy"
+ "all_proxy"
+ "no_proxy"
+
+ # We want to keep our own variables as well
+ "out"
+ "IMPURE"
+ "KEEP_VARS"
+ "NIX_PATH"
+ "TMPDIR"
+ ];
+
+ cleanEnv = ''
+
+ KEEP_VARS="''${KEEP_VARS:-}"
+
+ unsetVars=$(
+ ${coreutils}/bin/comm \
+ <(${gawk}/bin/awk 'BEGIN{for(v in ENVIRON) print v}' | ${coreutils}/bin/cut -d = -f 1 | ${coreutils}/bin/sort) \
+ <(echo "${keepVars} $KEEP_VARS" | ${coreutils}/bin/tr " " "\n" | ${coreutils}/bin/sort) \
+ -2 \
+ -3
+ )
+
+ unset $unsetVars
+ '';
+in
+{
+ inherit
+ writePureShellScript
+ writePureShellScriptBin
+ ;
+}
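Review bot: In `mkScript`, `export TMPDIR=$(${coreutils}/bin/mktemp -d)` hides a failing `mktemp` from `set -e`, because the exit status of `export` replaces that of the command substitution, so the script would carry on with an empty `TMPDIR` and the `EXIT` trap would be installed with `''` as its target. Assign and export separately: `TMPDIR=$(${coreutils}/bin/mktemp -d)` followed by `export TMPDIR`. The header comment should also say that cleaning is opt-out from the caller's side: a non-empty `IMPURE` skips `cleanEnv` entirely and `KEEP_VARS` extends the keep list, and both are read from the invoking environment, so the wrapper gives reproducibility rather than isolation from whoever launches the script; I would add `# - cleaning is skipped when IMPURE is non-empty in the calling environment`. The same comment points to `./default.nix` for `keepVars`, which is defined in this file.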