From f7a0d5a3d011b598138be1a464da3e3d9faad978 Mon Sep 17 00:00:00 2001
From: sterni <sternenseemann@systemli.org>
Date: Fri, 4 Feb 2022 19:46:48 +0100
Subject: refactor(rust-crates-advisory): split code for buildkite and report

Rename check-all-our-lock-files to tree-lock-file-report and pull out
all the buildkite-specific code which makes the code less awkward.
check-all-our-lock-files is then only executed in extraSteps and runs
tree-lock-file-report on depot, adding it as a warning to the pipeline
if it is non-empty.

Change-Id: If6bd236d90cc680cba0ed4e988f2f28ddb8012d6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5229
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
---
 tools/rust-crates-advisory/default.nix | 48 ++++++++++++++++++++--------------
 1 file changed, 28 insertions(+), 20 deletions(-)

diff --git a/tools/rust-crates-advisory/default.nix b/tools/rust-crates-advisory/default.nix
index 3b38aa9b91..41a8da9165 100644
--- a/tools/rust-crates-advisory/default.nix
+++ b/tools/rust-crates-advisory/default.nix
@@ -4,6 +4,7 @@ let
 
   bins =
     depot.nix.getBins pkgs.s6-portable-utils [ "s6-ln" "s6-cat" "s6-echo" "s6-mkdir" "s6-test" "s6-touch" "s6-dirname" ]
+    // depot.nix.getBins pkgs.coreutils [ "printf" ]
     // depot.nix.getBins pkgs.lr [ "lr" ]
     // depot.nix.getBins pkgs.cargo-audit [ "cargo-audit" ]
     // depot.nix.getBins pkgs.jq [ "jq" ]
@@ -161,13 +162,16 @@ let
     exit "''${PIPESTATUS[0]}" # inherit exit code from cargo-audit
   '';
 
-  check-all-our-lock-files = depot.nix.writeExecline "check-all-our-lock-files" { } [
+  tree-lock-file-report = depot.nix.writeExecline "tree-lock-file-report"
+    {
+      readNArgs = 1;
+    } [
     "backtick"
     "-E"
     "report"
     [
       "pipeline"
-      [ bins.find "." "-name" "Cargo.lock" "-and" "-type" "f" "-print0" ]
+      [ bins.find "$1" "-name" "Cargo.lock" "-and" "-type" "f" "-print0" ]
       "forstdin"
       "-E"
       "-0"
@@ -187,27 +191,31 @@ let
       "false"
     ]
     "if"
-    [ depot.tools.eprintf "%s\n" "$report" ]
-    "ifelse"
-    [ bins.s6-test "-z" "$report" ]
+    [ bins.printf "%s\n" "$report" ]
     # empty report implies success (no advisories)
-    [ "exit" "0" ]
-    # If we reach this point, we know that the report is non-empty, so we should
-    # only continue without one if we are running in buildkite.
-    "if"
+    bins.s6-test
+    "-z"
+    "$report"
+  ];
+
+  check-all-our-lock-files = depot.nix.writeExecline "check-all-our-lock-files" { } [
+    "backtick"
+    "-EI"
+    "report"
+    [
+      tree-lock-file-report
+      "."
+    ]
+    "ifelse"
     [
-      "importas"
-      "-D"
-      ""
-      "BUILDKITE_BUILD_ID"
-      "BUILDKITE_BUILD_ID"
       bins.s6-test
-      "-n"
-      "$BUILDKITE_BUILD_ID"
+      "-z"
+      "$report"
+    ]
+    [
+      "exit"
+      "0"
     ]
-    # If we're running in buildkite, annotate the pipeline run with the report
-    # as a warning. Only fail if something goes wrong with buildkite-agent
-    # which is assumed to be in PATH.
     "pipeline"
     [
       "printf"
@@ -236,7 +244,7 @@ depot.nix.readTree.drvTargets {
     ;
 
 
-  check-all-our-lock-files = check-all-our-lock-files // {
+  tree-lock-file-report = tree-lock-file-report // {
     meta.ci.extraSteps.run = {
       label = "Check Cargo.lock files in depot for advisories";
       alwaysRun = true;
-- 
cgit 1.4.1