diff --git a/.gitea/workflows/nix.yml b/.gitea/workflows/build.yml similarity index 56% rename from .gitea/workflows/nix.yml rename to .gitea/workflows/build.yml index 36651a5..3b7cfe7 100644 --- a/.gitea/workflows/nix.yml +++ b/.gitea/workflows/build.yml @@ -1,12 +1,12 @@ -name: Nix +name: Build on: - push - pull_request jobs: - tests: - name: NixOS tests + dist: + name: Create distribution runs-on: ubuntu-latest steps: - name: Checkout @@ -30,17 +30,21 @@ jobs: - name: Restore Nix store uses: nix-community/cache-nix-action@v5 with: - primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix') }} - restore-prefixes-first-match: nix-${{ runner.os }}- + primary-key: nix-small-${{ runner.os }}-${{ hashFiles('**/*.nix') }} + restore-prefixes-first-match: nix-small-${{ runner.os }}- - - name: Run tests - run: | - nix --print-build-logs --experimental-features 'nix-command flakes' flake check --all-systems - nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.nixos-tests + - name: Build for test + id: build-test + run: >- + export FORTIFY_REV="$(git rev-parse --short HEAD)" && + sed -i.old 's/version = /version = "0.0.0-'$FORTIFY_REV'"; # version = /' package.nix && + nix build --print-out-paths --print-build-logs .#dist && + mv package.nix.old package.nix && + echo "rev=$FORTIFY_REV" >> $GITHUB_OUTPUT - - name: Upload test output + - name: Upload test build uses: actions/upload-artifact@v3 with: - name: "result" + name: "fortify-${{ steps.build-test.outputs.rev }}" path: result/* retention-days: 1 diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml index 545274d..40827d2 100644 --- a/.gitea/workflows/release.yml +++ b/.gitea/workflows/release.yml @@ -1,53 +1,52 @@ -name: Create distribution +name: Release on: push: tags: - - '*' + - 'v*' jobs: release: - name: Release + name: Create release runs-on: ubuntu-latest - container: - image: node:16-bookworm-slim steps: - - name: Get dependencies - run: >- - echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list.d/backports.list && - apt-get update && - apt-get install -y - acl - git - gcc - pkg-config - libwayland-dev - wayland-protocols/bookworm-backports - libxcb1-dev - libacl1-dev - if: ${{ runner.os == 'Linux' }} - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Setup go uses: https://github.com/actions/setup-go@v5 with: go-version: '>=1.23.0' - - name: Go generate + - name: Install Nix + uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + with: + # explicitly enable sandbox + install_options: --daemon + extra_nix_config: | + sandbox = true + system-features = nixos-test benchmark big-parallel kvm + enable_kvm: true + + - name: Ensure environment run: >- - go generate ./... + apt-get update && apt-get install -y sqlite3 + if: ${{ runner.os == 'Linux' }} + + - name: Restore Nix store + uses: nix-community/cache-nix-action@v5 + with: + primary-key: nix-small-${{ runner.os }}-${{ hashFiles('**/*.nix') }} + restore-prefixes-first-match: nix-small-${{ runner.os }}- - name: Build for release - run: FORTIFY_VERSION='${{ github.ref_name }}' ./dist/release.sh + id: build-test + run: nix build --print-out-paths --print-build-logs .#dist - name: Release id: use-go-action uses: https://gitea.com/actions/release-action@main with: files: |- - dist/fortify-** + result/fortify-** api_key: '${{secrets.RELEASE_TOKEN}}' diff --git a/.gitea/workflows/test.yml b/.gitea/workflows/test.yml index 9add0f4..4d7a871 100644 --- a/.gitea/workflows/test.yml +++ b/.gitea/workflows/test.yml @@ -1,62 +1,46 @@ -name: Tests +name: Test on: - push - pull_request jobs: - test: - name: Go tests + tests: + name: Run NixOS test runs-on: ubuntu-latest - container: - image: node:16-bookworm-slim steps: - - name: Enable backports - run: >- - echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list.d/backports.list - if: ${{ runner.os == 'Linux' }} + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Install Nix + uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + with: + # explicitly enable sandbox + install_options: --daemon + extra_nix_config: | + sandbox = true + system-features = nixos-test benchmark big-parallel kvm + enable_kvm: true - name: Ensure environment run: >- - apt-get update && apt-get install -y curl wget sudo libxml2 + apt-get update && apt-get install -y sqlite3 if: ${{ runner.os == 'Linux' }} - - name: Get dependencies - uses: awalsh128/cache-apt-pkgs-action@latest + - name: Restore Nix store + uses: nix-community/cache-nix-action@v5 with: - packages: acl git gcc pkg-config libwayland-dev wayland-protocols/bookworm-backports libxcb1-dev libacl1-dev - version: 1.0 - #execute_install_scripts: true - if: ${{ runner.os == 'Linux' }} - - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Setup go - uses: https://github.com/actions/setup-go@v5 - with: - go-version: '>=1.23.0' - - - name: Go generate - run: >- - go generate ./... + primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix') }} + restore-prefixes-first-match: nix-${{ runner.os }}- - name: Run tests - run: >- - go test ./... + run: | + nix --print-build-logs --experimental-features 'nix-command flakes' flake check --all-systems + nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.nixos-tests - - name: Build for test - id: build-test - run: >- - FORTIFY_VERSION="$(git rev-parse --short HEAD)" - bash -c './dist/release.sh && - echo "rev=$FORTIFY_VERSION" >> $GITHUB_OUTPUT' - - - name: Upload test build + - name: Upload test output uses: actions/upload-artifact@v3 with: - name: "fortify-${{ steps.build-test.outputs.rev }}" - path: dist/fortify-* + name: "result" + path: result/* retention-days: 1 diff --git a/acl/c.go b/acl/c.go index 4bbc549..7609e14 100644 --- a/acl/c.go +++ b/acl/c.go @@ -9,7 +9,7 @@ import ( ) /* -#cgo linux pkg-config: libacl +#cgo linux pkg-config: --static libacl #include #include diff --git a/dist/release.sh b/dist/release.sh index 9d2ca3f..15d7d9f 100755 --- a/dist/release.sh +++ b/dist/release.sh @@ -8,7 +8,8 @@ mkdir -p "${out}" cp -v "README.md" "dist/fsurc.default" "dist/install.sh" "${out}" cp -rv "comp" "${out}" -go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w +go generate ./... +go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-static' -X git.gensokyo.uk/security/fortify/internal.Version=${VERSION} -X git.gensokyo.uk/security/fortify/internal.Fortify=/usr/bin/fortify -X git.gensokyo.uk/security/fortify/internal.Fsu=/usr/bin/fsu diff --git a/flake.nix b/flake.nix index 7e156a3..0277975 100644 --- a/flake.nix +++ b/flake.nix @@ -95,72 +95,114 @@ packages = forAllSystems ( system: let + inherit (self.packages.${system}) fortify; pkgs = nixpkgsFor.${system}; in { default = self.packages.${system}.fortify; - fortify = pkgs.callPackage ./package.nix { }; + + dist = + pkgs.runCommand "${fortify.name}-dist" { inherit (self.devShells.${system}.default) buildInputs; } + '' + # go requires XDG_CACHE_HOME for the build cache + export XDG_CACHE_HOME="$(mktemp -d)" + + # get a different workdir as go does not like /build + cd $(mktemp -d) && cp -r ${fortify.src}/. . && chmod -R +w . + + export FORTIFY_VERSION="v${fortify.version}" + ./dist/release.sh && mkdir $out && cp -v "dist/fortify-$FORTIFY_VERSION.tar.gz"* $out + ''; + + fhs = pkgs.buildFHSEnv { + pname = "fortify-fhs"; + inherit (fortify) version; + targetPkgs = + pkgs: + with pkgs; + [ + go + gcc + pkg-config + wayland-scanner + ] + ++ ( + with pkgs.pkgsStatic; + [ + musl + libffi + acl + wayland + wayland-protocols + ] + ++ (with xorg; [ + libxcb + libXau + libXdmcp + + xorgproto + ]) + ); + extraOutputsToInstall = [ "dev" ]; + profile = '' + export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH" + ''; + }; } ); - devShells = forAllSystems (system: { - default = nixpkgsFor.${system}.mkShell { - buildInputs = with nixpkgsFor.${system}; self.packages.${system}.fortify.buildInputs; - }; - - fhs = nixpkgsFor.${system}.buildFHSEnv { - pname = "fortify-fhs"; - inherit (self.packages.${system}.fortify) version; - targetPkgs = - pkgs: with pkgs; [ - go - gcc - pkg-config - acl - wayland - wayland-scanner - wayland-protocols - xorg.libxcb - ]; - extraOutputsToInstall = [ "dev" ]; - profile = '' - export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH" - ''; - }; - - withPackage = nixpkgsFor.${system}.mkShell { - buildInputs = - with nixpkgsFor.${system}; - self.packages.${system}.fortify.buildInputs ++ [ self.packages.${system}.fortify ]; - }; - - generateDoc = - let - pkgs = nixpkgsFor.${system}; - inherit (pkgs) lib; - - doc = - let - eval = lib.evalModules { - specialArgs = { - inherit pkgs; - }; - modules = [ ./options.nix ]; - }; - cleanEval = lib.filterAttrsRecursive (n: _: n != "_module") eval; - in - pkgs.nixosOptionsDoc { inherit (cleanEval) options; }; - docText = pkgs.runCommand "fortify-module-docs.md" { } '' - cat ${doc.optionsCommonMark} > $out - sed -i '/*Declared by:*/,+1 d' $out - ''; - in - nixpkgsFor.${system}.mkShell { - shellHook = '' - exec cat ${docText} > options.md - ''; + devShells = forAllSystems ( + system: + let + inherit (self.packages.${system}) fortify fhs; + pkgs = nixpkgsFor.${system}; + in + { + default = pkgs.mkShell { + buildInputs = + with pkgs; + [ + go + gcc + ] + ++ fortify.buildInputs + ++ fortify.nativeBuildInputs; }; - }); + + fhs = fhs.env; + + withPackage = nixpkgsFor.${system}.mkShell { + buildInputs = [ self.packages.${system}.fortify ] ++ self.devShells.${system}.default.buildInputs; + }; + + generateDoc = + let + pkgs = nixpkgsFor.${system}; + inherit (pkgs) lib; + + doc = + let + eval = lib.evalModules { + specialArgs = { + inherit pkgs; + }; + modules = [ ./options.nix ]; + }; + cleanEval = lib.filterAttrsRecursive (n: _: n != "_module") eval; + in + pkgs.nixosOptionsDoc { inherit (cleanEval) options; }; + docText = pkgs.runCommand "fortify-module-docs.md" { } '' + cat ${doc.optionsCommonMark} > $out + sed -i '/*Declared by:*/,+1 d' $out + ''; + in + nixpkgsFor.${system}.mkShell { + shellHook = '' + exec cat ${docText} > options.md + ''; + }; + } + ); }; } diff --git a/package.nix b/package.nix index 51e29c6..85a3859 100644 --- a/package.nix +++ b/package.nix @@ -1,15 +1,11 @@ { lib, buildGoModule, - makeBinaryWrapper, xdg-dbus-proxy, bubblewrap, + pkgsStatic, pkg-config, - acl, - wayland, wayland-scanner, - wayland-protocols, - xorg, }: buildGoModule rec { @@ -27,19 +23,13 @@ buildGoModule rec { lib.attrsets.foldlAttrs ( ldflags: name: value: - ldflags - ++ [ - "-X" - "git.gensokyo.uk/security/fortify/internal.${name}=${value}" - ] + ldflags ++ [ "-X git.gensokyo.uk/security/fortify/internal.${name}=${value}" ] ) [ - "-s" - "-w" - "-X" - "main.Fmain=${placeholder "out"}/libexec/fortify" - "-X" - "main.Fshim=${placeholder "out"}/libexec/fshim" + "-s -w" + "-extldflags '-static'" + "-X main.Fmain=${placeholder "out"}/libexec/fortify" + "-X main.Fshim=${placeholder "out"}/libexec/fshim" ] { Version = "v${version}"; @@ -51,17 +41,26 @@ buildGoModule rec { # nix build environment does not allow acls GO_TEST_SKIP_ACL = 1; - buildInputs = [ - acl - wayland - wayland-protocols - xorg.libxcb - ]; + buildInputs = + # cannot find a cleaner way to do this + with pkgsStatic; + [ + musl + libffi + acl + wayland + wayland-protocols + ] + ++ (with xorg; [ + libxcb + libXau + libXdmcp + ]); nativeBuildInputs = [ pkg-config wayland-scanner - makeBinaryWrapper + pkgsStatic.makeBinaryWrapper ]; preConfigure = '' diff --git a/test.nix b/test.nix index d25a187..837927a 100644 --- a/test.nix +++ b/test.nix @@ -51,7 +51,7 @@ nixosTest { mako # For go tests: - self.devShells.${system}.fhs + self.packages.${system}.fhs ]; variables = { diff --git a/wl/c.go b/wl/c.go index 97c641b..b571e06 100644 --- a/wl/c.go +++ b/wl/c.go @@ -4,12 +4,13 @@ package wl //go:generate sh -c "wayland-scanner private-code `pkg-config --variable=datarootdir wayland-protocols`/wayland-protocols/staging/security-context/security-context-v1.xml security-context-v1-protocol.c" /* -#cgo linux pkg-config: wayland-client +#cgo linux pkg-config: --static wayland-client #cgo freebsd openbsd LDFLAGS: -lwayland-client #include #include #include +#include #include #include diff --git a/xcb/c.go b/xcb/c.go index 3138c1d..f2703f9 100644 --- a/xcb/c.go +++ b/xcb/c.go @@ -6,7 +6,7 @@ import ( ) /* -#cgo linux pkg-config: xcb +#cgo linux pkg-config: --static xcb #include #include