From 8c33651e0c074c6b3855f6303e6bdca41ee3f77b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Wed, 22 Jul 2020 15:57:46 +0100
Subject: [PATCH 1/7] ci: add macOS support

---
 .github/workflows/test.yml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 5d4f066..a26d532 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -11,7 +11,8 @@ jobs:
 nixPath:
 - nixpkgs=channel:nixos-20.03
 - nixpkgs=channel:nixpkgs-unstable
- runs-on: ubuntu-latest
+ os: [ ubuntu-latest, macos-latest ]
+ runs-on: ${{ matrix.os }}
 steps:
 - uses: actions/checkout@v2
 - uses: cachix/install-nix-action@v10
@@ -29,9 +30,11 @@ jobs:
 if: matrix.nixPath == 'nixpkgs=channel:nixpkgs-unstable'
 - name: Build nix packages
 run: nix run nixpkgs.nix-build-uncached -c nix-build-uncached default.nix
- - name: Add keys group (needed for go tests)
- run: sudo groupadd keys
- - name: Run sops-install-secrets tests
- run: nix-shell --pure --run "$(command -v sudo) unshare --mount --fork go test ./pkgs/sops-install-secrets"
 - name: Run sops-pgp-hook tests
 run: nix-shell --pure --run "NIX_PATH=nixpkgs=$(nix-instantiate --find-file nixpkgs) go test ./pkgs/sops-pgp-hook"
+ - name: Add keys group (needed for go tests)
+ run: sudo groupadd keys
+ if: matrix.os == 'ubuntu-latest'
+ - name: Run sops-install-secrets tests
+ run: nix-shell --pure --run "$(command -v sudo) unshare --mount --fork go test ./pkgs/sops-install-secrets"
+ if: matrix.os == 'ubuntu-latest'

From 0d885b439f9bd178b5932f19b815075c0b898380 Mon Sep 17 00:00:00 2001
From: Andreas Fuchs
Date: Wed, 22 Jul 2020 09:11:42 -0400
Subject: [PATCH 2/7] Create a temporary GNUPGHOME dir

This should prevent the paths from getting unwieldy, we'll see.
---
 pkgs/ssh-to-pgp/main_test.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkgs/ssh-to-pgp/main_test.go b/pkgs/ssh-to-pgp/main_test.go
index bc39c78..d33860b 100644
--- a/pkgs/ssh-to-pgp/main_test.go
+++ b/pkgs/ssh-to-pgp/main_test.go
@@ -27,6 +27,10 @@ func TestCli(t *testing.T) {
 ok(t, err)
 defer os.RemoveAll(tempdir)
 
+ gpgHome := path.Join(tempdir, "gpg-home")
+ gpgEnv := append(os.Environ(), fmt.Sprintf("GNUPGHOME=%s", gpgHome))
+ ok(t, os.Mkdir(gpgHome, os.FileMode(0700)))
+
 out := path.Join(tempdir, "out")
 privKey := path.Join(assets, "id_rsa")
 cmds := [][]string{
@@ -41,6 +45,7 @@ func TestCli(t *testing.T) {
 cmd := exec.Command("gpg", "--with-fingerprint", "--show-key", out)
 cmd.Stdout = os.Stdout
 cmd.Stderr = os.Stderr
+ cmd.Env = gpgEnv
 ok(t, cmd.Run())
 }
 }

From 1279274ddc570c7c4065160ed80bafab8436aa96 Mon Sep 17 00:00:00 2001
From: Andreas Fuchs
Date: Wed, 22 Jul 2020 09:14:03 -0400
Subject: [PATCH 3/7] Use /tmp as the temporary dir for ssh-to-gpg

This isn't great: but it might prevent the agent from complaining.
---
 pkgs/ssh-to-pgp/main_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/ssh-to-pgp/main_test.go b/pkgs/ssh-to-pgp/main_test.go
index d33860b..784a678 100644
--- a/pkgs/ssh-to-pgp/main_test.go
+++ b/pkgs/ssh-to-pgp/main_test.go
@@ -23,7 +23,7 @@ func ok(tb testing.TB, err error) {
 func TestCli(t *testing.T) {
 _, filename, _, _ := runtime.Caller(0)
 assets := path.Join(path.Dir(filename), "test-assets")
- tempdir, err := ioutil.TempDir("", "testdir")
+ tempdir, err := ioutil.TempDir("/tmp", "testdir")
 ok(t, err)
 defer os.RemoveAll(tempdir)
 

From 5e95616f0fe9ee920218815e0ffb103f633de780 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Wed, 22 Jul 2020 15:41:43 +0100
Subject: [PATCH 4/7] use a shorter tempdir on macOS

By default macOS does something like this: /var/folders/08/j4g_jn953lngpvgmyg8dygk00000gn/T/ breaking unix socket paths of gnupg.
---
 pkgs/ssh-to-pgp/main_test.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/pkgs/ssh-to-pgp/main_test.go b/pkgs/ssh-to-pgp/main_test.go
index 784a678..3a29217 100644
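Review bot: The GNUPGHOME created here is torn down by the `defer os.RemoveAll(tempdir)` two lines above, but nothing stops a gpg-agent that gpg may auto-start for that home, so if one is started it outlives the test and is left pointing at a deleted directory; the "agent complaining" in the next commit message points the same way. Registering `kill := exec.Command("gpgconf", "--kill", "gpg-agent")`, `kill.Env = gpgEnv`, `defer kill.Run()` right after the `os.Mkdir` makes the kill run before the RemoveAll (defers run last-in, first-out), with the same ignore-error style as the existing RemoveAll defer. Setting GNUPGHOME via `append(os.Environ(), …)` is fine even when the variable is already present, since exec keeps the last value for a duplicated key; the same `gpgEnv` is what the second hunk assigns to `cmd.Env`. TestCli starts and ends outside the hunk.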
--- a/pkgs/ssh-to-pgp/main_test.go
+++ b/pkgs/ssh-to-pgp/main_test.go
@@ -20,10 +20,19 @@ func ok(tb testing.TB, err error) {
 }
 }
 
+func TempRoot() string {
+ if runtime.GOOS == "darwin" {
+ // macOS make its TEMPDIR long enough for unix socket to break
+ return "/tmp"
+ } else {
+ return os.TempDir()
+ }
+}
+
 func TestCli(t *testing.T) {
 _, filename, _, _ := runtime.Caller(0)
 assets := path.Join(path.Dir(filename), "test-assets")
- tempdir, err := ioutil.TempDir("/tmp", "testdir")
+ tempdir, err := ioutil.TempDir(TempRoot(), "testdir")
 ok(t, err)
 defer os.RemoveAll(tempdir)
 

From 4a41039ab3ffaa5749f880d2e2a558337d65b43a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Wed, 22 Jul 2020 23:12:13 +0100
Subject: [PATCH 5/7] mark sops-install-secrets as Linux only

---
 pkgs/sops-install-secrets/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/sops-install-secrets/default.nix b/pkgs/sops-install-secrets/default.nix
index bf7025f..fd25a6d 100644
--- a/pkgs/sops-install-secrets/default.nix
+++ b/pkgs/sops-install-secrets/default.nix
@@ -19,6 +19,6 @@ buildGoModule {
 homepage = "https://github.com/Mic92/sops-nix";
 license = licenses.mit;
 maintainers = with maintainers; [ mic92 ];
- platforms = platforms.unix;
+ platforms = platforms.linux;
 };
 }

From 71db50d5eb27a4e01b466336c4ba114b49f487ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Wed, 22 Jul 2020 23:20:24 +0100
Subject: [PATCH 6/7] add a release.nix

---
 .github/workflows/test.yml | 2 +-
 release.nix | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 release.nix

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a26d532..947e168 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
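Review bot: `TempRoot` is a new exported identifier with no doc comment, the `else` after a terminating `return` is unidiomatic Go, and the inner comment misnames the variable (macOS sets `TMPDIR`, not `TEMPDIR`) and is ungrammatical. Suggest `// TempRoot returns a temp directory root short enough for gnupg's unix socket paths; the macOS default is too long.` above the function, `// macOS's default TMPDIR is too long for gnupg's unix sockets` as the inner comment, and dropping the `else` so the body ends with `}` followed by `return os.TempDir()`. Because `/tmp` is shared and world-writable, it matters that the only thing created directly under it stays the fresh per-run directory from `ioutil.TempDir`, as the hunk already does. TestCli continues outside the hunk.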
@@ -29,7 +29,7 @@ jobs:
 run: nix-shell --pure --run "golangci-lint run"
 if: matrix.nixPath == 'nixpkgs=channel:nixpkgs-unstable'
 - name: Build nix packages
- run: nix run nixpkgs.nix-build-uncached -c nix-build-uncached default.nix
+ run: nix-build release.nix
 - name: Run sops-pgp-hook tests
 run: nix-shell --pure --run "NIX_PATH=nixpkgs=$(nix-instantiate --find-file nixpkgs) go test ./pkgs/sops-pgp-hook"
 - name: Add keys group (needed for go tests)
diff --git a/release.nix b/release.nix
new file mode 100644
index 0000000..451d933
--- /dev/null
+++ b/release.nix
@@ -0,0 +1,13 @@
+# This file filters out all the broken packages from your package set.
+# It's what gets built by CI, so if you correctly mark broken packages as
+# broken your CI will not try to build them and the non-broken packages will
+# be added to the cache.
+{ pkgs ? import {} }:
+
+pkgs.lib.filter (p:
+ (builtins.isAttrs p)
+ && !((builtins.hasAttr "meta" p)
+ && (((builtins.hasAttr "broken" p.meta) && (p.meta.broken))
+ || (builtins.hasAttr "available" p.meta && !p.meta.available))
+ && !((builtins.hasAttr "disabled" p) && (p.disabled))))
+ (pkgs.lib.collect (pkgs.lib.isDerivation) (import ./default.nix { inherit pkgs; }))

From b8d91d61aca5f0c1e85346cbeeda89b8fda4aa88 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Wed, 22 Jul 2020 23:46:05 +0100
Subject: [PATCH 7/7] restrict sops-install-secrets to linux

ramfs is not available elswhere.
---
 pkgs/sops-install-secrets/main.go | 2 ++
 pkgs/sops-install-secrets/main_test.go | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/pkgs/sops-install-secrets/main.go b/pkgs/sops-install-secrets/main.go
index d5ff75c..0e4c722 100644
--- a/pkgs/sops-install-secrets/main.go
+++ b/pkgs/sops-install-secrets/main.go
@@ -1,3 +1,5 @@
+// +build linux
+
 package main
 
 import (
diff --git a/pkgs/sops-install-secrets/main_test.go b/pkgs/sops-install-secrets/main_test.go
index abb6b22..31f3938 100644
--- a/pkgs/sops-install-secrets/main_test.go
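Review bot: The parenthesisation of the filter predicate puts the `disabled` test inside the negated group opened at `&& !((builtins.hasAttr "meta" p)`, so it evaluates as `isAttrs p && !(hasMeta && (broken || unavailable) && !disabled)`: a derivation with `disabled = true` is kept, and a broken derivation that is also disabled is kept too, which is the opposite of what the header comment describes. If the intent is to drop disabled packages as well, close the meta group after the `available` clause and make the last check its own conjunct: `|| (builtins.hasAttr "available" p.meta && !p.meta.available)))` followed by `&& !((builtins.hasAttr "disabled" p) && (p.disabled)))`. Since `pkgs.lib.collect pkgs.lib.isDerivation` already yields only derivations, the `builtins.isAttrs p` guard is always true; either drop it or mark it with a comment as a defensive check so the next reader does not look for a case it handles.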
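Review bot: The `// +build linux` constraint carries no explanation in the file itself; the reason is only in the commit message, and the same applies to the `main_test.go` hunk that follows. A line comment above it, e.g. `// ramfs, which this program relies on, is Linux-only.`, keeps the constraint self-explaining (the constraint must remain followed by the blank line before `package main`, as the hunk has it). From Go 1.17 on, `gofmt` adds the equivalent `//go:build linux` line above the `// +build` form automatically, so expect that line to appear on the next format.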
+++ b/pkgs/sops-install-secrets/main_test.go
@@ -1,3 +1,5 @@
+// +build linux
+
 package main
 
 import (