Merge pull request #101 from DeterminateSystems/gustavderdrache/write-correlation

Write correlation data to /var/lib/determinate

Author: gustavderdrache

dist/index.d.ts

@@ -13,11 +13,13 @@ export type AnonymizedCorrelationHashes = {
   run?: string;
   run_differentiator?: string;
   workflow?: string;
+  job?: string;
   groups: Record<string, string | undefined>;
+  is_ci: boolean;
 };
 
 export function identify(projectName: string): AnonymizedCorrelationHashes {
-  const ident = {
+  const ident: AnonymizedCorrelationHashes = {
     correlation_source: "github-actions",
 
     repository: hashEnvironmentVariables("GHR", [
@@ -76,6 +78,7 @@ export function identify(projectName: string): AnonymizedCorrelationHashes {
         "GITHUB_REPOSITORY_OWNER_ID",
       ]),
     },
+    is_ci: true,
   };
 
   actionsCore.debug("Correlation data:");

dist/index.js

@@ -38,6 +38,7 @@ const EVENT_ARTIFACT_CACHE_HIT = "artifact_cache_hit";
 const EVENT_ARTIFACT_CACHE_MISS = "artifact_cache_miss";
 const EVENT_ARTIFACT_CACHE_PERSIST = "artifact_cache_persist";
 const EVENT_PREFLIGHT_REQUIRE_NIX_DENIED = "preflight-require-nix-denied";
+const EVENT_STORE_IDENTITY_FAILED = "store_identity_failed";
 
 const FACT_ARTIFACT_FETCHED_FROM_CACHE = "artifact_fetched_from_cache";
 const FACT_ENDED_WITH_EXCEPTION = "ended_with_exception";
@@ -172,6 +173,64 @@ export type DiagnosticEvent = {
   uuid: UUID;
 };
 
+const determinateStateDir = "/var/lib/determinate";
+const determinateIdentityFile = path.join(determinateStateDir, "identity.json");
+
+const isRoot = os.userInfo().uid === 0;
+
+/** Create the Determinate state directory by escalating via sudo */
+async function sudoEnsureDeterminateStateDir(): Promise<void> {
+  const code = await actionsExec.exec("sudo", [
+    "mkdir",
+    "-p",
+    determinateStateDir,
+  ]);
+
+  if (code !== 0) {
+    throw new Error(`sudo mkdir -p exit: ${code}`);
+  }
+}
+
+/** Ensures the Determinate state directory exists, escalating if necessary */
+async function ensureDeterminateStateDir(): Promise<void> {
+  if (isRoot) {
+    await mkdir(determinateStateDir, { recursive: true });
+  } else {
+    return sudoEnsureDeterminateStateDir();
+  }
+}
+
+/** Writes correlation hashes to the Determinate state directory by writing to a `sudo tee` pipe */
+async function sudoWriteCorrelationHashes(hashes: string): Promise<void> {
+  const buffer = Buffer.from(hashes);
+
+  const code = await actionsExec.exec(
+    "sudo",
+    ["tee", determinateIdentityFile],
+    {
+      input: buffer,
+
+      // Ignore output from tee
+      outStream: createWriteStream("/dev/null"),
+    },
+  );
+
+  if (code !== 0) {
+    throw new Error(`sudo tee exit: ${code}`);
+  }
+}
+
+/** Writes correlation hashes to the Determinate state directory, escalating if necessary */
+async function writeCorrelationHashes(hashes: string): Promise<void> {
+  await ensureDeterminateStateDir();
+
+  if (isRoot) {
+    await fs.writeFile(determinateIdentityFile, hashes, "utf-8");
+  } else {
+    return sudoWriteCorrelationHashes(hashes);
+  }
+}
+
 export abstract class DetSysAction {
   nixStoreTrust: NixStoreTrust;
   strictMode: boolean;
@@ -428,9 +487,13 @@ export abstract class DetSysAction {
     try {
       await this.checkIn();
 
-      process.env.DETSYS_CORRELATION = JSON.stringify(
-        this.getCorrelationHashes(),
-      );
+      const correlationHashes = JSON.stringify(this.getCorrelationHashes());
+      process.env.DETSYS_CORRELATION = correlationHashes;
+      try {
+        await writeCorrelationHashes(correlationHashes);
+      } catch (error) {
+        this.recordEvent(EVENT_STORE_IDENTITY_FAILED, { error: String(error) });
+      }
 
       if (!(await this.preflightRequireNix())) {
         this.recordEvent(EVENT_PREFLIGHT_REQUIRE_NIX_DENIED);