Merge pull request #603 from onekey-sec/nix-dependency-updater

Nix dependency updater

Author: qkaiser

.github/workflows/update-nix.yml

@@ -20,7 +20,26 @@ jobs:
       - name: Update flake.lock
         uses: DeterminateSystems/update-flake-lock@v19
         with:
+          token: ${{ secrets.CREATE_PR_TOKEN }}
           pr-title: "Update flake.lock" # Title of PR to be created
           pr-labels: | # Labels to be set on the PR
             dependencies
             automated
+
+  update-vendored:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: cachix/install-nix-action@v20
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+          extra_nix_config: |
+            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+      - uses: cachix/cachix-action@v12
+        with:
+          name: unblob
+          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+      - name: Update vendored package versions
+        env:
+          GITHUB_TOKEN: ${{ secrets.CREATE_PR_TOKEN }}
+        run: .github/workflows/update-vendored-nix-dependencies.py

.github/workflows/update-vendored-nix-dependencies.py

@@ -0,0 +1,96 @@
+#!/usr/bin/env nix-shell
+#! nix-shell -i python3 -p "python3.withPackages (ps: with ps; [ PyGithub ])" nvfetcher
+# pyright: reportMissingImports=false
+import subprocess
+from os import environ as env
+from pathlib import Path
+from tempfile import NamedTemporaryFile
+
+from github import Github
+from github.GithubException import GithubException
+from github.Repository import Repository
+
+API_TOKEN = env["GITHUB_TOKEN"]
+REPOSITORY = env["GITHUB_REPOSITORY"]
+BASE_BRANCH = env.get("GITHUB_BASE_BRANCH", "main")
+DRY_RUN = bool(env.get("GITHUB_DRY_RUN", False))
+
+USER_NAME = "github-actions[bot]"
+USER_EMAIL = "github-actions[bot]@users.noreply.github.com"
+
+
+def create_pr(
+    repo: Repository,
+    pr_branch_name: str,
+    pr_title: str,
+    pr_body: str,
+):
+    try:
+        repo.get_branch(pr_branch_name)
+        print(f"Branch '{pr_branch_name}' already exist. Skipping update.")
+    except GithubException as ex:
+        if ex.status != 404:
+            raise
+    else:
+        return
+
+    subprocess.run(["git", "add", "."], check=True)
+    subprocess.run(
+        ["git", "commit", "-m", f"{pr_title}\n\n{pr_body}"],
+        check=True,
+        env={
+            "GIT_AUTHOR_NAME": USER_NAME,
+            "GIT_COMMITTER_NAME": USER_NAME,
+            "GIT_AUTHOR_EMAIL": USER_EMAIL,
+            "GIT_COMMITTER_EMAIL": USER_EMAIL,
+        },
+    )
+    subprocess.run(["git", "push", "origin", f"+HEAD:{pr_branch_name}"], check=True)
+    pr = repo.create_pull(
+        title=pr_title, body=pr_body, head=pr_branch_name, base=BASE_BRANCH
+    )
+    pr.add_to_labels("automated", "dependencies")
+
+
+def update_dependencies():
+    with NamedTemporaryFile() as log:
+        subprocess.run(
+            ["nvfetcher", "--build-dir", "nix/_sources", "--changelog", log.name]
+        )
+        return Path(log.name).read_text()
+
+
+def main():
+    github = Github(API_TOKEN)
+
+    repo = github.get_repo(REPOSITORY)
+
+    changes = update_dependencies()
+    if not changes:
+        print("-- Everything is up-to date")
+        return
+
+    title = "chore(deps): Updating vendored nix dependencies"
+
+    body = f"""\
+### Changes in dependencies:
+
+{changes}
+"""
+
+    print(f"-- Creating PR\nTitle: {title}\nBody:\n{body}")
+    if DRY_RUN:
+        print("DRY-RUN: NOT creating PR...")
+        return
+
+    pr_branch_name = "refs/heads/update/nix-vendored-dependencies"
+    create_pr(
+        repo,
+        pr_branch_name,
+        title,
+        body,
+    )
+
+
+if __name__ == "__main__":
+    main()

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
-exclude: ^tests/integration|\.patch$
+exclude: ^tests/integration|\.patch|nix/_sources$
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.4.0

default.nix

@@ -0,0 +1,10 @@
+let
+  lock = builtins.fromJSON (builtins.readFile ./flake.lock);
+  flake-compat = fetchTarball {
+    url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
+    sha256 = lock.nodes.flake-compat.locked.narHash;
+  };
+
+  src = ./.;
+in
+(import flake-compat { inherit src; }).defaultNix.legacyPackages.${builtins.currentSystem}

flake.lock

@@ -15,8 +15,12 @@
     url = "github:onekey-sec/sasquatch";
     inputs.nixpkgs.follows = "nixpkgs";
   };
+  inputs.flake-compat = {
+    url = "github:edolstra/flake-compat";
+    flake = false;
+  };
 
-  outputs = { self, nixpkgs, filter, unblob-native, pyperscan, sasquatch }:
+  outputs = { self, nixpkgs, filter, unblob-native, pyperscan, sasquatch, ... }:
     let
       # System types to support.
       supportedSystems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" ];
@@ -48,9 +52,23 @@
       checks = forAllSystems (system: nixpkgsFor.${system}.unblob.tests);
 
       devShells = forAllSystems
-        (system: {
-          default = import ./shell.nix { pkgs = nixpkgsFor.${system}; };
-        });
+        (system:
+          with nixpkgsFor.${system}; {
+            default = mkShell {
+              packages = [
+                unblob.runtimeDeps
+                ruff
+                pyright
+                python3Packages.pytest
+                python3Packages.pytest-cov
+                poetry
+
+                nvfetcher
+              ];
+
+              env.LD_LIBRARY_PATH = lib.makeLibraryPath [ file ];
+            };
+          });
 
       legacyPackages = forAllSystems (system: nixpkgsFor.${system});
     };

flake.nix

@@ -0,0 +1,72 @@
+{
+    "jefferson": {
+        "cargoLocks": null,
+        "date": null,
+        "extract": null,
+        "name": "jefferson",
+        "passthru": null,
+        "pinned": false,
+        "src": {
+            "name": null,
+            "sha256": "sha256-RHEXbKRQWTyPWIzSRLwW82u/TsDgiL7L5o+cUWgLLk0=",
+            "type": "url",
+            "url": "https://pypi.org/packages/source/j/jefferson/jefferson-0.4.4.tar.gz"
+        },
+        "version": "0.4.4"
+    },
+    "lzallright": {
+        "cargoLocks": {
+            "Cargo.lock": [
+                "./lzallright-v0.2.2/Cargo.lock",
+                {}
+            ]
+        },
+        "date": null,
+        "extract": null,
+        "name": "lzallright",
+        "passthru": null,
+        "pinned": false,
+        "src": {
+            "deepClone": false,
+            "fetchSubmodules": false,
+            "leaveDotGit": false,
+            "name": null,
+            "owner": "vlaci",
+            "repo": "lzallright",
+            "rev": "v0.2.2",
+            "sha256": "sha256-MOTIUC/G92tB2ZOp3OzgKq3d9zGN6bfv83vXOK3deFI=",
+            "type": "github"
+        },
+        "version": "v0.2.2"
+    },
+    "treelib": {
+        "cargoLocks": null,
+        "date": null,
+        "extract": null,
+        "name": "treelib",
+        "passthru": null,
+        "pinned": false,
+        "src": {
+            "name": null,
+            "sha256": "sha256-HL//stK3XMrCfQIAzuBQe2+7Bybgr7n64Bet5dLOh4g=",
+            "type": "url",
+            "url": "https://pypi.org/packages/source/t/treelib/treelib-1.6.1.tar.gz"
+        },
+        "version": "1.6.1"
+    },
+    "ubi_reader": {
+        "cargoLocks": null,
+        "date": null,
+        "extract": null,
+        "name": "ubi_reader",
+        "passthru": null,
+        "pinned": false,
+        "src": {
+            "name": null,
+            "sha256": "sha256-b6Jp8xB6jie35F/oLEea1RF+F8J64AiiQE3/ufwu1mE=",
+            "type": "url",
+            "url": "https://pypi.org/packages/source/u/ubi_reader/ubi_reader-0.8.9.tar.gz"
+        },
+        "version": "0.8.9"
+    }
+}

nix/_sources/generated.json

@@ -0,0 +1,43 @@
+# This file was generated by nvfetcher, please do not modify it manually.
+{ fetchgit, fetchurl, fetchFromGitHub, dockerTools }:
+{
+  jefferson = {
+    pname = "jefferson";
+    version = "0.4.4";
+    src = fetchurl {
+      url = "https://pypi.org/packages/source/j/jefferson/jefferson-0.4.4.tar.gz";
+      sha256 = "sha256-RHEXbKRQWTyPWIzSRLwW82u/TsDgiL7L5o+cUWgLLk0=";
+    };
+  };
+  lzallright = {
+    pname = "lzallright";
+    version = "v0.2.2";
+    src = fetchFromGitHub {
+      owner = "vlaci";
+      repo = "lzallright";
+      rev = "v0.2.3";
+      fetchSubmodules = false;
+      sha256 = "sha256-MOTIUC/G92tB2ZOp3OzgKq3d9zGN6bfv83vXOK3deFI=";
+    };
+    cargoLock."Cargo.lock" = {
+      lockFile = ./lzallright-v0.2.2/Cargo.lock;
+      outputHashes = { };
+    };
+  };
+  treelib = {
+    pname = "treelib";
+    version = "1.6.1";
+    src = fetchurl {
+      url = "https://pypi.org/packages/source/t/treelib/treelib-1.6.1.tar.gz";
+      sha256 = "sha256-HL//stK3XMrCfQIAzuBQe2+7Bybgr7n64Bet5dLOh4g=";
+    };
+  };
+  ubi_reader = {
+    pname = "ubi_reader";
+    version = "0.8.9";
+    src = fetchurl {
+      url = "https://pypi.org/packages/source/u/ubi_reader/ubi_reader-0.8.9.tar.gz";
+      sha256 = "sha256-b6Jp8xB6jie35F/oLEea1RF+F8J64AiiQE3/ufwu1mE=";
+    };
+  };
+}