#!/usr/bin/env nix-shell
#!nix-shell -i bash -p jq
# NOTE(review): jq is requested by the nix-shell line but is not referenced
# anywhere in this file as shown — possibly a stale dependency, confirm.

# Fail fast: abort on any error, on unset variables, and on a failing
# pipeline stage (same options as `set -o pipefail -o errexit -o nounset`).
set -euo pipefail
6 trace() { echo >&2 "$@"; }
8 tmp=$(mktemp -d)
#######################################
# Tear down the worktrees and the scratch directory.
# Globals:   tmp (read)
# Outputs:   progress messages on stderr via trace
# Returns:   status of the final trace call (0)
#######################################
cleanup() {
  # Best-effort teardown: keep going even if an individual step fails
  set +o errexit

  trace -n "Cleaning up.. "

  # Unregister the worktrees before deleting their directories, otherwise
  # git keeps stale worktree metadata behind
  local worktree
  for worktree in "$tmp/base" "$tmp/merged"; do
    [[ -e "$worktree" ]] && git worktree remove --force "$worktree"
  done

  rm -rf "$tmp"

  trace "Done"
}
# Run cleanup() on every exit path, including errexit-triggered ones
trap cleanup exit

# Where the base branch is fetched from unless a second argument overrides it
repo=https://github.com/NixOS/nixpkgs.git

# Usage: $0 BASE_BRANCH [REPOSITORY]
if [[ $# -eq 0 ]]; then
  trace "Usage: $0 BASE_BRANCH [REPOSITORY]"
  trace "BASE_BRANCH: The base branch to use, e.g. master or release-23.11"
  trace "REPOSITORY: The repository to fetch the base branch from, defaults to $repo"
  exit 1
fi
baseBranch=$1
shift

if [[ $# -gt 0 ]]; then
  repo=$1
  shift
fi

# Only committed state ends up in the worktree below, so warn about local edits
if [[ -n "$(git status --porcelain)" ]]; then
  trace -e "\e[33mWarning: Dirty tree, uncommitted changes won't be taken into account\e[0m"
fi

headSha=$(git rev-parse HEAD)
trace -e "Using HEAD commit \e[34m$headSha\e[0m"

trace -n "Creating Git worktree for the HEAD commit in $tmp/merged.. "
git worktree add --detach -q "$tmp/merged" HEAD
trace "Done"

trace -n "Fetching base branch $baseBranch to compare against.. "
git fetch -q "$repo" "refs/heads/$baseBranch"
baseSha=$(git rev-parse FETCH_HEAD)
trace -e "\e[34m$baseSha\e[0m"

trace -n "Creating Git worktree for the base branch in $tmp/base.. "
git worktree add -q "$tmp/base" "$baseSha"
trace "Done"

# The tool is later run on the merged tree, so the comparison is
# base vs. (HEAD merged with base), not base vs. bare HEAD
trace -n "Merging base branch into the HEAD commit in $tmp/merged.. "
git -C "$tmp/merged" merge -q --no-edit "$baseSha"
trace -e "\e[34m$(git -C "$tmp/merged" rev-parse HEAD)\e[0m"

# The pinned version is read from the *merged* tree, so the commits under
# review can change which tool version gets built and run here.
trace -n "Reading pinned nixpkgs-vet version from pinned-version.txt.. "
toolVersion=$(<"$tmp/merged/ci/nixpkgs-vet/pinned-version.txt")
trace -e "\e[34m$toolVersion\e[0m"

# NOTE(review): the tarball is fetched by ref only, with no content hash, so
# its integrity rests on the transport and on GitHub serving the expected
# ref; pinning a hash alongside the version would make this reproducible and
# tamper-evident. A format sanity check on $toolVersion before building the
# URL would also be worth considering.
trace -n "Building tool.. "
nix-build "https://github.com/NixOS/nixpkgs-vet/tarball/$toolVersion" -o "$tmp/tool" -A build

trace "Running nixpkgs-vet.."
"$tmp/tool/bin/nixpkgs-vet" --base "$tmp/base" "$tmp/merged"