forked from Deuxfleurs/garage
Fail if compiled binary is dynamic
This commit is contained in:
parent
ac03fa7937
commit
4d269787b2
3 changed files with 98 additions and 65 deletions
45
.drone.yml
45
.drone.yml
|
@ -25,7 +25,7 @@ steps:
|
||||||
path: /etc/nix
|
path: /etc/nix
|
||||||
commands:
|
commands:
|
||||||
- cp nix/nix.conf /etc/nix/nix.conf
|
- cp nix/nix.conf /etc/nix/nix.conf
|
||||||
- nix-build --no-build-output --no-out-link shell.nix --arg release false -A inputDerivation
|
- nix-build --no-build-output --no-out-link shell.nix -A rust.inputDerivation -A integration.inputDerivation -A release.inputDerivation
|
||||||
|
|
||||||
- name: code quality
|
- name: code quality
|
||||||
image: nixpkgs/nix:nixos-21.05
|
image: nixpkgs/nix:nixos-21.05
|
||||||
|
@ -35,8 +35,8 @@ steps:
|
||||||
- name: nix_config
|
- name: nix_config
|
||||||
path: /etc/nix
|
path: /etc/nix
|
||||||
commands:
|
commands:
|
||||||
- nix-shell --arg release false --run "cargo fmt -- --check"
|
- nix-shell --attr rust --run "cargo fmt -- --check"
|
||||||
- nix-shell --arg release false --run "cargo clippy -- --deny warnings"
|
- nix-shell --attr rust --run "cargo clippy -- --deny warnings"
|
||||||
|
|
||||||
- name: build
|
- name: build
|
||||||
image: nixpkgs/nix:nixos-21.05
|
image: nixpkgs/nix:nixos-21.05
|
||||||
|
@ -47,6 +47,7 @@ steps:
|
||||||
path: /etc/nix
|
path: /etc/nix
|
||||||
commands:
|
commands:
|
||||||
- nix-build --no-build-output --option log-lines 100 --argstr target x86_64-unknown-linux-musl --arg release false --argstr git_version $DRONE_COMMIT
|
- nix-build --no-build-output --option log-lines 100 --argstr target x86_64-unknown-linux-musl --arg release false --argstr git_version $DRONE_COMMIT
|
||||||
|
- nix-shell --attr rust --run "./script/not-dynamic.sh result/bin/garage"
|
||||||
|
|
||||||
- name: unit + func tests
|
- name: unit + func tests
|
||||||
image: nixpkgs/nix:nixos-21.05
|
image: nixpkgs/nix:nixos-21.05
|
||||||
|
@ -82,7 +83,7 @@ steps:
|
||||||
path: /etc/nix
|
path: /etc/nix
|
||||||
commands:
|
commands:
|
||||||
- nix-build --no-build-output --argstr target x86_64-unknown-linux-musl --arg release false --argstr git_version $DRONE_COMMIT
|
- nix-build --no-build-output --argstr target x86_64-unknown-linux-musl --arg release false --argstr git_version $DRONE_COMMIT
|
||||||
- nix-shell --arg release false --run ./script/test-smoke.sh || (cat /tmp/garage.log; false)
|
- nix-shell --attr integration --run ./script/test-smoke.sh || (cat /tmp/garage.log; false)
|
||||||
|
|
||||||
trigger:
|
trigger:
|
||||||
event:
|
event:
|
||||||
|
@ -120,7 +121,7 @@ steps:
|
||||||
path: /etc/nix
|
path: /etc/nix
|
||||||
commands:
|
commands:
|
||||||
- cp nix/nix.conf /etc/nix/nix.conf
|
- cp nix/nix.conf /etc/nix/nix.conf
|
||||||
- nix-build --no-build-output --no-out-link shell.nix -A inputDerivation
|
- nix-build --no-build-output --no-out-link shell.nix -A rust.inputDerivation -A integration.inputDerivation -A release.inputDerivation
|
||||||
|
|
||||||
- name: build
|
- name: build
|
||||||
image: nixpkgs/nix:nixos-21.05
|
image: nixpkgs/nix:nixos-21.05
|
||||||
|
@ -131,6 +132,7 @@ steps:
|
||||||
path: /etc/nix
|
path: /etc/nix
|
||||||
commands:
|
commands:
|
||||||
- nix-build --no-build-output --argstr target $TARGET --arg release true --argstr git_version $DRONE_COMMIT
|
- nix-build --no-build-output --argstr target $TARGET --arg release true --argstr git_version $DRONE_COMMIT
|
||||||
|
- nix-shell --attr rust --run "./script/not-dynamic.sh result/bin/garage"
|
||||||
|
|
||||||
- name: integration
|
- name: integration
|
||||||
image: nixpkgs/nix:nixos-21.05
|
image: nixpkgs/nix:nixos-21.05
|
||||||
|
@ -140,7 +142,7 @@ steps:
|
||||||
- name: nix_config
|
- name: nix_config
|
||||||
path: /etc/nix
|
path: /etc/nix
|
||||||
commands:
|
commands:
|
||||||
- nix-shell --run ./script/test-smoke.sh || (cat /tmp/garage.log; false)
|
- nix-shell --attr integration --run ./script/test-smoke.sh || (cat /tmp/garage.log; false)
|
||||||
|
|
||||||
- name: push static binary
|
- name: push static binary
|
||||||
image: nixpkgs/nix:nixos-21.05
|
image: nixpkgs/nix:nixos-21.05
|
||||||
|
@ -155,7 +157,7 @@ steps:
|
||||||
AWS_SECRET_ACCESS_KEY:
|
AWS_SECRET_ACCESS_KEY:
|
||||||
from_secret: garagehq_aws_secret_access_key
|
from_secret: garagehq_aws_secret_access_key
|
||||||
commands:
|
commands:
|
||||||
- nix-shell --arg rust false --arg integration false --run "to_s3"
|
- nix-shell --attr release --run "to_s3"
|
||||||
|
|
||||||
- name: docker build and publish
|
- name: docker build and publish
|
||||||
image: nixpkgs/nix:nixos-21.05
|
image: nixpkgs/nix:nixos-21.05
|
||||||
|
@ -174,7 +176,7 @@ steps:
|
||||||
- mkdir -p /kaniko/.docker
|
- mkdir -p /kaniko/.docker
|
||||||
- echo $DOCKER_AUTH > /kaniko/.docker/config.json
|
- echo $DOCKER_AUTH > /kaniko/.docker/config.json
|
||||||
- export CONTAINER_TAG=${DRONE_TAG:-$DRONE_COMMIT}
|
- export CONTAINER_TAG=${DRONE_TAG:-$DRONE_COMMIT}
|
||||||
- nix-shell --arg rust false --arg integration false --run "to_docker"
|
- nix-shell --attr release --run "to_docker"
|
||||||
|
|
||||||
|
|
||||||
trigger:
|
trigger:
|
||||||
|
@ -210,7 +212,7 @@ steps:
|
||||||
path: /etc/nix
|
path: /etc/nix
|
||||||
commands:
|
commands:
|
||||||
- cp nix/nix.conf /etc/nix/nix.conf
|
- cp nix/nix.conf /etc/nix/nix.conf
|
||||||
- nix-build --no-build-output --no-out-link shell.nix -A inputDerivation
|
- nix-build --no-build-output --no-out-link shell.nix -A rust.inputDerivation -A integration.inputDerivation -A release.inputDerivation
|
||||||
|
|
||||||
- name: build
|
- name: build
|
||||||
image: nixpkgs/nix:nixos-21.05
|
image: nixpkgs/nix:nixos-21.05
|
||||||
|
@ -221,6 +223,7 @@ steps:
|
||||||
path: /etc/nix
|
path: /etc/nix
|
||||||
commands:
|
commands:
|
||||||
- nix-build --no-build-output --argstr target $TARGET --arg release true --argstr git_version $DRONE_COMMIT
|
- nix-build --no-build-output --argstr target $TARGET --arg release true --argstr git_version $DRONE_COMMIT
|
||||||
|
- nix-shell --attr rust --run "./script/not-dynamic.sh result/bin/garage"
|
||||||
|
|
||||||
- name: integration
|
- name: integration
|
||||||
image: nixpkgs/nix:nixos-21.05
|
image: nixpkgs/nix:nixos-21.05
|
||||||
|
@ -230,7 +233,7 @@ steps:
|
||||||
- name: nix_config
|
- name: nix_config
|
||||||
path: /etc/nix
|
path: /etc/nix
|
||||||
commands:
|
commands:
|
||||||
- nix-shell --run ./script/test-smoke.sh || (cat /tmp/garage.log; false)
|
- nix-shell --attr integration --run ./script/test-smoke.sh || (cat /tmp/garage.log; false)
|
||||||
|
|
||||||
- name: push static binary
|
- name: push static binary
|
||||||
image: nixpkgs/nix:nixos-21.05
|
image: nixpkgs/nix:nixos-21.05
|
||||||
|
@ -245,7 +248,7 @@ steps:
|
||||||
AWS_SECRET_ACCESS_KEY:
|
AWS_SECRET_ACCESS_KEY:
|
||||||
from_secret: garagehq_aws_secret_access_key
|
from_secret: garagehq_aws_secret_access_key
|
||||||
commands:
|
commands:
|
||||||
- nix-shell --arg rust false --arg integration false --run "to_s3"
|
- nix-shell --attr release --run "to_s3"
|
||||||
|
|
||||||
- name: docker build and publish
|
- name: docker build and publish
|
||||||
image: nixpkgs/nix:nixos-21.05
|
image: nixpkgs/nix:nixos-21.05
|
||||||
|
@ -264,7 +267,7 @@ steps:
|
||||||
- mkdir -p /kaniko/.docker
|
- mkdir -p /kaniko/.docker
|
||||||
- echo $DOCKER_AUTH > /kaniko/.docker/config.json
|
- echo $DOCKER_AUTH > /kaniko/.docker/config.json
|
||||||
- export CONTAINER_TAG=${DRONE_TAG:-$DRONE_COMMIT}
|
- export CONTAINER_TAG=${DRONE_TAG:-$DRONE_COMMIT}
|
||||||
- nix-shell --arg rust false --arg integration false --run "to_docker"
|
- nix-shell --attr release --run "to_docker"
|
||||||
|
|
||||||
trigger:
|
trigger:
|
||||||
event:
|
event:
|
||||||
|
@ -299,7 +302,7 @@ steps:
|
||||||
path: /etc/nix
|
path: /etc/nix
|
||||||
commands:
|
commands:
|
||||||
- cp nix/nix.conf /etc/nix/nix.conf
|
- cp nix/nix.conf /etc/nix/nix.conf
|
||||||
- nix-build --no-build-output --no-out-link ./shell.nix --arg rust false --arg integration false -A inputDerivation
|
- nix-build --no-build-output --no-out-link shell.nix -A rust.inputDerivation -A integration.inputDerivation -A release.inputDerivation
|
||||||
|
|
||||||
- name: build
|
- name: build
|
||||||
image: nixpkgs/nix:nixos-21.05
|
image: nixpkgs/nix:nixos-21.05
|
||||||
|
@ -310,6 +313,7 @@ steps:
|
||||||
path: /etc/nix
|
path: /etc/nix
|
||||||
commands:
|
commands:
|
||||||
- nix-build --no-build-output --argstr target $TARGET --arg release true --argstr git_version $DRONE_COMMIT
|
- nix-build --no-build-output --argstr target $TARGET --arg release true --argstr git_version $DRONE_COMMIT
|
||||||
|
- nix-shell --attr rust --run "./script/not-dynamic.sh result/bin/garage"
|
||||||
|
|
||||||
- name: push static binary
|
- name: push static binary
|
||||||
image: nixpkgs/nix:nixos-21.05
|
image: nixpkgs/nix:nixos-21.05
|
||||||
|
@ -324,7 +328,7 @@ steps:
|
||||||
AWS_SECRET_ACCESS_KEY:
|
AWS_SECRET_ACCESS_KEY:
|
||||||
from_secret: garagehq_aws_secret_access_key
|
from_secret: garagehq_aws_secret_access_key
|
||||||
commands:
|
commands:
|
||||||
- nix-shell --arg rust false --arg integration false --run "to_s3"
|
- nix-shell --attr release --run "to_s3"
|
||||||
|
|
||||||
- name: docker build and publish
|
- name: docker build and publish
|
||||||
image: nixpkgs/nix:nixos-21.05
|
image: nixpkgs/nix:nixos-21.05
|
||||||
|
@ -343,7 +347,7 @@ steps:
|
||||||
- mkdir -p /kaniko/.docker
|
- mkdir -p /kaniko/.docker
|
||||||
- echo $DOCKER_AUTH > /kaniko/.docker/config.json
|
- echo $DOCKER_AUTH > /kaniko/.docker/config.json
|
||||||
- export CONTAINER_TAG=${DRONE_TAG:-$DRONE_COMMIT}
|
- export CONTAINER_TAG=${DRONE_TAG:-$DRONE_COMMIT}
|
||||||
- nix-shell --arg rust false --arg integration false --run "to_docker"
|
- nix-shell --attr release --run "to_docker"
|
||||||
|
|
||||||
trigger:
|
trigger:
|
||||||
event:
|
event:
|
||||||
|
@ -378,7 +382,7 @@ steps:
|
||||||
path: /etc/nix
|
path: /etc/nix
|
||||||
commands:
|
commands:
|
||||||
- cp nix/nix.conf /etc/nix/nix.conf
|
- cp nix/nix.conf /etc/nix/nix.conf
|
||||||
- nix-build --no-build-output --no-out-link --arg rust false --arg integration false -A inputDerivation
|
- nix-build --no-build-output --no-out-link shell.nix -A rust.inputDerivation -A integration.inputDerivation -A release.inputDerivation
|
||||||
|
|
||||||
- name: build
|
- name: build
|
||||||
image: nixpkgs/nix:nixos-21.05
|
image: nixpkgs/nix:nixos-21.05
|
||||||
|
@ -389,6 +393,7 @@ steps:
|
||||||
path: /etc/nix
|
path: /etc/nix
|
||||||
commands:
|
commands:
|
||||||
- nix-build --no-build-output --argstr target $TARGET --arg release true --argstr git_version $DRONE_COMMIT
|
- nix-build --no-build-output --argstr target $TARGET --arg release true --argstr git_version $DRONE_COMMIT
|
||||||
|
- nix-shell --attr rust --run "./script/not-dynamic.sh result/bin/garage"
|
||||||
|
|
||||||
- name: push static binary
|
- name: push static binary
|
||||||
image: nixpkgs/nix:nixos-21.05
|
image: nixpkgs/nix:nixos-21.05
|
||||||
|
@ -403,7 +408,7 @@ steps:
|
||||||
AWS_SECRET_ACCESS_KEY:
|
AWS_SECRET_ACCESS_KEY:
|
||||||
from_secret: garagehq_aws_secret_access_key
|
from_secret: garagehq_aws_secret_access_key
|
||||||
commands:
|
commands:
|
||||||
- nix-shell --arg integration false --arg rust false --run "to_s3"
|
- nix-shell --attr release --run "to_s3"
|
||||||
|
|
||||||
- name: docker build and publish
|
- name: docker build and publish
|
||||||
image: nixpkgs/nix:nixos-21.05
|
image: nixpkgs/nix:nixos-21.05
|
||||||
|
@ -422,7 +427,7 @@ steps:
|
||||||
- mkdir -p /kaniko/.docker
|
- mkdir -p /kaniko/.docker
|
||||||
- echo $DOCKER_AUTH > /kaniko/.docker/config.json
|
- echo $DOCKER_AUTH > /kaniko/.docker/config.json
|
||||||
- export CONTAINER_TAG=${DRONE_TAG:-$DRONE_COMMIT}
|
- export CONTAINER_TAG=${DRONE_TAG:-$DRONE_COMMIT}
|
||||||
- nix-shell --arg rust false --arg integration false --run "to_docker"
|
- nix-shell --attr release --run "to_docker"
|
||||||
|
|
||||||
trigger:
|
trigger:
|
||||||
event:
|
event:
|
||||||
|
@ -455,7 +460,7 @@ steps:
|
||||||
from_secret: garagehq_aws_secret_access_key
|
from_secret: garagehq_aws_secret_access_key
|
||||||
commands:
|
commands:
|
||||||
- mkdir -p /etc/nix && cp nix/nix.conf /etc/nix/nix.conf
|
- mkdir -p /etc/nix && cp nix/nix.conf /etc/nix/nix.conf
|
||||||
- nix-shell --arg integration false --arg rust false --run "refresh_index"
|
- nix-shell --attr release --run "refresh_index"
|
||||||
|
|
||||||
depends_on:
|
depends_on:
|
||||||
- release-linux-x86_64
|
- release-linux-x86_64
|
||||||
|
@ -473,6 +478,6 @@ node:
|
||||||
|
|
||||||
---
|
---
|
||||||
kind: signature
|
kind: signature
|
||||||
hmac: 3fc19d6f9a3555519c8405e3281b2e74289bb802f644740d5481d53df3a01fa4
|
hmac: 60fad5d78c12616be848aae35703f250300abab5f2eda08eb48fe3afd6cc58c8
|
||||||
|
|
||||||
...
|
...
|
||||||
|
|
14
script/not-dynamic.sh
Executable file
14
script/not-dynamic.sh
Executable file
|
@ -0,0 +1,14 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
|
if [ "$#" -ne 1 ]; then
|
||||||
|
echo "[fail] usage: $0 binary"
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
|
||||||
|
if file $1 | grep 'dynamically linked' 2>&1; then
|
||||||
|
echo "[fail] $1 is dynamic"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
echo "[ok] $1 is probably static"
|
98
shell.nix
98
shell.nix
|
@ -1,8 +1,5 @@
|
||||||
{
|
{
|
||||||
system ? builtins.currentSystem,
|
system ? builtins.currentSystem,
|
||||||
rust ? true,
|
|
||||||
integration ? true,
|
|
||||||
release ? true,
|
|
||||||
}:
|
}:
|
||||||
|
|
||||||
with import ./nix/common.nix;
|
with import ./nix/common.nix;
|
||||||
|
@ -16,8 +13,58 @@ let
|
||||||
winscp = (import ./nix/winscp.nix) pkgs;
|
winscp = (import ./nix/winscp.nix) pkgs;
|
||||||
|
|
||||||
in
|
in
|
||||||
|
{
|
||||||
|
|
||||||
pkgs.mkShell {
|
/* --- Rust Shell ---
|
||||||
|
* Use it to compile Garage
|
||||||
|
*/
|
||||||
|
rust = pkgs.mkShell {
|
||||||
|
shellHook = ''
|
||||||
|
function refresh_toolchain {
|
||||||
|
nix copy \
|
||||||
|
--to 's3://nix?endpoint=garage.deuxfleurs.fr®ion=garage&secret-key=/etc/nix/signing-key.sec' \
|
||||||
|
$(nix-store -qR \
|
||||||
|
$(nix-build --quiet --no-build-output --no-out-link nix/toolchain.nix))
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
|
||||||
|
nativeBuildInputs = [
|
||||||
|
pkgs.rustPlatform.rust.rustc
|
||||||
|
pkgs.rustPlatform.rust.cargo
|
||||||
|
pkgs.clippy
|
||||||
|
pkgs.rustfmt
|
||||||
|
pkgs.perl
|
||||||
|
pkgs.protobuf
|
||||||
|
pkgs.pkg-config
|
||||||
|
pkgs.openssl
|
||||||
|
pkgs.file
|
||||||
|
cargo2nix.packages.x86_64-linux.cargo2nix
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
/* --- Integration shell ---
|
||||||
|
* Use it to test Garage with common S3 clients
|
||||||
|
*/
|
||||||
|
integration = pkgs.mkShell {
|
||||||
|
nativeBuildInputs = [
|
||||||
|
winscp
|
||||||
|
pkgs.s3cmd
|
||||||
|
pkgs.awscli2
|
||||||
|
pkgs.minio-client
|
||||||
|
pkgs.rclone
|
||||||
|
pkgs.socat
|
||||||
|
pkgs.psmisc
|
||||||
|
pkgs.which
|
||||||
|
pkgs.openssl
|
||||||
|
pkgs.curl
|
||||||
|
pkgs.jq
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
/* --- Release shell ---
|
||||||
|
* A shell built to make releasing easier
|
||||||
|
*/
|
||||||
|
release = pkgs.mkShell {
|
||||||
shellHook = ''
|
shellHook = ''
|
||||||
function to_s3 {
|
function to_s3 {
|
||||||
aws \
|
aws \
|
||||||
|
@ -62,45 +109,12 @@ function refresh_index {
|
||||||
result/share/_releases.html \
|
result/share/_releases.html \
|
||||||
s3://garagehq.deuxfleurs.fr/
|
s3://garagehq.deuxfleurs.fr/
|
||||||
}
|
}
|
||||||
|
|
||||||
function refresh_toolchain {
|
|
||||||
nix copy \
|
|
||||||
--to 's3://nix?endpoint=garage.deuxfleurs.fr®ion=garage&secret-key=/etc/nix/signing-key.sec' \
|
|
||||||
$(nix-store -qR \
|
|
||||||
$(nix-build --quiet --no-build-output --no-out-link nix/toolchain.nix))
|
|
||||||
}
|
|
||||||
'';
|
'';
|
||||||
|
nativeBuildInputs = [
|
||||||
nativeBuildInputs =
|
|
||||||
(if rust then [
|
|
||||||
pkgs.rustPlatform.rust.rustc
|
|
||||||
pkgs.rustPlatform.rust.cargo
|
|
||||||
pkgs.clippy
|
|
||||||
pkgs.rustfmt
|
|
||||||
pkgs.perl
|
|
||||||
pkgs.protobuf
|
|
||||||
pkgs.pkg-config
|
|
||||||
pkgs.openssl
|
|
||||||
cargo2nix.packages.x86_64-linux.cargo2nix
|
|
||||||
] else [])
|
|
||||||
++
|
|
||||||
(if integration then [
|
|
||||||
winscp
|
|
||||||
pkgs.s3cmd
|
|
||||||
pkgs.awscli2
|
|
||||||
pkgs.minio-client
|
|
||||||
pkgs.rclone
|
|
||||||
pkgs.socat
|
|
||||||
pkgs.psmisc
|
|
||||||
pkgs.which
|
|
||||||
pkgs.openssl
|
|
||||||
pkgs.curl
|
|
||||||
pkgs.jq
|
|
||||||
] else [])
|
|
||||||
++
|
|
||||||
(if release then [
|
|
||||||
pkgs.awscli2
|
pkgs.awscli2
|
||||||
kaniko
|
kaniko
|
||||||
] else [])
|
];
|
||||||
;
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue