chore(3p/gerrit): create buildBazelPackageNG and migrate gerrit to it
This bumps Gerrit to 3.10.0, and also introduces a new mechanism for building it that should hopefully have some more stable hashes than the previous bodgery. In this world, we only cache what we explicitly want to. There are some hooks implemented for `rules_java` and `rules_nodejs` (before version 6) that force use of local binaries; this means we can drop the use of the FHSUserEnv and use the java and nodejs binaries provided by nixpkgs instead. detzip is deleted; it hasn't been used in yonks. We also add https://gerrit-review.googlesource.com/c/gerrit/+/431977, which bumps the SSHd version so that we can have U2F-based SSH keys. Change-Id: Ie12a9a33bbb1e4bd96aa252580aca3b8bc4a1205 Reviewed-on: https://cl.tvl.fyi/c/depot/+/11963 Reviewed-by: lukegb <lukegb@tvl.fyi> Autosubmit: lukegb <lukegb@tvl.fyi> Tested-by: BuildkiteCI
This commit is contained in:
		
							parent
							
								
									d17c3d96b6
								
							
						
					
					
						commit
						c05bf02a85
					
				
					 27 changed files with 455 additions and 260 deletions
				
			
		
							
								
								
									
										0
									
								
								nix/buildBazelPackageNG/.skip-subtree
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										0
									
								
								nix/buildBazelPackageNG/.skip-subtree
									
										
									
									
									
										Normal file
									
								
							
							
								
								
									
										8
									
								
								nix/buildBazelPackageNG/bazelRulesJavaHook/default.nix
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										8
									
								
								nix/buildBazelPackageNG/bazelRulesJavaHook/default.nix
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,8 @@ | |||
| { makeSetupHook }: | ||||
| 
 | ||||
| makeSetupHook { | ||||
|   name = "rules_java_bazel_hook"; | ||||
|   substitutions = { | ||||
|     local_java = ./local_java; | ||||
|   }; | ||||
| } ./setup-hook.sh | ||||
|  | @ -0,0 +1,3 @@ | |||
| alias(name = "jdk", actual = "@local_jdk//:jdk") | ||||
| alias(name = "toolchain", actual = "@local_jdk//:toolchain") | ||||
| alias(name = "bootstrap_runtime_toolchain", actual = "@local_jdk//:bootstrap_runtime_toolchain") | ||||
|  | @ -0,0 +1 @@ | |||
| workspace(name = "local_java") | ||||
							
								
								
									
										17
									
								
								nix/buildBazelPackageNG/bazelRulesJavaHook/setup-hook.sh
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										17
									
								
								nix/buildBazelPackageNG/bazelRulesJavaHook/setup-hook.sh
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,17 @@ | |||
| prePatchHooks+=(_setupLocalJavaRepo) | ||||
| 
 | ||||
| javaVersions=(11 17 21) | ||||
| javaPlatforms=( | ||||
|   "linux" "linux_aarch64" "linux_ppc64le" "linux_s390x" | ||||
|   "macos" "macos_aarch64" | ||||
|   "win" "win_arm64") | ||||
| 
 | ||||
| _setupLocalJavaRepo() { | ||||
| 	for javaVersion in ${javaVersions[@]}; do | ||||
| 		for javaPlatform in ${javaPlatforms[@]}; do | ||||
| 			bazelFlagsArray+=( | ||||
| 				"--override_repository=remotejdk${javaVersion}_${javaPlatform}=@local_java@" | ||||
| 			) | ||||
| 		done | ||||
| 	done | ||||
| } | ||||
							
								
								
									
										53
									
								
								nix/buildBazelPackageNG/bazelRulesNodeJS5Hook/default.nix
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										53
									
								
								nix/buildBazelPackageNG/bazelRulesNodeJS5Hook/default.nix
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,53 @@ | |||
| { stdenvNoCC | ||||
| , lib | ||||
| , makeSetupHook | ||||
| , fetchFromGitHub | ||||
| , coreutils | ||||
| , gnugrep | ||||
| , nodejs | ||||
| , yarn | ||||
| , git | ||||
| , cacert | ||||
| }: | ||||
| let | ||||
|   rulesNodeJS = stdenvNoCC.mkDerivation rec { | ||||
|     pname = "bazelbuild-rules_nodejs"; | ||||
|     version = "5.8.5"; | ||||
| 
 | ||||
|     src = fetchFromGitHub { | ||||
|       owner = "bazelbuild"; | ||||
|       repo = "rules_nodejs"; | ||||
|       rev = version; | ||||
|       hash = "sha256-6UbYRrOnS93+pK4VI016gQZv2jLCzkJn6wJ4vZNCNjY="; | ||||
|     }; | ||||
| 
 | ||||
|     dontBuild = true; | ||||
| 
 | ||||
|     postPatch = '' | ||||
|       shopt -s globstar | ||||
|       for i in **/*.bzl **/*.sh **/*.cjs; do | ||||
|         substituteInPlace "$i" \ | ||||
|           --replace-quiet '#!/usr/bin/env bash' '#!${stdenvNoCC.shell}' \ | ||||
|           --replace-quiet '#!/bin/bash' '#!${stdenvNoCC.shell}' | ||||
|       done | ||||
|       sed -i '/^#!/a export PATH=${lib.makeBinPath [ coreutils gnugrep ]}:$PATH' internal/node/launcher.sh | ||||
|     ''; | ||||
| 
 | ||||
|     installPhase = '' | ||||
|       cp -R . $out | ||||
|     ''; | ||||
|   }; | ||||
| in makeSetupHook { | ||||
|   name = "bazelbuild-rules_nodejs-5-hook"; | ||||
|   propagatedBuildInputs = [ | ||||
|     nodejs | ||||
|     yarn | ||||
|     git | ||||
|     cacert | ||||
|   ]; | ||||
|   substitutions = { | ||||
|     inherit nodejs yarn cacert rulesNodeJS; | ||||
|     local_node = ./local_node; | ||||
|     local_yarn = ./local_yarn; | ||||
|   }; | ||||
| } ./setup-hook.sh | ||||
|  | @ -0,0 +1,20 @@ | |||
| load("@build_bazel_rules_nodejs//nodejs:toolchain.bzl", _node_toolchain = "node_toolchain") | ||||
| 
 | ||||
| package(default_visibility = ["//visibility:public"]) | ||||
| 
 | ||||
| exports_files([ | ||||
|     "bin/node", | ||||
|     "bin/npm", | ||||
| ]) | ||||
| 
 | ||||
| _node_toolchain( | ||||
|     name = "node_toolchain", | ||||
|     target_tool_path = "__NODEJS__/bin/node", | ||||
|     npm_path = "__NODEJS__/bin/npm", | ||||
| ) | ||||
| 
 | ||||
| toolchain( | ||||
|     name = "nodejs", | ||||
|     toolchain = ":node_toolchain", | ||||
|     toolchain_type = "@build_bazel_rules_nodejs//nodejs:toolchain_type", | ||||
| ) | ||||
|  | @ -0,0 +1 @@ | |||
| workspace(name = "nodejs") | ||||
|  | @ -0,0 +1,3 @@ | |||
| #!/bin/sh | ||||
| 
 | ||||
| exec "__NODEJS__/bin/node" "$@" | ||||
|  | @ -0,0 +1,3 @@ | |||
| #!/bin/sh | ||||
| 
 | ||||
| exec "__NODEJS__/bin/npm" "$@" | ||||
|  | @ -0,0 +1 @@ | |||
| workspace(name = "yarn") | ||||
|  | @ -0,0 +1,2 @@ | |||
| #!/bin/sh | ||||
| exec "__YARN__/bin/yarn" "$@" | ||||
							
								
								
									
										63
									
								
								nix/buildBazelPackageNG/bazelRulesNodeJS5Hook/setup-hook.sh
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										63
									
								
								nix/buildBazelPackageNG/bazelRulesNodeJS5Hook/setup-hook.sh
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,63 @@ | |||
| prePatchHooks+=(_setupLocalNodeRepos) | ||||
| preBuildHooks+=(_setupYarnCache) | ||||
| 
 | ||||
| case "$bazelPhase" in | ||||
| 	cache) | ||||
| 		postInstallHooks+=(_copyYarnCache) | ||||
| 		;; | ||||
| 	build) | ||||
| 		preBuildHooks+=(_linkYarnCache) | ||||
| 		;; | ||||
| 	*) | ||||
| 		echo "Unexpected bazelPhase '$bazelPhase' (want cache or build)" >&2 | ||||
| 		exit 1 | ||||
| 		;; | ||||
| esac | ||||
| 
 | ||||
| 
 | ||||
| _setupLocalNodeRepos() { | ||||
| 	cp -R @local_node@ $HOME/local_node | ||||
| 	chmod -R +w $HOME/local_node | ||||
| 	substituteInPlace $HOME/local_node/bin/node \ | ||||
| 		--replace-fail '__NODEJS__' '@nodejs@' | ||||
| 	substituteInPlace $HOME/local_node/bin/npm \ | ||||
| 		--replace-fail '__NODEJS__' '@nodejs@' | ||||
| 	substituteInPlace $HOME/local_node/BUILD \ | ||||
| 		--replace-fail '__NODEJS__' '@nodejs@' | ||||
| 	chmod -R +x $HOME/local_node/bin/* | ||||
| 
 | ||||
| 	cp -R @local_yarn@ $HOME/local_yarn | ||||
| 	chmod -R +w $HOME/local_yarn | ||||
| 	substituteInPlace $HOME/local_yarn/bin/yarn \ | ||||
| 		--replace-fail '__YARN__' '@yarn@' | ||||
| 	chmod -R +x $HOME/local_yarn/bin/* | ||||
| 
 | ||||
| 	bazelFlagsArray+=( | ||||
| 		"--override_repository=build_bazel_rules_nodejs=@rulesNodeJS@" | ||||
| 
 | ||||
| 		"--override_repository=nodejs_linux_amd64=$HOME/local_node" | ||||
| 		"--override_repository=nodejs_linux_arm64=$HOME/local_node" | ||||
| 		"--override_repository=nodejs_linux_s390x=$HOME/local_node" | ||||
| 		"--override_repository=nodejs_linux_ppc64le=$HOME/local_node" | ||||
| 		"--override_repository=nodejs_darwin_amd64=$HOME/local_node" | ||||
| 		"--override_repository=nodejs_darwin_arm64=$HOME/local_node" | ||||
| 		"--override_repository=nodejs_windows_amd64=$HOME/local_node" | ||||
| 		"--override_repository=nodejs_windows_arm64=$HOME/local_node" | ||||
| 		"--override_repository=nodejs=$HOME/local_node" | ||||
| 
 | ||||
| 		"--override_repository=yarn=$HOME/local_yarn" | ||||
| 	) | ||||
| } | ||||
| 
 | ||||
| _setupYarnCache() { | ||||
| 	@yarn@/bin/yarn config set cafile "@cacert@/etc/ssl/certs/ca-bundle.crt" | ||||
| 	@yarn@/bin/yarn config set yarn-offline-mirror "$HOME/yarn-offline-mirror" | ||||
| } | ||||
| 
 | ||||
| _copyYarnCache() { | ||||
| 	cp -R "$HOME/yarn-offline-mirror" "$out/yarn-offline-mirror" | ||||
| } | ||||
| 
 | ||||
| _linkYarnCache() { | ||||
| 	ln -sf "$cache/yarn-offline-mirror" "$HOME/yarn-offline-mirror" | ||||
| } | ||||
							
								
								
									
										105
									
								
								nix/buildBazelPackageNG/buildBazelPackageNG.nix
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										105
									
								
								nix/buildBazelPackageNG/buildBazelPackageNG.nix
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,105 @@ | |||
| { stdenv | ||||
| , lib | ||||
| , pkgs | ||||
| , coreutils | ||||
| }: | ||||
| 
 | ||||
| { name ? "${baseAttrs.pname}-${baseAttrs.version}" | ||||
| , bazelTargets | ||||
| , bazel ? pkgs.bazel | ||||
| , depsHash | ||||
| , extraCacheInstall ? "" | ||||
| , extraBuildSetup ? "" | ||||
| , extraBuildInstall ? "" | ||||
| , ... | ||||
| }@baseAttrs: | ||||
| 
 | ||||
| let | ||||
|   cleanAttrs = lib.flip removeAttrs [ | ||||
|     "bazelTargets" "depsHash" "extraCacheInstall" "extraBuildSetup" "extraBuildInstall" | ||||
|   ]; | ||||
|   attrs = cleanAttrs baseAttrs; | ||||
| 
 | ||||
|   base = stdenv.mkDerivation (attrs // { | ||||
|     nativeBuildInputs = (attrs.nativeBuildInputs or []) ++ [ | ||||
|       bazel | ||||
|     ]; | ||||
| 
 | ||||
|     preUnpack = '' | ||||
|       if [[ ! -d $HOME ]]; then | ||||
|         export HOME=$NIX_BUILD_TOP/home | ||||
|         mkdir -p $HOME | ||||
|       fi | ||||
|     ''; | ||||
| 
 | ||||
|     bazelTargetNames = builtins.attrNames bazelTargets; | ||||
|   }); | ||||
| 
 | ||||
|   cache = base.overrideAttrs (base: { | ||||
|     name = "${name}-deps"; | ||||
| 
 | ||||
|     bazelPhase = "cache"; | ||||
| 
 | ||||
|     buildPhase = '' | ||||
|       runHook preBuild | ||||
| 
 | ||||
|       bazel sync --repository_cache=repository-cache $bazelFlags "''${bazelFlagsArray[@]}" | ||||
|       bazel build --repository_cache=repository-cache --nobuild $bazelFlags "''${bazelFlagsArray[@]}" $bazelTargetNames | ||||
| 
 | ||||
|       runHook postBuild | ||||
|     ''; | ||||
| 
 | ||||
|     installPhase = '' | ||||
|       runHook preInstall | ||||
| 
 | ||||
|       mkdir $out | ||||
|       echo "${bazel.version}" > $out/bazel_version | ||||
|       cp -R repository-cache $out/repository-cache | ||||
|       ${extraCacheInstall} | ||||
| 
 | ||||
|       runHook postInstall | ||||
|     ''; | ||||
| 
 | ||||
|     outputHashMode = "recursive"; | ||||
|     outputHash = depsHash; | ||||
|   }); | ||||
| 
 | ||||
|   build = base.overrideAttrs (base: { | ||||
|     bazelPhase = "build"; | ||||
| 
 | ||||
|     inherit cache; | ||||
| 
 | ||||
|     nativeBuildInputs = (base.nativeBuildInputs or []) ++ [ | ||||
|       coreutils | ||||
|     ]; | ||||
| 
 | ||||
|     buildPhase = '' | ||||
|       runHook preBuild | ||||
| 
 | ||||
|       ${extraBuildSetup} | ||||
|       bazel build --repository_cache=$cache/repository-cache $bazelFlags "''${bazelFlagsArray[@]}" $bazelTargetNames | ||||
| 
 | ||||
|       runHook postBuild | ||||
|     ''; | ||||
| 
 | ||||
|     installPhase = '' | ||||
|       runHook preInstall | ||||
| 
 | ||||
|       ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (target: outPath: lib.optionalString (outPath != null) '' | ||||
|         TARGET_OUTPUTS="$(bazel cquery --repository_cache=$cache/repository-cache $bazelFlags "''${bazelFlagsArray[@]}" --output=files "${target}")" | ||||
|         if [[ "$(echo "$TARGET_OUTPUTS" | wc -l)" -gt 1 ]]; then | ||||
|           echo "Installing ${target}'s outputs ($TARGET_OUTPUTS) into ${outPath} as a directory" | ||||
|           mkdir -p "${outPath}" | ||||
|           cp $TARGET_OUTPUTS "${outPath}" | ||||
|         else | ||||
|           echo "Installing ${target}'s output ($TARGET_OUTPUTS) to ${outPath}" | ||||
|           mkdir -p "${dirOf outPath}" | ||||
|           cp "$TARGET_OUTPUTS" "${outPath}" | ||||
|         fi | ||||
|       '') bazelTargets)} | ||||
|       ${extraBuildInstall} | ||||
| 
 | ||||
|       runHook postInstall | ||||
|     ''; | ||||
|   }); | ||||
| in build | ||||
							
								
								
									
										6
									
								
								nix/buildBazelPackageNG/default.nix
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										6
									
								
								nix/buildBazelPackageNG/default.nix
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,6 @@ | |||
| { pkgs, ... }: | ||||
| 
 | ||||
| (pkgs.callPackage ./buildBazelPackageNG.nix { }) // { | ||||
|   bazelRulesJavaHook = pkgs.callPackage ./bazelRulesJavaHook { }; | ||||
|   bazelRulesNodeJS5Hook = pkgs.callPackage ./bazelRulesNodeJS5Hook { }; | ||||
| } | ||||
		Loading…
	
	Add table
		Add a link
		
	
		Reference in a new issue