From 19e39dd2ca22af97a75c13d93e206cedc5b0c600 Mon Sep 17 00:00:00 2001 From: Joseph LaFreniere Date: Fri, 16 Aug 2024 11:32:39 -0400 Subject: [PATCH] Add Nix flake along with usage instructions --- .editorconfig | 5 +- .envrc | 4 + .gitignore | 3 + README.md | 17 +++- flake.lock | 245 +++++++++++++++++++++++++++++++++++++++++++++++++ flake.nix | 101 ++++++++++++++++++++ gomod2nix.toml | 24 +++++ 7 files changed, 391 insertions(+), 8 deletions(-) create mode 100644 .envrc create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 gomod2nix.toml diff --git a/.editorconfig b/.editorconfig index a7d293f..81bd15e 100644 --- a/.editorconfig +++ b/.editorconfig @@ -2,14 +2,11 @@ root = true [*] charset = utf-8 -indent_style = space -indent_size = 4 end_of_line = lf insert_final_newline = true trim_trailing_whitespace = true [*.md] -insert_final_newline = false trim_trailing_whitespace = false [*.go] @@ -21,5 +18,5 @@ indent_size = 2 [*.xml] indent_size = 2 -[Makefile] +[{Makefile,.envrc}] indent_style = tab diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..fcf07e4 --- /dev/null +++ b/.envrc @@ -0,0 +1,4 @@ +if command -v nix &>/dev/null; then + use flake + PATH_add "$PWD/result/bin" +fi diff --git a/.gitignore b/.gitignore index 4d98a8c..f26d5e4 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,6 @@ vendor/ bin/ dist/ + +/result +/.pre-commit-config.yaml diff --git a/README.md b/README.md index 5f3e2fc..86b0d06 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,9 @@ All files are located inside Jenkins home directory: I've tested this on Jenkins 1.625.1 and 2.141 -### Run using a binary +## Usage + +### Pre-Built Binary Mac (Intel CPU only): @@ -61,7 +63,7 @@ Or if you have the files locally: -c credentials.xml \ -o json -### Run using docker +### Docker If you are worried about the binary sending your credentials over the network (it does not do that) then run a container with disabled network: 
@@ -97,8 +99,15 @@ With files locally: -s hudson.util.Secret \ -c credentials.xml \ -o json - -### Build the binary yourself + +### Nix + +Assuming you have enabled [Flakes](https://nixos.wiki/wiki/Flakes) in your Nix configuration, you can use the provided [`flake.nix`](./flake.nix) to build and run this project. + +- To build and run the binary without installing it: `nix run github:hoto/jenkins-credentials-decryptor -- --help` +- To install in the current profile: `nix profile install github:hoto/jenkins-credentials-decryptor` + +### Build Locally If you are worried about executing a random binary from the internet then: diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..27d87a6 --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,245 @@ +{ + "nodes": { + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1693611461, + "narHash": "sha256-aPODl8vAgGQ0ZYFIRisxYG5MOGSkIczvu2Cd8Gb9+1Y=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "7f53fdb7bdc5bb237da7fefef12d099e4fd611ca", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-root": { + "locked": { + "lastModified": 1692742795, + "narHash": "sha256-f+Y0YhVCIJ06LemO+3Xx00lIcqQxSKJHXT/yk1RTKxw=", + "owner": "srid", + "repo": "flake-root", + "rev": "d9a70d9c7a5fd7f3258ccf48da9335e9b47c3937", + "type": "github" + }, + "original": { + "owner": "srid", + "repo": "flake-root", + "type": "github" + } + }, + "git-hooks": { + "inputs": { + "flake-compat": "flake-compat", + "gitignore": "gitignore", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1723803910, + "narHash": "sha256-yezvUuFiEnCFbGuwj/bQcqg7RykIEqudOy/RBrId0pc=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "bfef0ada09e2c8ac55bbcd0831bd0c9d42e651ba", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "git-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": 
"hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gomod2nix": { + "inputs": { + "nixpkgs": "nixpkgs", + "utils": "utils" + }, + "locked": { + "lastModified": 1677459247, + "narHash": "sha256-JbakfAiPYmCCV224yAMq/XO0udN5coWv/oazblMKdoY=", + "owner": "nix-community", + "repo": "gomod2nix", + "rev": "3cbf3a51fe32e2f57af4c52744e7228bab22983d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "gomod2nix", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1658285632, + "narHash": "sha256-zRS5S/hoeDGUbO+L95wXG9vJNwsSYcl93XiD0HQBXLk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "5342fc6fb59d0595d26883c3cadff16ce58e44f3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "master", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib": { + "locked": { + "dir": "lib", + "lastModified": 1693471703, + "narHash": "sha256-0l03ZBL8P1P6z8MaSDS/MvuU8E75rVxe5eE1N6gxeTo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3e52e76b70d5508f3cec70b882a29199f4d1ee85", + "type": "github" + }, + "original": { + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1720386169, + "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "194846768975b7ad2c4988bdb82572c00222c0d7", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1723804784, + "narHash": "sha256-Dy7Xzw26Sm971htE0MVG5MIDVoLI0F/IRAB/pIHIYFw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8e51cda889592f83ebb9e4ba942825e587bfd187", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-parts": 
"flake-parts", + "flake-root": "flake-root", + "git-hooks": "git-hooks", + "gomod2nix": "gomod2nix", + "nixpkgs": "nixpkgs_2", + "systems": "systems", + "treefmt-nix": "treefmt-nix" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1693817438, + "narHash": "sha256-fg3+n4Ky1gCzDtPm0MomMTFw0YkH05Y8ojy5t7bkfHg=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "b8d3a059f5487d6767d07c3716386753e3132d9f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "utils": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..90f36c3 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,101 @@
+{
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/release-24.05";
+ flake-parts.url = "github:hercules-ci/flake-parts";
+ flake-root.url = "github:srid/flake-root";
+ gomod2nix.url = "github:nix-community/gomod2nix";
+ git-hooks = {
+ url = "github:cachix/git-hooks.nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ systems.url = "github:nix-systems/default";
+ treefmt-nix = {
+ url = "github:numtide/treefmt-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ outputs = inputs:
+ inputs.flake-parts.lib.mkFlake {inherit inputs;} {
+ systems = inputs.nixpkgs.lib.trivial.id (import inputs.systems);
+ imports = [
+ inputs.flake-root.flakeModule
+ inputs.git-hooks.flakeModule
+ inputs.treefmt-nix.flakeModule
+ ];
+ perSystem = {
+ config,
+ self',
+ inputs',
+ system,
+ ...
+ }: let
+ pkgs = import inputs.nixpkgs {
+ inherit system;
+ overlays = [inputs.gomod2nix.overlays.default (final: prev: {})];
+ config = {};
+ };
+ version = inputs.self.shortRev or "development";
+ jenkins-credentials-decryptor = pkgs.buildGoApplication {
+ inherit version;
+ pname = "jenkins-credentials-decryptor";
+ src = ./.;
+ ldflags = ["-X github.com/lafrenierejm/gron/cmd.Version=${version}"];
+ modules = ./gomod2nix.toml;
+ meta = with pkgs.lib; {
+ description = "Command line tool for decrypting and dumping Jenkins credentials";
+ homepage = "https://github.com/hoto/jenkins-credentials-decryptor";
+ license = licenses.mit;
+ maintainers = with maintainers; [lafrenierejm];
+ };
+ };
+ in {
+ # Per-system attributes can be defined here. The self' and inputs'
+ # module parameters provide easy access to attributes of the same
+ # system.
+ packages = {
+ inherit jenkins-credentials-decryptor;
+ default = jenkins-credentials-decryptor;
+ };
+
+ apps = {
+ inherit jenkins-credentials-decryptor;
+ default = jenkins-credentials-decryptor;
+ };
+
+ # Auto formatters.
+ treefmt.config = {
+ projectRootFile = ".git/config";
+ package = pkgs.treefmt;
+ flakeCheck = false; # use pre-commit's check instead
+ programs = {
+ alejandra.enable = true;
+ };
+ };
+
+ pre-commit = {
+ check.enable = true;
+ settings.hooks = {
+ editorconfig-checker.enable = true;
+ treefmt.enable = true;
+ typos.enable = true;
+ };
+ };
+
+ devShells.default = pkgs.mkShell {
+ # Inherit all of the pre-commit hooks.
+ inputsFrom = [config.pre-commit.devShell];
+ packages =
+ config.pre-commit.settings.enabledPackages
+ ++ (with pkgs; [
+ go-tools
+ godef
+ gomod2nix
+ gopls
+ gotools
+ (mkGoEnv {pwd = ./.;})
+ ]);
+ };
+ };
+ };
+}
diff --git a/gomod2nix.toml b/gomod2nix.toml new file mode 100644 index 0000000..b8e9d2c --- /dev/null +++ b/gomod2nix.toml @@ -0,0 +1,24 @@ +schema = 3 + +[mod] + [mod."github.com/beevik/etree"] + version = "v1.1.0" + hash = "sha256-tvvc/RbFjTppdAKs1xUnMhfTXiW4Yr4CQ9NmrhF8uIk=" + [mod."github.com/davecgh/go-spew"] + version = "v1.1.0" + hash = "sha256-zNSuzjr5n7zhK8VOciSigLMfbnHbmyzsWdTcMlV1kjQ=" + [mod."github.com/pmezard/go-difflib"] + version = "v1.0.0" + hash = "sha256-/FtmHnaGjdvEIKAJtrUfEhV7EVo5A/eYrtdnUkuxLDA=" + [mod."github.com/stretchr/objx"] + version = "v0.1.0" + hash = "sha256-az0Vd4MG3JXfaYbj0Q6AOmNkrXgmXDeQm8+BBiDXmdA=" + [mod."github.com/stretchr/testify"] + version = "v1.6.1" + hash = "sha256-GwrZr9lU8698GFal0l/sFQ/TYP/eQIeNnnYJWpe3/IE=" + [mod."gopkg.in/check.v1"] + version = "v0.0.0-20161208181325-20d25e280405" + hash = "sha256-1w5mgYaZUC52uzDnpXXVqle/9AVkH4WePSrQFOVANUw=" + [mod."gopkg.in/yaml.v3"] + version = "v3.0.0-20200313102051-9f266ea9e77c" + hash = "sha256-ZXiVLum4UY7Xg2LUMJOk3m248lOrab5FBxWU9emIaq0="
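Review bot: The `ldflags` line in the `buildGoApplication` call of flake.nix names another project's import path, `-X github.com/lafrenierejm/gron/cmd.Version=${version}`, which looks like a leftover from a different flake. The Go linker does not fail on `-X` for a symbol it cannot find, so the build would succeed while the binary carries no version string, and nobody could tell from the artifact which revision of a credential-handling tool they are running. It should point at this module's own variable, `ldflags = ["-X <module-path-from-go.mod>/<pkg>.Version=${version}"];` (placeholder, since go.mod is not part of this patch), or be dropped if no such variable exists. Separately, `gomod2nix` is declared without `inputs.nixpkgs.follows`, which is why flake.lock carries an extra `nixpkgs` node whose `original.ref` is `master`; `gomod2nix.inputs.nixpkgs.follows = "nixpkgs";` would keep the set of pinned sources to audit smaller.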