Diffstat (limited to 'nixpkgs/pkgs/development/tools/infisical')
-rw-r--r-- | nixpkgs/pkgs/development/tools/infisical/default.nix | 136 | ||||
-rw-r--r-- | nixpkgs/pkgs/development/tools/infisical/hashes.json | 6 | ||||
-rwxr-xr-x | nixpkgs/pkgs/development/tools/infisical/update.sh | 41 |
3 files changed, 129 insertions, 54 deletions
diff --git a/nixpkgs/pkgs/development/tools/infisical/default.nix b/nixpkgs/pkgs/development/tools/infisical/default.nix
index a12142d2b733..5c4b4ca9e3e4 100644
--- a/nixpkgs/pkgs/development/tools/infisical/default.nix
+++ b/nixpkgs/pkgs/development/tools/infisical/default.nix
@@ -1,59 +1,87 @@ -{ stdenv, lib, callPackage, fetchurl }: +{ stdenv, lib, fetchurl, testers, infisical, installShellFiles }: + +# this expression is mostly automated, and you are STRONGLY +# RECOMMENDED to use to nix-update for updating this expression when new +# releases come out, which runs the sibling `update.sh` script. +# +# from the root of the nixpkgs git repository, run: +# +# nix-shell maintainers/scripts/update.nix \ +# --argstr commit true \ +# --argstr package infisical let - inherit (stdenv.hostPlatform) system; - throwSystem = throw "Unsupported system: ${system}"; - - plat = { - x86_64-linux = "linux_amd64"; - x86_64-darwin = "darwin_amd64"; - aarch64-linux = "linux_arm64"; - aarch64-darwin = "darwin_arm64"; - }.${system} or throwSystem; - - archive_fmt = "tar.gz"; - - sha256 = { - x86_64-linux = "e85c5f2ddca89caa6b44c61554c1dffeacdabc96c25a7e6881dc5722515270d1"; - x86_64-darwin = "eddbcde10271f791eb1473ba00b85b442aa059cdfee38021b8f8880f33754821"; - aarch64-linux = "9793a6db476492802ffec7f933d7f8f107a1c89fee09c8eb6bdb975b1fccecea"; - aarch64-darwin = "46c8a82a71da5731c108d24b4a960a507af66d91bba7b7246dd3a3415afaf7d3"; - }.${system} or throwSystem; + # build hashes, which correspond to the hashes of the precompiled binaries procured by GitHub Actions. + buildHashes = builtins.fromJSON (builtins.readFile ./hashes.json); + + # the version of infisical + version = "0.14.3"; + + # the platform-specific, statically linked binary + src = + let + suffix = { + # map the platform name to the golang toolchain suffix + # NOTE: must be synchronized with update.sh! 
+ x86_64-linux = "linux_amd64"; + x86_64-darwin = "darwin_amd64"; + aarch64-linux = "linux_arm64"; + aarch64-darwin = "darwin_arm64"; + }."${stdenv.hostPlatform.system}" or (throw "Unsupported system: ${stdenv.hostPlatform.system}"); + + name = "infisical_${version}_${suffix}.tar.gz"; + hash = buildHashes."${stdenv.hostPlatform.system}"; + url = "https://github.com/Infisical/infisical/releases/download/infisical-cli%2Fv${version}/${name}"; + in + fetchurl { inherit name url hash; }; + in - stdenv.mkDerivation (finalAttrs: { - pname = "infisical"; - version = "0.14.2"; - - src = fetchurl { - url = "https://github.com/Infisical/infisical/releases/download/infisical-cli%2Fv${finalAttrs.version}/infisical_${finalAttrs.version}_${plat}.tar.gz"; - inherit sha256; - }; - - sourceRoot = "."; - installPhase = '' - mkdir -p $out/bin/ $out/share/completions/ $out/share/man/ - cp completions/* $out/share/completions/ - cp manpages/* $out/share/man/ - cp infisical $out/bin - ''; +stdenv.mkDerivation { + pname = "infisical"; + version = version; + inherit src; - postInstall = '' - installManPage share/man/infisical.1.gz - installShellCompletion share/completions/infisical.{bash,fish,zsh} - chmod +x bin/infisical - ''; + nativeBuildInputs = [ installShellFiles ]; + + doCheck = true; + dontConfigure = true; + dontStrip = true; + + sourceRoot = "."; + buildPhase = "chmod +x ./infisical"; + checkPhase = "./infisical --version"; + installPhase = '' + mkdir -p $out/bin/ $out/share/completions/ $out/share/man/ + cp infisical $out/bin + cp completions/* $out/share/completions/ + cp manpages/* $out/share/man/ + ''; + postInstall = '' + installManPage share/man/infisical.1.gz + installShellCompletion share/completions/infisical.{bash,fish,zsh} + ''; - meta = with lib; { - description = "The official Infisical CLI"; - longDescription = '' - Infisical is an Open Source, End-to-End encrypted platform that lets you - securely sync secrets and configs across your team, devices, and 
infrastructure - ''; - mainProgram = "infisical"; - homepage = "https://infisical.com/"; - downloadPage = "https://github.com/Infisical/infisical/releases/"; - license = licenses.mit; - maintainers = [ maintainers.ivanmoreau maintainers.jgoux ]; - platforms = [ "x86_64-linux" "x86_64-darwin" "aarch64-darwin" "aarch64-linux" ]; - }; - }) + passthru = { + updateScript = ./update.sh; + tests.version = testers.testVersion { package = infisical; }; + }; + + meta = with lib; { + description = "The official Infisical CLI"; + longDescription = '' + Infisical is the open-source secret management platform: + Sync secrets across your team/infrastructure and prevent secret leaks. + ''; + homepage = "https://infisical.com"; + changelog = "https://github.com/infisical/infisical/releases/tag/infisical-cli%2Fv${version}"; + license = licenses.mit; + mainProgram = "infisical"; + maintainers = [ maintainers.ivanmoreau maintainers.jgoux ]; + platforms = [ + "x86_64-linux" + "aarch64-linux" + "aarch64-darwin" + "x86_64-darwin" + ]; + }; +} diff --git a/nixpkgs/pkgs/development/tools/infisical/hashes.json b/nixpkgs/pkgs/development/tools/infisical/hashes.json new file mode 100644 index 000000000000..0e79f2a1e00c --- /dev/null +++ b/nixpkgs/pkgs/development/tools/infisical/hashes.json @@ -0,0 +1,6 @@ +{ "_comment": "@generated by pkgs/development/tools/infisical/update.sh" +, "x86_64-linux": "sha256-sTfwooMN5ckdaxpd4R3yQvDEYT7muYZTyFEm0exM33M=" +, "x86_64-darwin": "sha256-B94+mF5Wu0pHKIo8CuHAbrorzIxK2U64Np3JFlTc1kk=" +, "aarch64-linux": "sha256-eGuKnC6h1YPW0UdY5wcChbiSzATAcSmHZ6mKBI2sR80=" +, "aarch64-darwin": "sha256-s4s1la165cQ5I296ZCeW3ZIyYapTfRxa20QdZmXvido=" +} diff --git a/nixpkgs/pkgs/development/tools/infisical/update.sh b/nixpkgs/pkgs/development/tools/infisical/update.sh new file mode 100755 index 000000000000..5810d2ee48b4 --- /dev/null +++ b/nixpkgs/pkgs/development/tools/infisical/update.sh 
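Review bot: The `postInstall` string in the new derivation never runs, because `installPhase` is overridden with a plain string that has no `runHook postInstall`; even if it did run, `share/man/infisical.1.gz` and `share/completions/infisical.{bash,fish,zsh}` are relative to the unpacked source directory, where the files sit under `manpages/` and `completions/` per the `cp` lines. As written, the man page and completions end up in flat `$out/share/man` and `$out/share/completions` directories rather than where `installShellFiles` would place them. I would fold the two calls into `installPhase` together with the hooks, as below; the file names are taken from the existing `postInstall` and should be checked against the release archive. Separately, since `src` is an upstream prebuilt binary, adding `sourceProvenance = with sourceTypes; [ binaryNativeCode ];` to `meta` would record that for users who restrict binary-only packages.

```nix
  # … unchanged: nativeBuildInputs, doCheck, buildPhase, checkPhase …
  installPhase = ''
    runHook preInstall
    mkdir -p $out/bin
    cp infisical $out/bin
    installManPage manpages/infisical.1.gz
    installShellCompletion completions/infisical.{bash,fish,zsh}
    runHook postInstall
  '';
  # … unchanged: passthru, meta (postInstall dropped) …
```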
@@ -0,0 +1,41 @@ +#!/usr/bin/env nix-shell +#!nix-shell -I nixpkgs=./. -i bash -p curl jq nix-prefetch common-updater-scripts nix coreutils +# shellcheck shell=bash +set -euo pipefail + +RELEASE_NAME=$(curl -s https://api.github.com/repos/infisical/infisical/releases \ + | jq -r 'sort_by(.created_at) | reverse | + (map + (select ((.prerelease == false) and (.draft == false))) | + first + ) | .name') +VERSION=$(echo "$RELEASE_NAME" | sed -E 's/^infisical-cli\/v//') + +echo "Latest infisical release: $VERSION" + +ARCHS=( + "x86_64-linux:linux_amd64" + "x86_64-darwin:darwin_amd64" + "aarch64-linux:linux_arm64" + "aarch64-darwin:darwin_arm64" +) + +NFILE=pkgs/development/tools/infisical/default.nix +HFILE=pkgs/development/tools/infisical/hashes.json +rm -f "$HFILE" && touch "$HFILE" + +printf "{ \"_comment\": \"@generated by pkgs/development/tools/infisical/update.sh\"\n" >> "$HFILE" + +for arch in "${ARCHS[@]}"; do + IFS=: read -r arch_name arch_target <<< "$arch" + sha256hash="$(nix-prefetch-url --type sha256 "https://github.com/infisical/infisical/releases/download/${RELEASE_NAME}/infisical_${VERSION}_${arch_target}.tar.gz")" + srihash="$(nix hash to-sri --type sha256 "$sha256hash")" + echo ", \"$arch_name\": \"$srihash\"" >> "$HFILE" +done +echo "}" >> "$HFILE" + +sed -i \ + '0,/version\s*=\s*".*";/s//version = "'"$VERSION"'";/' \ + "$NFILE" + +echo "Done; wrote $HFILE and updated version in $NFILE." |
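Review bot: `RELEASE_NAME` and `VERSION` are taken from the GitHub API response and then spliced unchecked into the download URL and into the `sed` program that rewrites default.nix, so a release name of an unexpected shape changes what gets written into the package expression. The jq filter also picks the newest non-draft, non-prerelease release of the whole repository rather than the newest `infisical-cli/v…` one, and when that prefix is absent the `sed -E` leaves the name untouched. I would restrict the selection with `select(.tag_name | startswith("infisical-cli/v"))` and add, right after `VERSION` is computed, `[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "unexpected version: $VERSION" >&2; exit 1; }`. `hashes.json` is also truncated before any download has succeeded, so a failed run leaves a partial file behind; writing to a temporary file and moving it into place at the end would avoid that. The recorded hashes are whatever `nix-prefetch-url` received on the day of the update, so comparing them with a checksum file published by upstream, if one exists, would strengthen the pin.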