Merge pull request #311799 from cameronraysmith/add-ratchet

ratchet: init at 0.9.2
2024-05-18 21:31:07 +08:00 · 2024-05-18 21:31:07 +08:00 · c7829cdc44
commit c7829cdc44
parent 7aee1dba3d 59921e79a2
3 changed files with 97 additions and 0 deletions
--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@ -3207,6 +3207,16 @@
    githubId = 3212452;
    name = "Cameron Nemo";
  };
+  cameronraysmith = {
+    email = "cameronraysmith@gmail.com";
+    matrix = "@cameronraysmith:matrix.org";
+    github = "cameronraysmith";
+    githubId = 420942;
+    name = "Cameron Smith";
+    keys = [{
+      fingerprint = "3F14 C258 856E 88AE E0F9  661E FF04 3B36 8811 DD1C";
+    }];
+  };
  camillemndn = {
    email = "camillemondon@free.fr";
    github = "camillemndn";
--- a/pkgs/by-name/ra/ratchet/package.nix
+++ b/pkgs/by-name/ra/ratchet/package.nix
@ -0,0 +1,70 @@
+{
+  lib,
+  buildGoModule,
+  fetchFromGitHub,
+  callPackage,
+}:
+buildGoModule rec {
+  pname = "ratchet";
+  version = "0.9.2";
+
+  # ratchet uses the git sha-1 in the version string, e.g.
+  #
+  # $ ./ratchet --version
+  # ratchet 0.9.2 (d57cc1a53c022d3f87c4820bc6b64384a06c8a07, darwin/arm64)
+  #
+  # so we need to either hard-code the sha-1 corresponding to the version tag
+  # head or retain the git metadata folder and extract it using the git cli.
+  # We currently hard-code it.
+  src = fetchFromGitHub {
+    owner = "sethvargo";
+    repo = "ratchet";
+    rev = "d57cc1a53c022d3f87c4820bc6b64384a06c8a07";
+    hash = "sha256-gQ98uD9oPUsECsduv/lqGdYNmtHetU49ETfWCE8ft8U=";
+  };
+
+  proxyVendor = true;
+  vendorHash = "sha256-J7LijbhpKDIfTcQMgk2x5FVaYG7Kgkba/1aSTmgs5yw=";
+
+  subPackages = [ "." ];
+
+  ldflags =
+    let
+      package_url = "github.com/sethvargo/ratchet";
+    in
+    [
+      "-s"
+      "-w"
+      "-X ${package_url}/internal/version.name=${pname}"
+      "-X ${package_url}/internal/version.version=${version}"
+      "-X ${package_url}/internal/version.commit=${src.rev}"
+    ];
+
+  doInstallCheck = true;
+  installCheckPhase = ''
+    $out/bin/ratchet --version 2>&1 | grep ${version};
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out/bin
+    install -Dm755 "$GOPATH/bin/ratchet" -T $out/bin/ratchet
+    runHook postInstall
+  '';
+
+  passthru.tests = {
+    execution = callPackage ./tests.nix { };
+  };
+
+  meta = with lib; {
+    description = "A tool for securing CI/CD workflows with version pinning.";
+    mainProgram = "ratchet";
+    downloadPage = "https://github.com/sethvargo/ratchet";
+    homepage = "https://github.com/sethvargo/ratchet";
+    license = licenses.asl20;
+    maintainers = with maintainers; [
+      cameronraysmith
+      ryanccn
+    ];
+  };
+}
--- a/pkgs/by-name/ra/ratchet/tests.nix
+++ b/pkgs/by-name/ra/ratchet/tests.nix
@ -0,0 +1,17 @@
+{
+  lib,
+  runCommand,
+  ratchet,
+}: let
+  inherit (ratchet) pname version;
+in
+  runCommand "${pname}-tests" {meta.timeout = 60;}
+  ''
+    set -euo pipefail
+
+    # Ensure ratchet is executable
+    ${ratchet}/bin/ratchet --version
+    ${ratchet}/bin/ratchet --help
+
+    touch $out
+  ''