2022-12-17 10:02:37 +00:00
|
|
|
#!/usr/bin/env nix-shell
|
2023-07-15 17:15:38 +00:00
|
|
|
#!nix-shell -i bash -p curl gnused jq nix-prefetch
|
2022-12-17 10:02:37 +00:00
|
|
|
|
|
|
|
set -euxo pipefail
|
|
|
|
|
|
|
|
# provide a github token so you don't get rate limited
|
|
|
|
# if you use gh cli you can use:
|
|
|
|
# `export GITHUB_TOKEN="$(cat ~/.config/gh/config.yml | yq '.hosts."github.com".oauth_token' -r)"`
|
|
|
|
# or just set your token by hand:
|
|
|
|
# `read -s -p "Enter your token: " GITHUB_TOKEN; export GITHUB_TOKEN`
|
|
|
|
# (we use read so it doesn't show in our shell history and in secret mode so the token you paste isn't visible)
|
|
|
|
if [ -z "${GITHUB_TOKEN:-}" ]; then
|
|
|
|
echo "no GITHUB_TOKEN provided - you could meet API request limiting" >&2
|
|
|
|
fi
|
|
|
|
|
|
|
|
ROOT="$(dirname "$(readlink -f "$0")")"
|
|
|
|
NIXPKGS_ROOT="$ROOT/../../../.."
|
|
|
|
|
|
|
|
COMMON_FILE="$ROOT/common.nix"
|
|
|
|
|
|
|
|
instantiateClean() {
|
|
|
|
nix-instantiate -A "$1" --eval --strict | cut -d\" -f2
|
|
|
|
}
|
|
|
|
|
|
|
|
# get latest version
|
|
|
|
NEW_VERSION=$(
|
2024-02-29 20:09:43 +00:00
|
|
|
curl -s -L -H \
|
2022-12-17 10:02:37 +00:00
|
|
|
"Accept: application/vnd.github.v3+json" \
|
|
|
|
${GITHUB_TOKEN:+ -H "Authorization: bearer $GITHUB_TOKEN"} \
|
2024-02-29 20:09:43 +00:00
|
|
|
https://api.github.com/repos/semgrep/semgrep/releases/latest \
|
2022-12-17 10:02:37 +00:00
|
|
|
| jq -r '.tag_name'
|
|
|
|
)
|
|
|
|
# trim v prefix
|
|
|
|
NEW_VERSION="${NEW_VERSION:1}"
|
2023-07-15 17:15:38 +00:00
|
|
|
OLD_VERSION="$(instantiateClean semgrep.passthru.common.version)"
|
2022-12-17 10:02:37 +00:00
|
|
|
|
|
|
|
if [[ "$OLD_VERSION" == "$NEW_VERSION" ]]; then
|
|
|
|
echo "Already up to date"
|
|
|
|
exit
|
|
|
|
fi
|
|
|
|
|
|
|
|
replace() {
|
|
|
|
sed -i "s@$1@$2@g" "$3"
|
|
|
|
}
|
|
|
|
|
|
|
|
fetchgithub() {
|
|
|
|
set +eo pipefail
|
|
|
|
nix-build -A "$1" 2>&1 >/dev/null | grep "got:" | cut -d':' -f2 | sed 's| ||g'
|
|
|
|
set -eo pipefail
|
|
|
|
}
|
|
|
|
|
2023-07-15 17:15:38 +00:00
|
|
|
fetch_arch() {
|
|
|
|
VERSION=$1
|
|
|
|
PLATFORM=$2
|
|
|
|
nix-prefetch "{ fetchPypi }:
|
|
|
|
fetchPypi rec {
|
|
|
|
pname = \"semgrep\";
|
|
|
|
version = \"$VERSION\";
|
|
|
|
format = \"wheel\";
|
|
|
|
dist = python;
|
2024-02-29 20:09:43 +00:00
|
|
|
python = \"cp38.cp39.cp310.cp311.py37.py38.py39.py310.py311\";
|
2023-07-15 17:15:38 +00:00
|
|
|
platform = \"$PLATFORM\";
|
|
|
|
}
|
|
|
|
"
|
2022-12-17 10:02:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
replace "$OLD_VERSION" "$NEW_VERSION" "$COMMON_FILE"
|
|
|
|
|
|
|
|
echo "Updating src"
|
|
|
|
|
2023-07-15 17:15:38 +00:00
|
|
|
OLD_HASH="$(instantiateClean semgrep.passthru.common.srcHash)"
|
2022-12-17 10:02:37 +00:00
|
|
|
echo "Old hash $OLD_HASH"
|
|
|
|
TMP_HASH="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
|
|
|
|
replace "$OLD_HASH" "$TMP_HASH" "$COMMON_FILE"
|
2023-07-15 17:15:38 +00:00
|
|
|
NEW_HASH="$(fetchgithub semgrep.src)"
|
2022-12-17 10:02:37 +00:00
|
|
|
echo "New hash $NEW_HASH"
|
|
|
|
replace "$TMP_HASH" "$NEW_HASH" "$COMMON_FILE"
|
|
|
|
|
|
|
|
echo "Updated src"
|
|
|
|
|
|
|
|
|
2023-07-15 17:15:38 +00:00
|
|
|
update_core_platform() {
|
|
|
|
SYSTEM=$1
|
|
|
|
echo "Updating core src $SYSTEM"
|
|
|
|
|
|
|
|
PLATFORM="$(instantiateClean "semgrep.passthru.common.core.$SYSTEM.platform")"
|
2022-12-17 10:02:37 +00:00
|
|
|
|
2023-07-15 17:15:38 +00:00
|
|
|
OLD_HASH="$(instantiateClean "semgrep.passthru.common.core.$SYSTEM.hash")"
|
|
|
|
echo "Old core hash $OLD_HASH"
|
|
|
|
NEW_HASH="$(fetch_arch "$NEW_VERSION" "$PLATFORM")"
|
|
|
|
echo "New core hash $NEW_HASH"
|
2022-12-17 10:02:37 +00:00
|
|
|
replace "$OLD_HASH" "$NEW_HASH" "$COMMON_FILE"
|
|
|
|
|
2023-07-15 17:15:38 +00:00
|
|
|
echo "Updated core src $SYSTEM"
|
|
|
|
}
|
|
|
|
|
|
|
|
update_core_platform "x86_64-linux"
|
|
|
|
update_core_platform "x86_64-darwin"
|
|
|
|
update_core_platform "aarch64-darwin"
|
2022-12-17 10:02:37 +00:00
|
|
|
|
|
|
|
OLD_PWD=$PWD
|
|
|
|
TMPDIR="$(mktemp -d)"
|
|
|
|
# shallow clone to check submodule commits, don't actually need the submodules
|
2024-02-29 20:09:43 +00:00
|
|
|
git clone https://github.com/semgrep/semgrep "$TMPDIR/semgrep" --depth 1 --branch "v$NEW_VERSION"
|
2022-12-17 10:02:37 +00:00
|
|
|
|
|
|
|
get_submodule_commit() {
|
|
|
|
OLD_PWD=$PWD
|
|
|
|
(
|
|
|
|
cd "$TMPDIR/semgrep"
|
|
|
|
git ls-tree --object-only HEAD "$1"
|
|
|
|
cd "$OLD_PWD"
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
|
|
|
# loop through submodules
|
|
|
|
nix-instantiate -E "with import $NIXPKGS_ROOT {}; builtins.attrNames semgrep.passthru.common.submodules" --eval --strict --json \
|
|
|
|
| jq '.[]' -r \
|
|
|
|
| while read -r SUBMODULE; do
|
|
|
|
echo "Updating $SUBMODULE"
|
|
|
|
OLD_REV=$(instantiateClean semgrep.passthru.common.submodules."$SUBMODULE".rev)
|
|
|
|
echo "Old commit $OLD_REV"
|
2023-07-15 17:15:38 +00:00
|
|
|
OLD_HASH=$(instantiateClean semgrep.passthru.common.submodules."$SUBMODULE".hash)
|
2022-12-17 10:02:37 +00:00
|
|
|
echo "Old hash $OLD_HASH"
|
|
|
|
|
|
|
|
NEW_REV=$(get_submodule_commit "$SUBMODULE")
|
|
|
|
echo "New commit $NEW_REV"
|
|
|
|
|
|
|
|
if [[ "$OLD_REV" == "$NEW_REV" ]]; then
|
|
|
|
echo "$SUBMODULE already up to date"
|
|
|
|
continue
|
|
|
|
fi
|
|
|
|
|
2023-03-15 16:39:30 +00:00
|
|
|
TMP_HASH="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
|
2022-12-17 10:02:37 +00:00
|
|
|
replace "$OLD_REV" "$NEW_REV" "$COMMON_FILE"
|
|
|
|
replace "$OLD_HASH" "$TMP_HASH" "$COMMON_FILE"
|
2023-07-15 17:15:38 +00:00
|
|
|
NEW_HASH="$(fetchgithub semgrep.passthru.submodulesSubset."$SUBMODULE")"
|
2022-12-17 10:02:37 +00:00
|
|
|
echo "New hash $NEW_HASH"
|
|
|
|
replace "$TMP_HASH" "$NEW_HASH" "$COMMON_FILE"
|
|
|
|
|
|
|
|
echo "Updated $SUBMODULE"
|
|
|
|
done
|
|
|
|
|
|
|
|
rm -rf "$TMPDIR"
|
|
|
|
|
|
|
|
echo "Finished"
|
|
|
|
|