nix-community · jaen · May 24, 2024 · May 25, 2024 · May 25, 2024 · Jun 7, 2024
diff --git a/.envrc b/.envrc
@@ -0,0 +1,14 @@
+# shellcheck shell=bash
+if has nix; then
+  # Are flake supported and enabled?
+  if nix show-config | grep experimental-features | grep -q flakes; then
+    # Do we have nix-direnv?
+    if ! has nix_direnv_version || ! nix_direnv_version 3.0.4; then
+      source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.4/direnvrc" "sha256-gMHkKyEOq/T0XmHKgz+pN+fUQC/1EKPAuOtYM95lLnU="
+    fi
+
+    use flake
+  else
+    use nix
+  fi
+fi
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
@@ -1,8 +1,9 @@
 name: Generate documentation
 
 on:
-  push:
-    branches: [ master ]
+  workflow_dispatch: {}
+  # push:
+  #   branches: [ master ]
 
 jobs:
   docs:

diff --git a/.github/workflows/grapheneos-update.yml b/.github/workflows/grapheneos-update.yml
@@ -1,6 +1,8 @@
 name: "Update GrapheneOS"
 
-on: { schedule: [{ cron: '0 0 * * 0' }], workflow_dispatch }
+on: 
+  workflow_dispatch: {}
+  # schedule: [{ cron: '0 0 * * 0' }]
 
 jobs:
   updates:
@@ -17,19 +19,19 @@ jobs:
          # buildNumber is the only quoted string inside upstream-params.nix so we can
          # just use grep to extract the first quoted string and use xargs to strip the
          # quotes
-         OLD_BUILD_NUMBER=$(grep -o -m 1 '"[^"]*"' ./flavors/grapheneos/upstream-params.nix | xargs)
-         echo "OLD_BUILD_NUMBER=$OLD_BUILD_NUMBER" | tee -a $GITHUB_ENV
+         OLD_BUILD_NUMBER="$(grep -o -m 1 '"[^"]*"' ./flavors/grapheneos/upstream-params.nix | xargs)"
+         echo "OLD_BUILD_NUMBER=$OLD_BUILD_NUMBER" | tee -a "$GITHUB_ENV"
 
          nix develop -c ./flavors/grapheneos/extract-upstream-params.sh
 
-         NEW_BUILD_NUMBER=$(grep -o -m 1 '"[^"]*"' ./flavors/grapheneos/upstream-params.nix | xargs)
-         echo "NEW_BUILD_NUMBER=$NEW_BUILD_NUMBER" | tee -a $GITHUB_ENV
+         NEW_BUILD_NUMBER="$(grep -o -m 1 '"[^"]*"' ./flavors/grapheneos/upstream-params.nix | xargs)"
+         echo "NEW_BUILD_NUMBER=$NEW_BUILD_NUMBER" | tee -a "$GITHUB_ENV"
     - name: "Update devices"
       if: env.OLD_BUILD_NUMBER != env.NEW_BUILD_NUMBER
       run: |
         for DEVICE in crosshatch sunfish oriole; do
-            METADATA=$(curl -sSfL "https://releases.grapheneos.org/$DEVICE-beta")
-            BUILD_PREFIX=$(echo "$METADATA" | cut -d" " -f3)
+            METADATA="(curl -sSfL "https://releases.grapheneos.org/$DEVICE-beta")"
+            BUILD_PREFIX="$(echo "$METADATA" | cut -d" " -f3)"
             git mv "./flavors/grapheneos/repo-$BUILD_PREFIX.$OLD_BUILD_NUMBER.json" \
                    "./flavors/grapheneos/repo-$BUILD_PREFIX.$NEW_BUILD_NUMBER.json"
             nix develop -c ./flavors/grapheneos/update.sh "$BUILD_PREFIX.$NEW_BUILD_NUMBER"

diff --git a/.github/workflows/instantiate.yml b/.github/workflows/instantiate.yml
@@ -3,8 +3,10 @@
 
 name: "Basic Tests"
 on:
-  pull_request:
-  push:
+  workflow_dispatch: {}
+  # pull_request:
+  # push:
+
 jobs:
   nix-instantiate:
     runs-on: ubuntu-latest
@@ -15,19 +17,19 @@ jobs:
         extra_nix_config: |
           experimental-features = nix-command flakes
     - run: |
-        nix run github:nix-community/nix-eval-jobs/3f305f4538e056e6f6f775e1f75410b6d4d8d9aa -- --workers $(nproc) --option allow-import-from-derivation false --show-trace ./release.nix | tee eval.json
+        nix run github:nix-community/nix-eval-jobs/3f305f4538e056e6f6f775e1f75410b6d4d8d9aa -- --workers "$(nproc)" --option allow-import-from-derivation false --show-trace ./release.nix | tee eval.json
         jq -c 'select(.error)' eval.json | tee errors.json
-        if [[ "$(wc -l < errors.json)" > 0 ]]; then exit 1; fi
+        if [[ "$(wc -l < errors.json)" -gt 0 ]]; then exit 1; fi
   robotnix-eval-tests:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2.3.5
     - uses: cachix/install-nix-action@v12
     - run: |
-        OUTPUT=$(nix-instantiate --eval --strict tests/eval.nix)
+        OUTPUT="$(nix-instantiate --eval --strict tests/eval.nix)"
         if [[ "$OUTPUT" != "[ ]" ]]; then
           echo "Instantiation tests failed:"
-          echo $OUTPUT
+          echo "$OUTPUT"
         fi
   nixos-tests:
     runs-on: ubuntu-latest
@@ -55,10 +57,10 @@ jobs:
           experimental-features = nix-command flakes
     - run: |
         nix flake check
-        export ORIG_DIR=$PWD
-        cd $(mktemp -d)
-        nix flake init -t $ORIG_DIR
-        nix flake check --override-input robotnix $ORIG_DIR
+        export ORIG_DIR="$PWD"
+        cd "$(mktemp -d)"
+        nix flake init -t "$ORIG_DIR"
+        nix flake check --override-input robotnix "$ORIG_DIR"
   checks:
     runs-on: ubuntu-latest
     steps:

diff --git a/.github/workflows/nix-flake-actions.yml b/.github/workflows/nix-flake-actions.yml
@@ -0,0 +1,58 @@
+name: Nix Flake Actions
+on:
+  pull_request:
+  workflow_dispatch:
+  push:
+    branches:
+      - master
+      - main
+
+jobs:
+  nix-matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: cachix/install-nix-action@v27
+      - id: set-matrix
+        name: Generate Nix Matrix
+        run: |
+          set -Eeu
+          matrix="$(nix eval --json '.#githubActions.matrix')"
+          echo "matrix=$matrix" >> "$GITHUB_OUTPUT"
+
+  nix-flake-checks:
+    needs: nix-matrix
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix: ${{fromJSON(needs.nix-matrix.outputs.matrix)}}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: cachix/install-nix-action@v27
+      - uses: cachix/cachix-action@v15
+        with:
+          name: jaen-robotnix
+          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+      - run: nix build -L ".#${{ matrix.attr }}"
+
+  nix-flake-check-template:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: cachix/install-nix-action@v27
+      - uses: cachix/cachix-action@v15
+        with:
+          name: jaen-robotnix
+          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+      - name: "Check the robotnix flake"
+        run: |
+          # Don't run checks here, the `nix-flake-checks` job takes care of it
+          nix flake check --no-build
+      - name: "Check the templated robotnix flake"
+        run: |
+          export ORIG_DIR="$PWD"
+          cd "$(mktemp -d)"
+
+          nix flake init -t "$ORIG_DIR"
+          nix flake check --override-input robotnix "$ORIG_DIR"
diff --git a/.gitignore b/.gitignore
@@ -5,3 +5,5 @@ __pycache__
 .pytest_cache
 .mypy_cache
 .ruff_cache
+
+.direnv
diff --git a/apks/auditor/default.nix b/apks/auditor/default.nix
@@ -2,18 +2,34 @@
 # SPDX-License-Identifier: MIT
 
 # https://www.reddit.com/r/GrapheneOS/comments/bpcttk/avb_key_auditor_app/
-{ callPackage, lib, stdenv, pkgs, substituteAll, fetchFromGitHub,
-  androidPkgs, jdk11_headless, gradle, gradleToNixPatchedFetchers,
+{
+  callPackage,
+  lib,
+  stdenv,
+  pkgs,
+  substituteAll,
+  fetchFromGitHub,
+  androidPkgs,
+  jdk11_headless,
+  gradle,
+  gradleToNixPatchedFetchers,
   domain ? "example.org",
   applicationName ? "Robotnix Auditor",
   applicationId ? "org.robotnix.auditor",
   signatureFingerprint ? "", # Signature that this app will be signed by.
   device ? "",
-  avbFingerprint ? ""
+  avbFingerprint ? "",
 }:
 let
-  androidsdk = androidPkgs.sdk (p: with p; [ cmdline-tools-latest platform-tools platforms-android-30 build-tools-30-0-3 ]);
-  buildGradle = callPackage ./gradle-env.nix {};
+  androidsdk = androidPkgs.sdk (
+    p: with p; [
+      cmdline-tools-latest
+      platform-tools
+      platforms-android-30
+      build-tools-30-0-3
+    ]
+  );
+  buildGradle = callPackage ./gradle-env.nix { };
   supportedDevices = import ./supported-devices.nix;
 in
 buildGradle rec {
@@ -31,12 +47,16 @@ buildGradle rec {
 
   patches = [
     # TODO: Enable support for passing multiple device fingerprints
-    (substituteAll ({
-      src = ./customized-auditor.patch;
-      inherit domain applicationName applicationId ;
-      signatureFingerprint = lib.toUpper signatureFingerprint;
-    }
-    // lib.genAttrs supportedDevices (d: if (device == d) then avbFingerprint else "DISABLED_CUSTOM_${d}")))
+    (substituteAll (
+      {
+        src = ./customized-auditor.patch;
+        inherit domain applicationName applicationId;
+        signatureFingerprint = lib.toUpper signatureFingerprint;
+      }
+      // lib.genAttrs supportedDevices (
+        d: if (device == d) then avbFingerprint else "DISABLED_CUSTOM_${d}"
+      )
+    ))
 
     # TODO: Ugly downgrades due to not being able to update to gradle 7.0.2, since its not working with gradle2nix
     ./build-hacks.patch