From c7826f534e4e2c8bfe5dbccfa935c1527a22e264 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Fri, 13 Nov 2020 10:39:17 +0100 Subject: [PATCH] parallelize CI --- .github/workflows/test.yml | 19 +++---------- default.nix | 39 +++++++++++++++++++++++--- pkgs/sops-install-secrets/default.nix | 10 ++++++- pkgs/sops-install-secrets/main_test.go | 4 +++ pkgs/sops-pgp-hook/default.nix | 2 +- pkgs/sops-pgp-hook/hook_test.go | 7 +++-- unit-tests.nix | 29 +++++++++++++++++++ 7 files changed, 87 insertions(+), 23 deletions(-) create mode 100644 unit-tests.nix diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8c037e7..83ebbd0 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -23,21 +23,10 @@ jobs: with: name: mic92 signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}' - - name: Show nixpkgs version - run: nix-instantiate --eval -E '(import {}).lib.version' - - name: Run golangci-lint - run: nix-shell --pure --run "golangci-lint run" - if: matrix.nixPath == 'nixpkgs=channel:nixpkgs-unstable' - - name: Build nix packages - run: nix-build release.nix - - name: Run sops-pgp-hook tests - run: nix-shell --pure --run "NIX_PATH=nixpkgs=$(nix-instantiate --find-file nixpkgs) go test ./pkgs/sops-pgp-hook" - name: Add keys group (needed for go tests) run: sudo groupadd keys if: matrix.os == 'ubuntu-latest' - - name: Run sops-install-secrets tests - run: nix-shell --pure --run "$(command -v sudo) unshare --mount --fork go test ./pkgs/sops-install-secrets" - if: matrix.os == 'ubuntu-latest' - - name: Run NixOS test - run: nix-build -A sops-install-secrets.tests - if: matrix.os == 'ubuntu-latest' + - name: Build nix packages + run: nix-build --no-out-link release.nix + - name: Run unit tests + run: nix-shell --no-out-link ./unit-tests.nix --argstr sudo "$(command -v sudo)" --pure --run 'true' diff --git a/default.nix b/default.nix index 9b97904..c474d5f 100644 --- a/default.nix +++ b/default.nix 
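Review bot: The golangci-lint step and the NixOS integration test step are dropped from the workflow, and nothing visible here still runs them. What remains is `nix-build --no-out-link release.nix` plus the unit-test shell; release.nix is not part of this patch, so it cannot be confirmed from here that it builds the new `lint` attribute and the `sops-install-secrets.tests` attributes that default.nix now exposes. If it does not, linting and the integration test silently stop gating merges. A short comment on the build step, e.g. `# release.nix also builds the lint derivation and the NixOS integration tests`, would record that the coverage was moved rather than removed.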
@@ -1,13 +1,44 @@ { pkgs ? import {} }: let vendorSha256 = "sha256-O0z+oEffOOZa/bn2gV9onLVbPBHsNDH2yq1CZPi8w58="; -in rec { - sops-init-gpg-key = pkgs.callPackage ./pkgs/sops-init-gpg-key {}; + sops-install-secrets = pkgs.callPackage ./pkgs/sops-install-secrets { inherit vendorSha256; }; - sops-pgp-hook = pkgs.callPackage ./pkgs/sops-pgp-hook {}; +in rec { + sops-init-gpg-key = pkgs.callPackage ./pkgs/sops-init-gpg-key {}; + sops-pgp-hook = pkgs.callPackage ./pkgs/sops-pgp-hook { }; + inherit sops-install-secrets; ssh-to-pgp = pkgs.callPackage ./pkgs/ssh-to-pgp { inherit vendorSha256; }; -} + + inherit (sops-install-secrets); + + # used in the CI only + sops-pgp-hook-test = pkgs.buildGoModule { + name = "sops-pgp-hook-test"; + src = ./.; + inherit vendorSha256; + buildPhase = '' + go test -c ./pkgs/sops-pgp-hook + install -D sops-pgp-hook.test $out/bin/sops-pgp-hook.test + ''; + }; + + unit-tests = pkgs.callPackage ./unit-tests.nix {}; + + lint = ssh-to-pgp.overrideAttrs (old: { + name = "golangci-lint"; + nativeBuildInputs = old.nativeBuildInputs ++ [ pkgs.golangci-lint ]; + buildPhase = '' + HOME=$TMPDIR golangci-lint run + ''; + installPhase = '' + touch $out + ''; + fixupPhase = ":"; + }); + +# integration tests +} // pkgs.lib.optionalAttrs (pkgs.stdenv.isLinux) sops-install-secrets.tests diff --git a/pkgs/sops-install-secrets/default.nix b/pkgs/sops-install-secrets/default.nix index 07acce5..16eb681 100644 --- a/pkgs/sops-install-secrets/default.nix +++ b/pkgs/sops-install-secrets/default.nix @@ -1,4 +1,4 @@ -{ stdenv, buildGoModule, path, pkgs, vendorSha256 }: +{ stdenv, buildGoModule, path, pkgs, vendorSha256, go }: buildGoModule { pname = "sops-install-secrets"; version = "0.0.1"; 
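Review bot: `inherit (sops-install-secrets);` in the `rec` set names no attributes, so it binds nothing; it reads like a leftover next to the `inherit sops-install-secrets;` added a few lines above it. Either drop the line or list what was meant, e.g. `inherit (sops-install-secrets) unittest;`. Separately, the trailing `// pkgs.lib.optionalAttrs (pkgs.stdenv.isLinux) sops-install-secrets.tests` merges every test attribute into the top-level set, and the right-hand side of `//` wins, so a test whose name matches a package attribute would replace it without warning. The existing `# integration tests` comment could say so.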
@@ -15,6 +15,14 @@ buildGoModule { inherit pkgs; }; + outputs = [ "out" "unittest" ]; + + postBuild = '' + go test -c ./pkgs/sops-install-secrets + install -D ./sops-install-secrets.test $unittest/bin/sops-install-secrets.test + remove-references-to -t ${go} $unittest/bin/sops-install-secrets.test + ''; + inherit vendorSha256; meta = with stdenv.lib; { diff --git a/pkgs/sops-install-secrets/main_test.go b/pkgs/sops-install-secrets/main_test.go index 31f3938..a5eb85e 100644 --- a/pkgs/sops-install-secrets/main_test.go +++ b/pkgs/sops-install-secrets/main_test.go @@ -46,6 +46,10 @@ func writeManifest(t *testing.T, dir string, m *manifest) string { } func testAssetPath() string { + assets := os.Getenv("TEST_ASSETS") + if assets != "" { + return assets + } _, filename, _, _ := runtime.Caller(0) return path.Join(path.Dir(filename), "test-assets") } diff --git a/pkgs/sops-pgp-hook/default.nix b/pkgs/sops-pgp-hook/default.nix index 56241d4..4f7d82e 100644 --- a/pkgs/sops-pgp-hook/default.nix +++ b/pkgs/sops-pgp-hook/default.nix @@ -1,4 +1,4 @@ -{ stdenv, makeSetupHook, gnupg, sops, go, nix }: +{ stdenv, makeSetupHook, gnupg, sops, nix }: (makeSetupHook { substitutions = { diff --git a/pkgs/sops-pgp-hook/hook_test.go b/pkgs/sops-pgp-hook/hook_test.go index d4de1a2..caa30a4 100644 --- a/pkgs/sops-pgp-hook/hook_test.go +++ b/pkgs/sops-pgp-hook/hook_test.go @@ -23,8 +23,11 @@ func ok(tb testing.TB, err error) { } func TestShellHook(t *testing.T) { - _, filename, _, _ := runtime.Caller(0) - assets := path.Join(path.Dir(filename), "test-assets") + assets := os.Getenv("TEST_ASSETS") + if assets == "" { + _, filename, _, _ := runtime.Caller(0) + assets = path.Join(path.Dir(filename), "test-assets") + } tempdir, err := ioutil.TempDir("", "testdir") ok(t, err) defer os.RemoveAll(tempdir) diff --git a/unit-tests.nix b/unit-tests.nix new file mode 100644 index 0000000..7483fa0 --- /dev/null +++ b/unit-tests.nix 
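Review bot: The new `TEST_ASSETS` override in `testAssetPath` (pkgs/sops-install-secrets/main_test.go) is undocumented and used as-is, so a typo or a path that does not resolve only surfaces later as an unrelated file-not-found failure in whichever test reads a fixture first. A doc comment would state the contract: `// testAssetPath returns the fixture directory; TEST_ASSETS overrides the source-relative default so a precompiled test binary can locate its assets.` The same override is written inline in `TestShellHook` in pkgs/sops-pgp-hook/hook_test.go, with the branch inverted, and deserves the same one-line comment. Both build a filesystem path with `path.Join`, where `filepath.Join` is the conventional choice.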
@@ -0,0 +1,29 @@
+{ pkgs ? import {}
+, sudo ? "sudo"
+}:
+let
+ sopsPkgs = import ./. { inherit pkgs; };
+in pkgs.stdenv.mkDerivation {
+ name = "env";
+ nativeBuildInputs = with pkgs; [
+ bashInteractive
+ gnupg
+ utillinux
+ nix
+ sopsPkgs.sops-pgp-hook-test
+ ] ++ pkgs.lib.optional (pkgs.stdenv.isLinux) sopsPkgs.sops-install-secrets.unittest;
+ # allow to prefetch shell dependencies in build phase
+ dontUnpack = true;
+ installPhase = ''
+ echo $nativeBuildInputs > $out
+ '';
+ shellHook = ''
+ set -x
+ NIX_PATH=nixpkgs=${toString pkgs.path} TEST_ASSETS=$(realpath ./pkgs/sops-pgp-hook/test-assets) \
+ sops-pgp-hook.test
+ ${pkgs.lib.optionalString (pkgs.stdenv.isLinux) ''
+ ${sudo} TEST_ASSETS=$(realpath ./pkgs/sops-install-secrets/test-assets) \
+ unshare --mount --fork sops-install-secrets.test
+ ''}
+ '';
+}
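Review bot: Nothing in `shellHook` turns a failing test binary into a failed shell: the hook only sets `set -x`, and the workflow then invokes it with `--run 'true'`, so the step's exit status appears to come from `true` rather than from `sops-pgp-hook.test` or `sops-install-secrets.test`. The second binary is the one that exercises secret installation under `sudo`, so a failing test that still yields a green job is worth ruling out by running the step once with a deliberately failing test. An explicit `sops-pgp-hook.test || exit 1`, and the same after the `unshare` line, makes the intent unambiguous. On the `${sudo}` line the `TEST_ASSETS=$(realpath ...)` word is an argument to sudo rather than a shell assignment, so it is subject to word splitting and should be quoted.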