bazel: improve script template resilience

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2025-01-25 23:06:08 -05:00 · 2023-03-29 14:13:26 +02:00 · 2023-03-29 14:13:26 +02:00 · d7fafb92b7
commit d7fafb92b7
parent 909bfb9274
13 changed files with 122 additions and 32 deletions
--- a/bazel/ci/actionlint.sh.in
+++ b/bazel/ci/actionlint.sh.in
@ -1,8 +1,9 @@
 #!/usr/bin/env bash

+###### script header ######
+
 lib=$(realpath @@BASE_LIB@@) || exit 1
-actionlint=$(realpath @@ACTIONLINT@@) || exit 1
-shellcheck=$(realpath @@SHELLCHECK@@ || echo) || exit 1
+stat "${lib}" >> /dev/null || exit 1

 # shellcheck source=../sh/lib.bash
 if ! source "${lib}"; then
@ -10,6 +11,12 @@ if ! source "${lib}"; then
  exit 1
 fi

-cd "${BUILD_WORKSPACE_DIRECTORY}" || exit 1
+actionlint=$(realpath @@ACTIONLINT@@)
+stat "${actionlint}" >> /dev/null
+shellcheck=$(realpath @@SHELLCHECK@@ || echo) # might not exist
+
+cd "${BUILD_WORKSPACE_DIRECTORY}"
+
+###### script body ######

 ${actionlint} -shellcheck="${shellcheck}"
--- a/bazel/ci/buf.sh.in
+++ b/bazel/ci/buf.sh.in
@ -1,7 +1,9 @@
 #!/usr/bin/env bash

+###### script header ######
+
 lib=$(realpath @@BASE_LIB@@) || exit 1
-buf=$(realpath @@BUF@@) || exit 1
+stat "${lib}" >> /dev/null || exit 1

 # shellcheck source=../sh/lib.bash
 if ! source "${lib}"; then
@ -9,7 +11,12 @@ if ! source "${lib}"; then
  exit 1
 fi

-cd "${BUILD_WORKSPACE_DIRECTORY}" || exit 1
+buf=$(realpath @@BUF@@)
+stat "${buf}" >> /dev/null
+
+cd "${BUILD_WORKSPACE_DIRECTORY}"
+
+###### script body ######

 readarray -t <<< "$(find "$(pwd)" -type f -name "*.proto")"
 protos=("${MAPFILE[@]}")
--- a/bazel/ci/golangci.sh.in
+++ b/bazel/ci/golangci.sh.in
@ -1,8 +1,9 @@
 #!/usr/bin/env bash

+###### script header ######
+
 lib=$(realpath @@BASE_LIB@@) || exit 1
-golangcilint=$(realpath @@GOLANGCI-LINT@@) || exit 1
-go=$(realpath @@GO@@) || exit 1
+stat "${lib}" >> /dev/null || exit 1

 # shellcheck source=../sh/lib.bash
 if ! source "${lib}"; then
@ -10,7 +11,14 @@ if ! source "${lib}"; then
  exit 1
 fi

-cd "${BUILD_WORKSPACE_DIRECTORY}" || exit 1
+golangcilint=$(realpath @@GOLANGCI-LINT@@)
+stat "${golangcilint}" >> /dev/null
+go=$(realpath @@GO@@)
+stat "${go}" >> /dev/null
+
+cd "${BUILD_WORKSPACE_DIRECTORY}"
+
+###### script body ######

 readarray -t <<< "$(${go} list -f '{{.Dir}}' -m)"
 modules=("${MAPFILE[@]}")
--- a/bazel/ci/golicenses.sh.in
+++ b/bazel/ci/golicenses.sh.in
@ -2,9 +2,10 @@

 # Compare licenses of Go dependencies against a whitelist.

+###### script header ######
+
 lib=$(realpath @@BASE_LIB@@) || exit 1
-go=$(realpath @@GO@@) || exit 1
-golicenses=$(realpath @@GO_LICENSES@@) || exit 1
+stat "${lib}" >> /dev/null || exit 1

 # shellcheck source=../sh/lib.bash
 if ! source "${lib}"; then
@ -12,7 +13,14 @@ if ! source "${lib}"; then
  exit 1
 fi

-cd "${BUILD_WORKSPACE_DIRECTORY}" || exit 1
+go=$(realpath @@GO@@)
+stat "${go}" >> /dev/null
+golicenses=$(realpath @@GO_LICENSES@@)
+stat "${golicenses}" >> /dev/null
+
+cd "${BUILD_WORKSPACE_DIRECTORY}"
+
+###### script body ######

 not_allowed() {
  echo "license not allowed for package: ${line}"
--- a/bazel/ci/govulncheck.sh.in
+++ b/bazel/ci/govulncheck.sh.in
@ -1,8 +1,9 @@
 #!/usr/bin/env bash

+###### script header ######
+
 lib=$(realpath @@BASE_LIB@@) || exit 1
-go=$(realpath @@GO@@) || exit 1
-govulncheck=$(realpath @@GOVULNCHECK@@) || exit 1
+stat "${lib}" >> /dev/null || exit 1

 # shellcheck source=../sh/lib.bash
 if ! source "${lib}"; then
@ -10,7 +11,14 @@ if ! source "${lib}"; then
  exit 1
 fi

-cd "${BUILD_WORKSPACE_DIRECTORY}" || exit 1
+go=$(realpath @@GO@@)
+stat "${go}" >> /dev/null
+govulncheck=$(realpath @@GOVULNCHECK@@)
+stat "${govulncheck}" >> /dev/null
+
+cd "${BUILD_WORKSPACE_DIRECTORY}"
+
+###### script body ######

 submodules=$(${go} list -f '{{.Dir}}' -m)

--- a/bazel/ci/licenseheader.sh.in
+++ b/bazel/ci/licenseheader.sh.in
@ -2,7 +2,10 @@

 # Compare licenses of Go dependencies against a whitelist.

+###### script header ######
+
 lib=$(realpath @@BASE_LIB@@) || exit 1
+stat "${lib}" >> /dev/null || exit 1

 # shellcheck source=../sh/lib.bash
 if ! source "${lib}"; then
@ -10,7 +13,9 @@ if ! source "${lib}"; then
  exit 1
 fi

-cd "${BUILD_WORKSPACE_DIRECTORY}" || exit 1
+cd "${BUILD_WORKSPACE_DIRECTORY}"
+
+###### script body ######

 echo "Checking files for missing company license header..."

--- a/bazel/ci/shellcheck.sh.in
+++ b/bazel/ci/shellcheck.sh.in
@ -1,8 +1,9 @@
 #!/usr/bin/env bash

+###### script header ######
+
 lib=$(realpath @@BASE_LIB@@) || exit 1
-shfmt=$(realpath @@SHFMT@@) || exit 1
-shellcheck=$(realpath @@SHELLCHECK@@) || exit 1
+stat "${lib}" >> /dev/null || exit 1

 # shellcheck source=../sh/lib.bash
 if ! source "${lib}"; then
@ -10,7 +11,14 @@ if ! source "${lib}"; then
  exit 1
 fi

-cd "${BUILD_WORKSPACE_DIRECTORY}" || exit 1
+shfmt=$(realpath @@SHFMT@@)
+stat "${shfmt}" >> /dev/null
+shellcheck=$(realpath @@SHELLCHECK@@)
+stat "${shellcheck}" >> /dev/null
+
+cd "${BUILD_WORKSPACE_DIRECTORY}"
+
+###### script body ######

 scriptsStr=$(${shfmt} -f "${BUILD_WORKSPACE_DIRECTORY}")
 readarray -t <<< "${scriptsStr}"
--- a/bazel/ci/shfmt.sh.in
+++ b/bazel/ci/shfmt.sh.in
@ -1,7 +1,9 @@
 #!/usr/bin/env bash

+###### script header ######
+
 lib=$(realpath @@BASE_LIB@@) || exit 1
-shfmt=$(realpath @@SHFMT@@) || exit 1
+stat "${lib}" >> /dev/null || exit 1

 # shellcheck source=../sh/lib.bash
 if ! source "${lib}"; then
@ -9,7 +11,12 @@ if ! source "${lib}"; then
  exit 1
 fi

-cd "${BUILD_WORKSPACE_DIRECTORY}" || exit 1
+shfmt=$(realpath @@SHFMT@@)
+stat "${shfmt}" >> /dev/null
+
+cd "${BUILD_WORKSPACE_DIRECTORY}"
+
+###### script body ######

 scriptsStr=$(${shfmt} -f "${BUILD_WORKSPACE_DIRECTORY}")
 readarray -t <<< "${scriptsStr}"
--- a/bazel/ci/tf.sh.in
+++ b/bazel/ci/tf.sh.in
@ -1,8 +1,9 @@
 #!/usr/bin/env bash

+###### script header ######
+
 lib=$(realpath @@BASE_LIB@@) || exit 1
-terraform=$(realpath @@TERRAFORM@@) || exit 1
-mode="@@MODE@@" || exit 1
+stat "${lib}" >> /dev/null || exit 1

 # shellcheck source=../sh/lib.bash
 if ! source "${lib}"; then
@ -10,7 +11,13 @@ if ! source "${lib}"; then
  exit 1
 fi

-cd "${BUILD_WORKSPACE_DIRECTORY}" || exit 1
+terraform=$(realpath @@TERRAFORM@@)
+stat "${terraform}" >> /dev/null
+mode="@@MODE@@"
+
+cd "${BUILD_WORKSPACE_DIRECTORY}"
+
+###### script body ######

 readarray -t <<< "$(
  find "$(pwd)" -type f -name "*.tf" -exec dirname "{}" \; |
--- a/bazel/ci/tfsec.sh.in
+++ b/bazel/ci/tfsec.sh.in
@ -1,7 +1,9 @@
 #!/usr/bin/env bash

+###### script header ######
+
 lib=$(realpath @@BASE_LIB@@) || exit 1
-tfsec=$(realpath @@TFSEC@@) || exit 1
+stat "${lib}" >> /dev/null || exit 1

 # shellcheck source=../sh/lib.bash
 if ! source "${lib}"; then
@ -9,7 +11,12 @@ if ! source "${lib}"; then
  exit 1
 fi

-cd "${BUILD_WORKSPACE_DIRECTORY}" || exit 1
+tfsec=$(realpath @@TFSEC@@)
+stat "${tfsec}" >> /dev/null
+
+cd "${BUILD_WORKSPACE_DIRECTORY}"
+
+###### script body ######

 readarray -t <<< "$(find "$(pwd)" -type f -name "*.tf" -exec dirname "{}" \; | sort -ud)"
 terraformModules=("${MAPFILE[@]}")
--- a/bazel/ci/tidy.sh.in
+++ b/bazel/ci/tidy.sh.in
@ -1,7 +1,9 @@
 #!/usr/bin/env bash

+###### script header ######
+
 lib=$(realpath @@BASE_LIB@@) || exit 1
-go=$(realpath @@GO@@) || exit 1
+stat "${lib}" >> /dev/null || exit 1

 # shellcheck source=../sh/lib.bash
 if ! source "${lib}"; then
@ -9,7 +11,12 @@ if ! source "${lib}"; then
  exit 1
 fi

-cd "${BUILD_WORKSPACE_DIRECTORY}" || exit 1
+go=$(realpath @@GO@@)
+stat "${go}" >> /dev/null
+
+cd "${BUILD_WORKSPACE_DIRECTORY}"
+
+###### script body ######

 submodules=$(${go} list -f '{{.Dir}}' -m)

--- a/bazel/devbuild/prepare_developer_workspace.sh.in
+++ b/bazel/devbuild/prepare_developer_workspace.sh.in
@ -3,11 +3,10 @@
 # This script is run from the user's Constellation workspace (BUILD_WORKING_DIRECTORY).
 # It prepares the workspace by symlinking all required binaries into folder.

+###### script header ######
+
 lib=$(realpath @@BASE_LIB@@) || exit 1
-bootstrapper=$(realpath @@BOOTSTRAPPER@@) || exit 1
-upgrade_agent=$(realpath @@UPGRADE_AGENT@@) || exit 1
-cli=$(realpath @@CLI@@) || exit 1
-cdbg=$(realpath @@CDBG@@) || exit 1
+stat "${lib}" >> /dev/null || exit 1

 # shellcheck source=../sh/lib.bash
 if ! source "${lib}"; then
@ -15,7 +14,18 @@ if ! source "${lib}"; then
  exit 1
 fi

-cd "${BUILD_WORKING_DIRECTORY}" || exit 1
+bootstrapper=$(realpath @@BOOTSTRAPPER@@)
+stat "${bootstrapper}" >> /dev/null
+upgrade_agent=$(realpath @@UPGRADE_AGENT@@)
+stat "${upgrade_agent}" >> /dev/null
+cli=$(realpath @@CLI@@)
+stat "${cli}" >> /dev/null
+cdbg=$(realpath @@CDBG@@)
+stat "${cdbg}" >> /dev/null
+
+cd "${BUILD_WORKING_DIRECTORY}"
+
+###### script body ######

 if [[ $# -eq 0 ]]; then
  workdir="."
--- a/internal/attestation/measurements/measurement-generator/generate.go
+++ b/internal/attestation/measurements/measurement-generator/generate.go
@ -1,5 +1,6 @@
 /*
 Copyright (c) Edgeless Systems GmbH
+
 SPDX-License-Identifier: AGPL-3.0-only
 */