Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Build using nix #182

Open
wants to merge 8 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .envrc.example
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
# use https://github.com/nix-community/nix-direnv to load all tools needed to develop in the repository
# $ cp .envrc.example .envrc
# $ direnv allow .
use flake --impure .

# alternatively just use `nix develop` or `nix-shell`
33 changes: 33 additions & 0 deletions .github/workflows/nix-auto.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
name: Nix Flake actions

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

No explicit permissions set for at the workflow level (...read more)

Datadog’s GitHub organization defines default permissions for the GITHUB_TOKEN to be restricted (contents:read, metadata:read, and packages:read).

Your repository may require a different setup, so consider defining permissions for each job following the least privilege principle to restrict the impact of a possible compromise.

You can find the list of all possible permissions in Workflow syntax for GitHub Actions - GitHub Docs. They can be defined at the job or the workflow level.

View in Datadog  Leave us feedback  Documentation


on:
pull_request:
push:
branches:
- master
- main

jobs:
nix-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@v4
- uses: cachix/install-nix-action@v27
- id: set-matrix
name: Generate Nix Matrix
run: |
set -Eeu
matrix="$(nix eval --json '.#githubActions.matrix')"
echo "matrix=$matrix" >> "$GITHUB_OUTPUT"

nix:
needs: nix-matrix
runs-on: ${{ matrix.os }}
strategy:
matrix: ${{fromJSON(needs.nix-matrix.outputs.matrix)}}
steps:
- uses: actions/checkout@v4

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

View in Datadog  Leave us feedback  Documentation

- uses: cachix/install-nix-action@v27

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

View in Datadog  Leave us feedback  Documentation

- run: nix build -L '.#githubActions.checks.${{ matrix.attr }}'
7 changes: 7 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -37,3 +37,10 @@ htmlcov/
.coverage
.coverage.*
.cache

# Automated dev env setup - see .envrc.example
/.envrc
/.direnv/

# nix
/result
32 changes: 32 additions & 0 deletions ddsketch.nix
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
{ python, pkgs, ... }:
python.pkgs.buildPythonPackage rec {
name = "ddsketch";
version = "3.0.1";

src = pkgs.fetchFromGitHub {
owner = "datadog";
repo = "sketches-py";
rev = "refs/tags/v${version}";
hash = "sha256-SmdKq5aXi5B3FNBxPQDNKNBujGGEPXF132YGadGFPpo=";
};

propagatedBuildInputs = with python.pkgs; [
six
protobuf
setuptools
];
nativeBuildInputs = with python.pkgs; [ setuptools_scm ];
checkInputs = with python.pkgs; [
pytest
numpy
];
env.SETUPTOOLS_SCM_PRETEND_VERSION = version;

pythonImportsCheck = [ "ddsketch" ];

postPatch = ''
patchShebangs setup.py
ls -lah
echo version=\"${version}\" > ddsketch/__version.py
'';
}
71 changes: 71 additions & 0 deletions ddtrace.nix
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
{
python,
pkgs,
ddsketch,
...
}:

let
envier = python.pkgs.buildPythonPackage rec {
pname = "envier";
version = "0.5.2";

pyproject = true;
propagatedBuildInputs = with python.pkgs; [
hatchling
hatch-vcs
];

src = pkgs.fetchPypi {
inherit pname version;
sha256 = "sha256-Tn45jLCajdNgUI734SURoVI1VCbSVEuEh6NNrSfMIK0=";
};
};

ddtrace = python.pkgs.buildPythonPackage rec {
pname = "ddtrace";
version = "2.9.2";
pyproject = true;

nativeBuildInputs =
[ pkgs.cmake ]
++ (with python.pkgs; [
cmake
setuptools
setuptools_scm
cython
])
++ pkgs.lib.optionals pkgs.stdenv.isDarwin [ pkgs.darwin.apple_sdk.frameworks.IOKit ];

propagatedBuildInputs = with python.pkgs; [
attrs
cattrs
ddsketch
envier
opentelemetry-api
protobuf
six
xmltodict
bytecode
];

postPatch = ''
substituteInPlace setup.py --replace "cmake>=3.24.2,<3.28" "cmake"

# downloading artifacts is impossible in sandboxed build
substituteInPlace setup.py --replace "cls.download_artifacts()" "pass"

substituteInPlace pyproject.toml --replace "cmake>=3.24.2,<3.28" "cmake"
'';

dontUseCmakeConfigure = true;

src = pkgs.fetchFromGitHub {
owner = "datadog";
repo = "dd-trace-py";
rev = "refs/tags/v${version}";
hash = "sha256-Ax220/uBNwSZNBFYxbxAe0rmLrqYYf3a8K/PIuSE150=";
};
};
in
(ddtrace)
201 changes: 201 additions & 0 deletions flake.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading