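// Copyright 2023 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package task

import (
	"fmt"

	"golang.org/x/build/gerrit"
	wf "golang.org/x/build/internal/workflow"
)

// This file contains a workflow definition for updating the X.509 root bundle
// in golang.org/x/crypto/x509roots. It is intended to be recurring, using the
// cron mechanism, in order to keep the bundle up to date with the upstream
// Mozilla NSS source.
//
// The bundle is a set of trust anchors, so this is a supply-chain-sensitive
// path: the task below regenerates the bundle on Cloud Build and proposes the
// result as a CL, but nothing in this file inspects or validates the generated
// file. Whatever approval CreateAutoSubmitChange requires before the change is
// submitted is the gate on which roots ship.

// BundleNSSRootsTask holds the clients needed to regenerate the NSS root
// bundle and propose the result as a Gerrit CL.
type BundleNSSRootsTask struct {
	// Gerrit is used to look for an existing pending update CL and to
	// create the new one.
	Gerrit GerritClient
	// CloudBuild runs `go generate` in the x/crypto repository and returns
	// the regenerated bundle file.
	CloudBuild CloudBuildClient
}

// NewDefinition returns the workflow definition: a single task that takes the
// reviewers to assign to the CL and exposes its result as the "done" output
// (the created change ID or a short status string; see UpdateBundle).
func (x *BundleNSSRootsTask) NewDefinition() *wf.Definition {
	wd := wf.New()
	// reviewersParam is presumably the package-wide reviewers parameter
	// shared with the other workflow definitions in this package.
	reviewers := wf.Param(wd, reviewersParam)

	done := wf.Task1(wd, "Update bundle", x.UpdateBundle, reviewers)

	// TODO(roland): In the future we may want to block this workflow on the
	// submission of the resulting CL (if there is one), and then tag the
	// x/crypto/x509roots submodule, and possibly also publish a vulndb entry in
	// order to force pickup of the new version. At that point we probably want
	// to use the existing AwaitCL functionality.

	wf.Output(wd, "done", done)

	return wd
}

// clTitle is the subject line of the generated CL. It doubles as the key used
// to detect an already-pending update CL, so changing it would let a new
// update be proposed alongside any older pending one.
const clTitle = "x509roots/fallback: update bundle"

// UpdateBundle regenerates the NSS root bundle and proposes it as a CL.
//
// It returns the ID of the created change, "skipped, existing pending bundle
// update CL" when a recently touched open CL with the same title already
// exists, or "no diff" when the regenerated bundle produced no change.
// Errors from Gerrit or Cloud Build are returned wrapped with context.
func (x *BundleNSSRootsTask) UpdateBundle(ctx *wf.TaskContext, reviewers []string) (string, error) {
	// Avoid stacking up duplicate CLs: if the bot already has an open bundle
	// update that was touched within the last 14 days, do nothing. The -age:14d
	// term is what lets a long-stale open CL stop blocking updates (Gerrit
	// query semantics; confirm). NOTE(review): this assumes the workflow
	// authenticates to Gerrit as gobot@golang.org; if that identity changes,
	// the owner: term stops matching and duplicate CLs will be created.
	query := fmt.Sprintf(`message:%q status:open owner:gobot@golang.org repo:crypto -age:14d`, clTitle)
	changes, err := x.Gerrit.QueryChanges(ctx, query)
	if err != nil {
		return "", fmt.Errorf("querying gerrit for pending bundle update CLs: %w", err)
	}
	if len(changes) != 0 {
		return "skipped, existing pending bundle update CL", nil
	}

	// Regenerate the bundle on Cloud Build. Only the generated file is
	// collected from the build; its contents are not inspected here, so the
	// CL review is where the new root set gets scrutinized.
	build, err := x.CloudBuild.RunScript(ctx, "cd x509roots && go generate", "crypto", []string{"x509roots/fallback/bundle.go"})
	if err != nil {
		return "", fmt.Errorf("running go generate for x509roots: %w", err)
	}
	files, err := buildToOutputs(ctx, x.CloudBuild, build)
	if err != nil {
		return "", fmt.Errorf("collecting generated bundle from build: %w", err)
	}

	changeInput := gerrit.ChangeInput{
		Project: "crypto",
		Subject: fmt.Sprintf("%s\n\nThis is an automated CL which updates the NSS root bundle.", clTitle),
		Branch:  "master",
	}

	// An empty change ID is how the client reports that there was nothing to
	// change (hence the "no diff" result below).
	changeID, err := x.Gerrit.CreateAutoSubmitChange(ctx, changeInput, reviewers, files)
	if err != nil {
		return "", fmt.Errorf("creating bundle update CL: %w", err)
	}
	if changeID == "" {
		return "no diff", nil
	}
	return changeID, nil
}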