Merge pull request #1 from grapl-security/cm/initial-implementation

Initial plugin implementation

.buildkite/pipeline.verify.yml

@@ -0,0 +1,65 @@
+---
+env:
+  PANTS_CONFIG_FILES: "['pants.toml', 'pants.ci.toml']"
+  BUILDKITE_PLUGIN_VAULT_ENV_SECRET_PREFIX: "secret/data/buildkite/env"
+
+steps:
+  - label: ":jeans: All files are covered by Pants"
+    command:
+      - ./pants tailor --check
+
+  - group: ":lint-roller: Lints"
+    steps:
+      - label: ":docker: Lint Dockerfile"
+        command:
+          - make lint-docker
+
+      - label: ":jeans: Lint BUILD files"
+        command:
+          - make lint-build-files
+
+      - label: "Lint HCL"
+        command:
+          - make lint-hcl
+
+      - label: ":buildkite: Lint Plugin"
+        command:
+          - make lint-plugin
+
+      - label: ":bash: Lint Shell"
+        command:
+          - make lint-shell
+        plugins:
+          - grapl-security/vault-login#v0.1.2
+          - grapl-security/vault-env#v0.1.0:
+              secrets:
+                - pypi-buildkite-plugin/TOOLCHAIN_AUTH_TOKEN
+
+  - label: ":buildkite: Test Plugin"
+    command:
+      - make test-plugin
+
+  - label: ":buildkite: Plugin Integration Test"
+    key: integration-test
+    plugins:
+      - improbable-eng/metahook#v0.4.1:
+          pre-command: |
+            make --directory=integration build-pkg start-pypiserver
+          # NOTE: post-command runs directly on the agent, not in a container
+          post-command: |
+            pip3 search --index=http://localhost:8080 testpkg
+          pre-exit: |
+            make --directory=integration shutdown-pypiserver
+      - "grapl-security/pypi#${BUILDKITE_COMMIT}":
+          file: integration/dist/*
+          repository-url: http://host.docker.internal:8080
+          username: PyPIUser
+          password-envvar: TEST_USER_PASSWORD
+          # TODO: use the image from *this commit*
+    env:
+      # See integration/auth/README.md
+      TEST_USER_PASSWORD: sooperseekrit
+
+  - label: ":docker: Build Image"
+    command:
+      - make image

.gitignore

@@ -0,0 +1,2 @@
+.pants.d
+.pids

.gitpod.yml

@@ -0,0 +1,16 @@
+---
+image:
+  file: .gitpod/Dockerfile
+  context: .gitpod
+
+tasks:
+  # This will bootstrap Pants, download tools, and pull images
+  - before: make
+
+vscode:
+  extensions:
+    - bungcip.better-toml
+    - eamodio.gitlens
+    - mads-hartmann.bash-ide-vscode
+    - mhutchie.git-graph
+    - ms-azuretools.vscode-docker

.gitpod/.bashrc.d/100-setup

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+# Customizations to the Bash environment in our Gitpod container.
+#
+# Should be added to `/home/gitpod/.bashrc.d` to take effect.
+########################################################################
+
+# The `gitpod/workspace-full` image currently sets `PIP_USER=yes` in
+# the environment, which causes problems with Pants' bootstrapping
+# logic. The easy fix is to simply unset it.
+#
+# Some background can be found at
+# https://github.com/gitpod-io/gitpod/issues/4886
+unset PIP_USER
+
+# Configure Pants Caches
+########################################################################
+# Normally, Pants stores its caches in your home directory. However,
+# in Gitpod, this directory is not preserved between workspace
+# restarts. This means that each time you open a workspace and run
+# Pants, you have to bootstrap all over again. You also can't benefit
+# from anything that was cached previously.
+#
+# We can set a few environment variables to stash this data in
+# `/workspace`, which *is* preserved. We're also setting these
+# variables here to ensure they are in effect for all users, and at
+# all times (e.g., setting it in `.gitpod.yml` under `tasks[n].env`
+# doesn't quite do what we want because that only covers a single
+# terminal session).
+export PANTS_SETUP_CACHE=/workspace/pants-cache/setup
+export PANTS_LOCAL_STORE_DIR=/workspace/pants-cache/lmdb_store
+export PANTS_NAMED_CACHES_DIR=/workspace/pants-cache/named_caches

.gitpod/BUILD

@@ -0,0 +1,3 @@
+docker_image(
+    name="gitpod-image",
+)

.gitpod/Dockerfile

@@ -0,0 +1,7 @@
+FROM gitpod/workspace-full:2022-04-01-12-31-37
+
+USER gitpod
+
+RUN npm install --global [email protected]
+
+COPY .bashrc.d/* /home/gitpod/.bashrc.d/

BUILD

@@ -0,0 +1,3 @@
+docker_image(
+    name="twine",
+)

Dockerfile

@@ -0,0 +1,7 @@
+FROM python:3.10.4-slim-bullseye
+
+ARG TWINE_VERSION
+RUN pip install --no-cache-dir twine==${TWINE_VERSION}
+
+USER nobody
+ENTRYPOINT ["twine"]

Makefile

@@ -0,0 +1,95 @@
+DOCKER_COMPOSE_CHECK := docker-compose run --rm
+NONROOT_DOCKER_COMPOSE_CHECK := $(DOCKER_COMPOSE_CHECK) --user=$(shell id --user):$(shell id --group)
+
+PANTS_SHELL_FILTER := ./pants filter --target-type=shell_sources,shunit2_tests :: | xargs ./pants
+
+.DEFAULT_GOAL=all
+
+.PHONY: all
+all: format
+all: lint
+all: test
+all: image
+all: ## Run all operations
+
+.PHONY: help
+help: ## Print this help
+	@awk 'BEGIN {FS = ":.*##"; printf "Usage: make <target>\n"} \
+		 /^[a-zA-Z0-9_-]+:.*?##/ { printf "  %-46s %s\n", $$1, $$2 } \
+		 /^##@/ { printf "\n%s\n", substr($$0, 5) } ' \
+		 $(MAKEFILE_LIST)
+	@printf '\n'
+
+##@ Formatting
+########################################################################
+
+.PHONY: format
+format: format-build-files
+format: format-hcl
+format: format-shell
+format: ## Automatically format all code
+
+.PHONY: format-build-files
+format-build-files: ## Format Pants BUILD files
+	./pants update-build-files
+
+.PHONY: format-hcl
+format-hcl: ## Format HCL files
+	$(NONROOT_DOCKER_COMPOSE_CHECK) hcl-formatter
+
+.PHONY: format-shell
+format-shell: ## Format shell scripts
+	$(PANTS_SHELL_FILTER) fmt
+
+##@ Linting
+########################################################################
+
+.PHONY: lint
+lint: lint-docker
+lint: lint-build-files
+lint: lint-hcl
+lint: lint-plugin
+lint: lint-shell
+lint: ## Perform lint checks on all files
+
+.PHONY: lint-build-files
+lint-build-files: ## Lint Pants BUILD files
+	./pants update-build-files --check
+
+.PHONY: lint-docker
+lint-docker:  ## Lint Dockerfiles
+	./pants filter --target-type=docker_image :: | xargs ./pants lint
+
+.PHONY: lint-hcl
+lint-hcl: ## Lint HCL files
+	$(DOCKER_COMPOSE_CHECK) hcl-linter
+
+.PHONY: lint-plugin
+lint-plugin: ## Lint the Buildkite plugin metadata
+	$(DOCKER_COMPOSE_CHECK) plugin-linter
+
+.PHONY: lint-shell
+lint-shell: ## Lint the shell scripts
+	$(PANTS_SHELL_FILTER) lint
+
+##@ Testing
+########################################################################
+
+.PHONY: test
+test: test-plugin
+test: ## Run all tests
+
+.PHONY: test-plugin
+test-plugin:  ## Test the Buildkite plugin locally (does *not* run a Buildkite pipeline)
+	$(DOCKER_COMPOSE_CHECK) plugin-tester
+
+##@ Container Images
+########################################################################
+
+.PHONY: image
+image: ## Build the `twine` container image
+	docker buildx bake
+
+.PHONY: image-push
+image-push: ## Build *and* push the `twine` container image to a repository
+	docker buildx bake --push