🙈 Exclude personal information in generated config (#468)

* Prevent personal info in config - **There is no incident!** Maybe a preparation part for #243 * Split container CI/CD steps for readability * Respect XDG_ structure in stack. Resolves #142 * Fix to handle shell boolean in happy path * Fix to handle in boolean more! * Need to turn off set -e temporal
kachick · Mar 12, 2024 · 6f1b9f7 · 6f1b9f7
1 parent 0e26a09
commit 6f1b9f7
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 11 deletions.
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
@@ -71,19 +71,47 @@ jobs:
           containerfiles: |
             containers/Containerfile
           oci: true
-      - name: Run and commit Nix operations by the user while running the systemd
+      - name: Start systemd
+        id: start-systemd
         run: |
           set -euxo pipefail
           container_id="$(podman run --detach --rm systemd-prepared)"
-          sleep 2 # Wait for the systemd to be ready
-          podman exec --user=user -it "$container_id" /provisioner/needs_systemd.bash
-          podman exec --user=root -it "$container_id" rm -rf /provisioner
-          podman commit "$container_id" home
-          podman kill "$container_id"
+          echo container_id="$container_id" | tee -a "$GITHUB_OUTPUT"
+      - name: Wait for the systemd to be ready
+        run: 'sleep 2'
+      - name: Run Nix commands and cleanup provisioners
+        run: |
+          set -euxo pipefail
+          podman exec --user=user -it '${{ steps.start-systemd.outputs.container_id }}' /provisioner/needs_systemd.bash
+          podman exec --user=root -it '${{ steps.start-systemd.outputs.container_id }}' rm -rf /provisioner
+      - name: Check no personal name in that config
+        run: |
+          # https://unix.stackexchange.com/a/340729
+          assign_stdin_to_global_command_variable() {
+            command="$(cat)"
+          }
+
+          assign_stdin_to_global_command_variable <<'EOF'
+          set -uxo
+          # https://unix.stackexchange.com/questions/311090/how-to-disable-set-x
+          set +e
+          /home/user/.nix-profile/bin/rg --hidden --follow --glob='!.local/state' --glob='!.nix-*' --pcre2 --regexp '${{ github.repository_owner }}(?!/dotfiles)'
+          # Need to check the exit code if we want to make sure "not found" in grep family
+          # https://github.com/BurntSushi/ripgrep/issues/1290#issuecomment-761170095
+
+          ripgrep_exit_code="$?" # Do not directly use the $? to prevent inseting another command as a human error
+          [[ "$ripgrep_exit_code" -eq 1 ]]
+          EOF
+
+          podman exec --user=user --workdir=/home/user -it '${{ steps.start-systemd.outputs.container_id }}' bash -c "$command"
+      - name: Persist the container to image
+        run: |
+          podman commit '${{ steps.start-systemd.outputs.container_id }}' home
+          podman kill '${{ steps.start-systemd.outputs.container_id }}'
           podman tag home home:latest
           podman tag home home:${{ github.sha }}
           podman tag home home:${{ needs.get-meta.outputs.started_at }}
-      - name: Test output image
+      - name: Test the created image
         run: |
           set -euxo pipefail
           container_id="$(podman run --detach --rm home:${{ needs.get-meta.outputs.started_at }})"

diff --git a/home-manager/common.nix b/home-manager/common.nix
@@ -48,6 +48,8 @@
 
       # https://github.com/coreos/bugs/issues/365#issuecomment-105638617
       LESSCHARSET = "utf-8";
+
+      STACK_XDG = "https://github.com/commercialhaskell/stack/blob/72f0a1273dd1121740501a159988fc23df2fb362/doc/stack_root.md?plain=1#L7-L11";
     };
 
     sessionPath = [
@@ -110,10 +112,6 @@
 
   home.file.".hushlogin".text = "This file disables daily login message. Not depend on this text.";
 
-  # - stack manager can not found in https://github.com/nix-community/home-manager/tree/8d243f7da13d6ee32f722a3f1afeced150b6d4da/modules/programs
-  # - https://github.com/kachick/dotfiles/issues/142
-  home.file.".stack/config.yaml".source = ../config/stack/config.yaml;
-
   # Should have `root = true` in the file. - https://github.com/kachick/anylang-template/blob/45d7ef685ac4fd3836c3b32b8ce8fb45e909b771/.editorconfig#L1
   # Intentionally avoided to use https://github.com/nix-community/home-manager/blob/f58889c07efa8e1328fdf93dc1796ec2a5c47f38/modules/misc/editorconfig.nix
   home.file.".editorconfig".source =

diff --git a/home-manager/kachick.nix b/home-manager/kachick.nix
@@ -30,4 +30,10 @@
       default-key = "9BE4016A38165CCB";
     };
   };
+
+  # - stack manager can not found in https://github.com/nix-community/home-manager/tree/8d243f7da13d6ee32f722a3f1afeced150b6d4da/modules/programs
+  xdg.configFile."stack" = {
+    source = ../config/stack;
+    recursive = true;
+  };
 }