From 407c5f07a7cb2652050db0ef28568a6dcb47c7de Mon Sep 17 00:00:00 2001 From: ahuston-0 Date: Tue, 18 Mar 2025 15:31:05 -0400 Subject: [PATCH] remove wheel preference, add CI --- .github/workflows/flake-health-checks.yml | 47 +++++++++ .github/workflows/flake-update.yml | 112 ++++++++++++++++++++++ .github/workflows/lock-health-checks.yml | 16 ++++ .github/workflows/nix-fmt.yml | 25 +++++ flake.lock | 10 +- flake.nix | 12 +-- utils/attic-push.bash | 26 +++++ utils/attic-token.bash | 36 +++++++ utils/attic-utils.bash | 13 +++ utils/diff-evals.sh | 13 +++ utils/eval-to-drv.sh | 19 ++++ utils/fetch-docker.sh | 23 +++++ utils/manual-update.sh | 11 +++ utils/new.yaml | 14 +++ utils/old.yaml | 10 ++ utils/requirements.txt | 1 + utils/sops-add-machine.py | 20 ++++ utils/sops-mergetool-new.sh | 67 +++++++++++++ utils/sops-mergetool.sh | 88 +++++++++++++++++ 19 files changed, 552 insertions(+), 11 deletions(-) create mode 100644 .github/workflows/flake-health-checks.yml create mode 100644 .github/workflows/flake-update.yml create mode 100644 .github/workflows/lock-health-checks.yml create mode 100644 .github/workflows/nix-fmt.yml create mode 100755 utils/attic-push.bash create mode 100755 utils/attic-token.bash create mode 100644 utils/attic-utils.bash create mode 100755 utils/diff-evals.sh create mode 100755 utils/eval-to-drv.sh create mode 100755 utils/fetch-docker.sh create mode 100755 utils/manual-update.sh create mode 100644 utils/new.yaml create mode 100644 utils/old.yaml create mode 100644 utils/requirements.txt create mode 100755 utils/sops-add-machine.py create mode 100755 utils/sops-mergetool-new.sh create mode 100755 utils/sops-mergetool.sh diff --git a/.github/workflows/flake-health-checks.yml b/.github/workflows/flake-health-checks.yml new file mode 100644 index 0000000..c0cea76 --- /dev/null +++ b/.github/workflows/flake-health-checks.yml 
@@ -0,0 +1,47 @@
+name: "Check Nix flake"
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["main"]
+ merge_group:
+jobs:
+ health-check:
+ name: "Perform Nix flake checks"
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ os: [ubuntu-latest]
+ steps:
+ - uses: DeterminateSystems/nix-installer-action@main
+ - name: Setup Attic cache
+ uses: ryanccn/attic-action@v0
+ with:
+ endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+ cache: ${{ secrets.ATTIC_CACHE }}
+ token: ${{ secrets.ATTIC_TOKEN }}
+ skip-push: "true"
+ - uses: actions/checkout@v4
+ - run: nix flake check --accept-flake-config
+ - run: nix ./utils/attic-push.bash
+ build-checks:
+ name: "Build nix outputs"
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ os: [ubuntu-latest]
+ steps:
+ - uses: DeterminateSystems/nix-installer-action@main
+ - name: Setup Attic cache
+ uses: ryanccn/attic-action@v0
+ with:
+ endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+ cache: ${{ secrets.ATTIC_CACHE }}
+ token: ${{ secrets.ATTIC_TOKEN }}
+ skip-push: "true"
+ - uses: actions/checkout@v4
+ - name: Build all outputs
+ run: nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --build .
+ - name: Push to Attic
+ run: nix ./utils/attic-push.bash
+ continue-on-error: true
diff --git a/.github/workflows/flake-update.yml b/.github/workflows/flake-update.yml
new file mode 100644
index 0000000..b50bb41
--- /dev/null
+++ b/.github/workflows/flake-update.yml
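Review bot: `nix flake check --accept-flake-config` accepts without prompting whatever `nixConfig` the checked-out flake declares (extra substituters, trusted public keys, sandbox settings), and the job runs on `pull_request` with `secrets.ATTIC_TOKEN` mounted, so — to the extent this forge exposes secrets to PR runs — the settings the build runs under are PR-controlled; drop the flag, or accept it only on `push` to `main` where the config has been reviewed. All third-party code in these jobs is fetched from mutable refs (`DeterminateSystems/nix-installer-action@main`, `ryanccn/attic-action@v0`, and `nix run git+https://nayeonie.com/ahuston-0/flake-update-diff` with no `?rev=`), so what executes next to the cache token is whatever those remotes serve today; pin the actions to a full commit SHA (`uses: DeterminateSystems/nix-installer-action@<sha> # vX.Y`) and the flake to `git+https://…/flake-update-diff?rev=<commit>`. Both jobs end with `nix ./utils/attic-push.bash`, which uploads from a runner that has just built PR-supplied derivations into the shared cache; if other machines trust `ATTIC_CACHE`, gate that step with `if: github.event_name != 'pull_request'` so only reviewed commits populate it.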
@@ -0,0 +1,112 @@
+name: "Update flakes"
+on:
+ repository_dispatch:
+ workflow_dispatch:
+ schedule:
+ - cron: "00 12 * * *"
+jobs:
+ update_lockfile:
+ runs-on: ubuntu-latest
+ #if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Install nix
+ uses: https://github.com/DeterminateSystems/nix-installer-action@main
+ - name: Setup Attic cache
+ uses: ryanccn/attic-action@v0
+ with:
+ endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+ cache: ${{ secrets.ATTIC_CACHE }}
+ token: ${{ secrets.ATTIC_TOKEN }}
+ skip-push: "true"
+ - name: Get pre-snapshot of evaluations
+ run: nix ./utils/eval-to-drv.sh pre
+ - name: Update flake.lock
+ id: update
+ run: |
+ nix flake update 2> >(tee /dev/stderr) | awk '
+ /^• Updated input/ {in_update = 1; print; next}
+ in_update && !/^warning:/ {print}
+ /^$/ {in_update = 0}
+ ' > update.log
+
+ echo "UPDATE_LOG<> $GITHUB_ENV
+ cat update.log >> $GITHUB_ENV
+ echo "EOF" >> $GITHUB_ENV
+
+ rm update.log
+ - name: Get post-snapshot of evaluations
+ run: nix ./utils/eval-to-drv.sh post
+ - name: Calculate diff
+ run: nix ./utils/diff-evals.sh
+ - name: Read file contents
+ id: read_file
+ uses: guibranco/github-file-reader-action-v2@latest
+ with:
+ path: "post-diff"
+ - name: Write PR body template
+ uses: https://github.com/DamianReeves/write-file-action@v1.3
+ with:
+ path: pr_body.template
+ contents: |
+ - The following Nix Flake inputs were updated:
+
+ ```
+ ${{ env.UPDATE_LOG }}
+ ```
+
+ ```
+ ${{ steps.read_file.outputs.contents }}
+ ```
+
+ Auto-generated by [update.yml][1] with the help of
+ [create-pull-request][2].
+
+ [1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
+ [2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
+ - name: Generate PR body
+ uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0
+ with:
+ files: "pr_body.template"
+ output-filename: "pr_body.md"
+ - name: Save PR body
+ id: pr_body
+ uses: juliangruber/read-file-action@v1
+ with:
+ path: "pr_body.md"
+ - name: Remove temporary files
+ run: |
+ rm pr_body.template
+ rm pr_body.md
+ rm pre.json
+ rm post.json
+ rm post-diff
+ - name: Create Pull Request
+ id: create-pull-request
+ # uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
+ uses: https://nayeonie.com/ahuston-0/create-pull-request@main
+ with:
+ token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
+ body: ${{ steps.pr_body.outputs.content }}
+ author: '"github-actions[bot]" '
+ title: 'automated: Update `flake.lock`'
+ commit-message: |
+ automated: Update `flake.lock`
+
+ ${{ steps.pr_body.outputs.content }}
+ branch: update-flake-lock
+ delete-branch: true
+ pr-labels: | # Labels to be set on the PR
+ dependencies
+ automated
+ - name: Push to Attic
+ run: nix ./utils/attic-push.bash
+ continue-on-error: true
+ - name: Print PR number
+ run: |
+ echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}."
+ echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
+permissions:
+ pull-requests: write
+ contents: write
diff --git a/.github/workflows/lock-health-checks.yml b/.github/workflows/lock-health-checks.yml
new file mode 100644
index 0000000..38734e2
--- /dev/null
+++ b/.github/workflows/lock-health-checks.yml
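Review bot: The `Update flake.lock` step stores a multi-line value in `$GITHUB_ENV` with a fixed terminator — `echo "EOF" >> $GITHUB_ENV` closes what is rendered here as `UPDATE_LOG<>` and is presumably a `UPDATE_LOG<<EOF` heredoc — and the body is free-form `nix flake update` output; any captured line equal to `EOF` ends the value early and every following line is parsed as a new `NAME=value` for all later steps of the job. Use a per-run delimiter, e.g. `delim="UPDATE_LOG_$(openssl rand -hex 16)"` with `echo "UPDATE_LOG<<$delim"` / `echo "$delim"`, or hand the log over as a file instead of an env var. The `Print PR number` step reads `steps.cpr.outputs.pull-request-url`, but the step id is `create-pull-request`, so the URL line always prints empty; and `${{ … }}` expansions inside `run:` should be passed through `env:` rather than spliced into the shell text. Note also that `secrets.GH_TOKEN_FOR_UPDATES` (a token used with `contents: write`) is handed to `ahuston-0/create-pull-request@main`, an unpinned branch of a personal mirror, while the commented-out line just above already carried a commit pin — prefer the pinned form.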
@@ -0,0 +1,16 @@
+name: "Check flake.lock"
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["main"]
+ merge_group:
+jobs:
+ health-check:
+ name: "Check health of `flake.lock`"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: DeterminateSystems/flake-checker-action@main
+ with:
+ fail-mode: true
diff --git a/.github/workflows/nix-fmt.yml b/.github/workflows/nix-fmt.yml
new file mode 100644
index 0000000..f94cbea
--- /dev/null
+++ b/.github/workflows/nix-fmt.yml
@@ -0,0 +1,25 @@
+name: "Check Nix formatting"
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["main"]
+ merge_group:
+jobs:
+ health-check:
+ name: "Perform Nix format checks"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: DeterminateSystems/nix-installer-action@main
+ - name: Setup Attic cache
+ uses: ryanccn/attic-action@v0
+ with:
+ endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+ cache: ${{ secrets.ATTIC_CACHE }}
+ token: ${{ secrets.ATTIC_TOKEN }}
+ skip-push: "true"
+ - uses: actions/checkout@v4
+ - run: nix fmt -- --check .
+ - name: Push to Attic
+ run: nix ./utils/attic-push.bash
+ continue-on-error: true
diff --git a/flake.lock b/flake.lock
index 06feeed..22cdeb2 100644
--- a/flake.lock
+++ b/flake.lock
@@ -96,15 +96,15 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1741455743,
- "narHash": "sha256-raXtjhD9mmNrVdCoJkYoUo0X2lhEyIZYQ6M7uUp/Uuc=",
- "owner": "NixOS",
+ "lastModified": 1742276595,
+ "narHash": "sha256-bsg9y3NoMGu0jgTI5XbxvzQFc9JtZB51i500WlVws80=",
+ "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "c1ee2620296430ac1e3ee72583ad0191463a9d60",
+ "rev": "2b3795787eba0066a2bc8bba7362422e5713840f",
 "type": "github"
 },
 "original": {
- "owner": "NixOS",
+ "owner": "nixos",
 "ref": "nixos-unstable-small",
 "repo": "nixpkgs",
 "type": "github"
diff --git a/flake.nix b/flake.nix
index 7192131..34ffce7 100644
--- a/flake.nix
+++ b/flake.nix
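Review bot: The `Push to Attic` step in `nix-fmt.yml` runs in a job that builds nothing from this flake (`nix fmt -- --check .`), yet `utils/attic-push.bash` uploads the runner's whole store (`nix path-info --all`) with the write-capable `ATTIC_TOKEN`; remove the push step here and keep the cache read-only (`skip-push: "true"` is already set — if `attic-action` accepts a pull-only token, use one). With `continue-on-error: true` any push failure is swallowed, so a misconfigured or revoked token is never surfaced by this workflow either. As in the sibling workflows, `DeterminateSystems/nix-installer-action@main` and `ryanccn/attic-action@v0` are mutable refs — pin them to a commit SHA.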
@@ -21,7 +21,7 @@ inputs = { flake-utils.url = "github:numtide/flake-utils"; - nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small"; poetry2nix = { url = "github:nix-community/poetry2nix"; inputs.nixpkgs.follows = "nixpkgs"; @@ -51,13 +51,13 @@ pkgs = nixpkgs.legacyPackages.${system}.extend poetry2nix.overlays.default; overrides = pkgs.poetry2nix.overrides.withDefaults ( - _final: prev: { + _final: _prev: { # prefer binary wheels instead of source distributions for rust based dependencies # avoids needing to build them from source. technically a security risk - polars = prev.polars.override { preferWheel = true; }; - ruff = prev.ruff.override { preferWheel = true; }; - greenlet = prev.greenlet.override { preferWheel = true; }; - sqlalchemy = prev.sqlalchemy.override { preferWheel = true; }; + #polars = prev.polars.override { preferWheel = true; }; + #ruff = prev.ruff.override { preferWheel = true; }; + #greenlet = prev.greenlet.override { preferWheel = true; }; + #sqlalchemy = prev.sqlalchemy.override { preferWheel = true; }; } ); diff --git a/utils/attic-push.bash b/utils/attic-push.bash new file mode 100755 index 0000000..01aa79f --- /dev/null +++ b/utils/attic-push.bash 
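Review bot: In the second hunk the `withDefaults` overlay becomes an empty attrset carrying four commented-out `preferWheel` overrides under a comment that still describes the disabled behaviour ("prefer binary wheels … technically a security risk"), so a later reader cannot tell whether source builds are deliberate; either delete the dead lines together with the stale comment, or replace the comment with the decision, e.g. `# build polars/ruff/greenlet/sqlalchemy from source: the preferWheel overrides were removed because prebuilt wheels were judged a security risk`. If the overlay is kept as an extension point, `_final: _prev: { }` with a one-line `# no overrides yet` reads cleaner than commented code. The first hunk's `NixOS` → `nixos` owner change is harmless as the lock's `rev` and `narHash` still pin the content.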
@@ -0,0 +1,26 @@
+#!/usr/bin/env nix
+#! nix shell nixpkgs#bash nixpkgs#jq nixpkgs#gnused nixpkgs#nixVersions.latest nixpkgs#attic-client --command bash
+
+#set -x
+#set -v
+set -e
+
+# retrieve all paths under 2G
+# nix_paths=$(nix path-info --json --all --closure-size \
+# | jq 'map_values(.closureSize | select(. < 2e9)) | to_entries | sort_by(.value)' \
+# | jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
+
+# retrieve all paths
+nix_paths=$(nix path-info --json --all --closure-size |
+ jq 'map_values(.closureSize | select(true)) | to_entries | sort_by(.value)' |
+ jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
+
+readarray -t nix_path_array < <(echo "$nix_paths")
+
+batchsize=1000
+
+for ((i = 0; i < ${#nix_path_array[@]}; i += batchsize)); do
+ part=("${nix_path_array[@]:i:batchsize}")
+
+ attic push nix-cache "${part[@]}"
+done
diff --git a/utils/attic-token.bash b/utils/attic-token.bash
new file mode 100755
index 0000000..f069375
--- /dev/null
+++ b/utils/attic-token.bash
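Review bot: `attic push nix-cache "${part[@]}"` hardcodes the cache name while every workflow logs in with `secrets.ATTIC_CACHE`; if the two differ the push fails, and since the callers use `continue-on-error: true` nobody notices — take the name from the environment (`cache="${ATTIC_CACHE:?cache name required}"`) or from `$1`. `nix path-info --all` selects every path in the runner's store, not only what this flake built, so whatever earlier steps of that job put there is uploaded under the write token; if the build step can leave a result link, push only the closure of those results instead. The `jq … | join("\n") | sed …` round-trip rebuilds newlines from a JSON string and can be replaced by `jq -r 'to_entries | sort_by(.value.closureSize) | .[].key'`, and the script should use `set -euo pipefail` so a failing `nix path-info` does not yield an empty list that looks like a successful no-op.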
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+if (($# != 3)); then
+ echo "usage: $0 "
+ exit 1
+fi
+
+cache="$1"
+cache_pattern="$2"
+token_type="$3"
+
+case $token_type in
+"cache-creator")
+ atticd-atticadm make-token --sub "$cache-cache-creator" --validity "1y" \
+ --pull "$cache_pattern" --push "$cache_pattern" --delete "$cache_pattern" \
+ --create-cache "$cache_pattern" --configure-cache "$cache_pattern" \
+ --configure-cache-retention "$cache_pattern" --destroy-cache "$cache_pattern"
+ ;;
+"admin")
+ atticd-atticadm make-token --sub "$cache-admin" --validity "1y" --pull "$cache_pattern" \
+ --push "$cache_pattern" --configure-cache "$cache_pattern" \
+ --configure-cache-retention "$cache_pattern"
+ ;;
+"writer")
+ atticd-atticadm make-token --sub "$cache-writer" --validity "1y" --pull "$cache_pattern" \
+ --push "$cache_pattern"
+ ;;
+"reader")
+ atticd-atticadm make-token --sub "$cache-reader" --validity "1y" --pull "$cache_pattern"
+ ;;
+*)
+ echo "invalid token type: $token_type"
+ echo "available options: cache-creator, admin, writer, reader"
+ exit 1
+ ;;
+esac
diff --git a/utils/attic-utils.bash b/utils/attic-utils.bash
new file mode 100644
index 0000000..ebae713
--- /dev/null
+++ b/utils/attic-utils.bash
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+cache_name=""
+action=""
+
+case "$action" in
+ "login")
+ ;;
+ *)
+ echo ""
+ exit 1
+ ;;
+esac
diff --git a/utils/diff-evals.sh b/utils/diff-evals.sh
new file mode 100755
index 0000000..93ddc8a
--- /dev/null
+++ b/utils/diff-evals.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env nix
+#! nix shell nixpkgs#bash nixpkgs#gnugrep nixpkgs#nvd --command bash
+
+# diffs each derivation
+
+set -x
+set -v
+set -e
+
+script_path=$(dirname "$(readlink -f $0)")
+parent_path=$(dirname "$script_path")
+
+nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --compare-drvs --compare-output-to-file "$parent_path"
diff --git a/utils/eval-to-drv.sh b/utils/eval-to-drv.sh
new file mode 100755
index 0000000..49634b4
--- /dev/null
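Review bot: Every role in `attic-token.bash` gets `--validity "1y"` hard-coded, including `cache-creator`, whose token carries `--delete` and `--destroy-cache` over everything matching `$cache_pattern`; a year-long destructive credential is hard to justify for a CI writer, let alone for this one. Make the lifetime an argument with a shorter default, e.g. `validity="${4:-1y}"` used as `--validity "$validity"`, and note in a comment that `admin` is in fact less privileged than `cache-creator` (no delete/destroy), since the names suggest the opposite. The usage line is rendered here as `echo "usage: $0 "` — if the placeholder names were lost in the patch, restore them (`<cache> <cache-pattern> <token-type>`) — and the selector should be quoted, `case "$token_type" in`. The token is printed to stdout; callers should redirect it into a file under `umask 077` rather than leave it in terminal scrollback or CI logs.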
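Review bot: `nix run git+https://nayeonie.com/ahuston-0/flake-update-diff` in `diff-evals.sh` has no `?rev=` or `?ref=`, so this CI step executes whatever the remote's default branch contains at run time; pin it, `git+https://nayeonie.com/ahuston-0/flake-update-diff?rev=<commit>`, or make the tool a locked input of this flake so its hash lives in `flake.lock`. `readlink -f $0` is unquoted (`"$(readlink -f "$0")"`), and the `set -x`/`set -v` pair looks like leftover debugging for a script invoked from CI.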
+++ b/utils/eval-to-drv.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env nix
+#! nix shell nixpkgs#bash nixpkgs#gnugrep nixpkgs#nixVersions.latest --command bash
+
+# diffs each derivation
+
+set -x
+set -v
+set -e
+
+if [ "$#" -ne 1 ]; then
+ echo "$0 (pre|post)"
+ exit 1
+fi
+
+script_path=$(dirname "$(readlink -f $0)")
+parent_path=$(dirname "$script_path")
+out_path="$parent_path/$1.json"
+
+nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --evaluate --json "$out_path" "$parent_path"
diff --git a/utils/fetch-docker.sh b/utils/fetch-docker.sh
new file mode 100755
index 0000000..637b3c6
--- /dev/null
+++ b/utils/fetch-docker.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env nix
+#! nix shell nixpkgs#bash nixpkgs#nix-prefetch-docker --command bash
+
+# retrieves the latest image tags
+
+set -x
+set -v
+set -e
+
+script_path=$(dirname "$(readlink -f $0)")
+parent_path=$(dirname "$script_path")
+
+# a list of images to pull
+# relpath is the relative path to the parent_path where you want the file written
+# format: ,,,,
+images=(
+ "nextcloud,apache,amd64,linux,/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix"
+)
+IFS=","
+while read -r name tag arch os relpath; do
+ nix-prefetch-docker --image-name "$name" --image-tag "$tag" --arch "$arch" --os "$os" --quiet >"$parent_path/$relpath"
+ git --no-pager diff "$parent_path/$relpath"
+done <<<"${images[@]}"
diff --git a/utils/manual-update.sh b/utils/manual-update.sh
new file mode 100755
index 0000000..96fe9cb
--- /dev/null
+++ b/utils/manual-update.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+set -e
+set -v
+set -x
+
+git checkout main
+git branch -D update_flake_lock_action || true
+git checkout -b update_flake_lock_action
+nix flake update
+nix flake check
diff --git a/utils/new.yaml b/utils/new.yaml
new file mode 100644
index 0000000..3ac2526
--- /dev/null
+++ b/utils/new.yaml
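Review bot: The usage text of `eval-to-drv.sh` promises `(pre|post)` but `$1` is never validated, so `out_path="$parent_path/$1.json"` writes to any name the caller passes, including one containing `../`; add `case "$1" in pre|post) ;; *) echo "$0 (pre|post)" >&2; exit 1 ;; esac` after the argument-count check. The header comment `# diffs each derivation` is copied from `diff-evals.sh` while this script evaluates and writes a JSON snapshot — `# evaluates the flake and writes the derivation snapshot to <pre|post>.json` would be accurate. As in the sibling script, pin the `nix run git+https://…/flake-update-diff` reference with `?rev=<commit>` and quote `"$0"` in the `readlink` call.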
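Review bot: The loop `while read -r name tag arch os relpath; do … done <<<"${images[@]}"` in `fetch-docker.sh` only works with exactly one entry: a here-string is a single word, so a second element of `images` is joined onto the same line with a space and lands inside `relpath`, and the bare `IFS=","` then leaks into every later expansion in the script. Feed entries one per line and scope IFS to the read: `while IFS=, read -r name tag arch os relpath; do` … `done < <(printf '%s\n' "${images[@]}")`. The `# format:` comment is rendered here without its field names; if they were lost in the patch, restore `# format: <name>,<tag>,<arch>,<os>,<relpath>`. Because `>"$parent_path/$relpath"` truncates the target before `nix-prefetch-docker` runs, a failed fetch leaves an empty `.nix` file behind under `set -e`; write to a temp file and `mv` it into place on success.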
@@ -0,0 +1,14 @@
+network:
+ ethernets:
+ addresses:
+ - 155.128.134.198/23
+ - 2002:18f0:b009:f84:5200:03ff:fdf7:d0c2/64
+ - abc
+ dhcp4: false
+ ens3: null
+ gateway4: 155.128.134.198
+ nameservers:
+ addresses:
+ - 108.61.10.10
+ renderer: networkd
+ version: 2
diff --git a/utils/old.yaml b/utils/old.yaml
new file mode 100644
index 0000000..788a11b
--- /dev/null
+++ b/utils/old.yaml
@@ -0,0 +1,10 @@
+network:
+ version: 2
+ renderer: networkd
+ ethernets:
+ ens3:
+ dhcp4: no
+ addresses: [155.128.134.198/23,'2002:18f0:b009:f84:5200:03ff:fdf7:d0c2/64']
+ gateway4: 155.128.134.198
+ nameservers:
+ addresses: [108.61.10.10]
diff --git a/utils/requirements.txt b/utils/requirements.txt
new file mode 100644
index 0000000..c3726e8
--- /dev/null
+++ b/utils/requirements.txt
@@ -0,0 +1 @@
+pyyaml
diff --git a/utils/sops-add-machine.py b/utils/sops-add-machine.py
new file mode 100755
index 0000000..b579b07
--- /dev/null
+++ b/utils/sops-add-machine.py
@@ -0,0 +1,20 @@
+#!/usr/bin/env nix
+#! nix shell nixpkgs#python312 nixpkgs#python312Packages.pyyaml --command python
+
+import yaml
+import pprint
+
+with open('.sops.yaml','r') as in_yamlfile:
+ cur_yaml = yaml.safe_load(in_yamlfile)
+
+cur_yaml['keys'].append('&test testkey')
+
+pprint.pprint(cur_yaml)
+
+# with open('new.yaml','w') as out_yamlfile:
+# yaml.safe_dump(cur_yaml, out_yamlfile)
+
+# with open('new.yaml','r') as inn_yamlfile:
+# new_yaml = yaml.safe_load(inn_yamlfile)
+
+# assert(cur_yaml == new_yaml)
diff --git a/utils/sops-mergetool-new.sh b/utils/sops-mergetool-new.sh
new file mode 100755
index 0000000..fc425c9
--- /dev/null
+++ b/utils/sops-mergetool-new.sh
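Review bot: `utils/new.yaml` does not look like a usable netplan file — `addresses`, `dhcp4` and `gateway4` sit directly under `ethernets` while `ens3: null`, `gateway4` equals the host's own address, and the address list contains a literal `- abc` — so if it is the scratch output of a YAML round-trip experiment (the sibling `old.yaml` holds the same data in valid form, and `sops-add-machine.py` has a commented-out `new.yaml` dump), it should say so: add `# scratch output of a PyYAML round-trip of old.yaml; not a real host config`, or leave both files out of the commit. Both files also carry what appear to be real public IPv4/IPv6 host addresses and a resolver; if they are only fixtures, the documentation ranges (`192.0.2.0/24`, `2001:db8::/32`) avoid publishing real topology.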
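Review bot: `cur_yaml['keys'].append('&test testkey')` appends a plain string, not a YAML anchor — PyYAML's `safe_load` resolves every `*alias` and discards `&anchor` names, and `safe_dump` would emit this entry as a quoted scalar — so round-tripping `.sops.yaml` through this script would expand every `creation_rules` entry that references a key anchor, and the commented-out `assert(cur_yaml == new_yaml)` would still pass because it compares resolved values. If the goal is to add a machine key, the writer must preserve anchors and the change must be followed by `sops updatekeys` on the affected secret files, otherwise the new key cannot decrypt anything; a header comment stating both limitations would stop this WIP from being used as-is. `yaml.safe_load` is the right loader for a config file — keep it.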
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+
+# Rename CLI parameters to friendlier names
+# https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
+base="$1"
+local_="$2"
+remote="$3"
+merged="$4"
+
+# Load the mergetool scripts
+TOOL_MODE=merge
+source "$(git --exec-path)/git-mergetool--lib"
+mergetool=$(get_merge_tool)
+setup_tool "${mergetool}"
+
+# Create file names for decrypted contents
+# example_LOCAL_2823.yaml -> example_LOCAL_2823.decrypted.yaml
+extension=".${base##*.}"
+base_decrypted="${base/$extension/.decrypted$extension}"
+local_decrypted="${local_/$extension/.decrypted$extension}"
+remote_decrypted="${remote/$extension/.decrypted$extension}"
+merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
+backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
+
+# If anything goes wrong, then delete our decrypted files
+handle_trap_exit() {
+ rm $base_decrypted || true
+ rm $local_decrypted || true
+ rm $remote_decrypted || true
+ rm $merged_decrypted || true
+ rm $backup_decrypted || true
+}
+trap handle_trap_exit EXIT
+
+# Decrypt our file contents
+sops --decrypt --show-master-keys "$base" >"$base_decrypted"
+sops --decrypt --show-master-keys "$local_" >"$local_decrypted"
+sops --decrypt --show-master-keys "$remote" >"$remote_decrypted"
+
+# Create a merge-diff to compare against
+git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted"
+cp "$merged_decrypted" "$backup_decrypted"
+
+# Set up variables for the mergetool
+# https://github.com/git/git/blob/v2.8.2/mergetools/meld
+# https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L95-L111
+LOCAL="$local_decrypted"
+BASE="$base_decrypted"
+REMOTE="$remote_decrypted"
+MERGED="$merged_decrypted"
+BACKUP="$backup_decrypted"
+
+# Override `check_unchanged` with a custom script
+check_unchanged() {
+ # If the contents haven't changed, then fail
+ if test "$MERGED" -nt "$BACKUP"; then
+ return 0
+ else
+ exit 1
+ fi
+}
+
+# Run the mergetool
+run_merge_tool "${mergetool}" true
+
+# Re-encrypt content
+sops --encrypt "$merged_decrypted" >"$merged"
diff --git a/utils/sops-mergetool.sh b/utils/sops-mergetool.sh
new file mode 100755
index 0000000..591562e
--- /dev/null
+++ b/utils/sops-mergetool.sh
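Review bot: The three `sops --decrypt … >"$…_decrypted"` lines in `sops-mergetool-new.sh` are unchecked and the script never sets `-e`, so a decrypt failure (wrong key, KMS unreachable) yields an empty plaintext file, `git merge-file` merges against it, and the closing `sops --encrypt "$merged_decrypted" >"$merged"` overwrites the merge result with that content. The plaintext files are created beside the encrypted ones under the caller's default umask and removed by unquoted `rm $base_decrypted`, which misbehaves on paths with spaces; start with `set -euo pipefail` and `umask 077`, use `rm -f -- "$base_decrypted"` (and the other four) in `handle_trap_exit`, and keep `run_merge_tool "${mergetool}" true || true` since the tool's non-zero exit is expected on abort. Note that `sops --encrypt` selects its creation rule from the filename it is given — here `*_MERGED_*.decrypted.yaml` — which may not match the `.sops.yaml` `path_regex` that the real file matches; verify the rule resolves to the intended keys.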
@@ -0,0 +1,88 @@
+#!/usr/bin/env bash
+# Exit on first error and verify variables have been set/passed via CLI
+#set -eu
+set -v
+set -x
+
+# Rename our variables to friendlier equivalents
+# https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
+base="$1"
+local_="$2"
+remote="$3"
+merged="$4"
+
+echo "$base"
+echo "$local_"
+echo "$remote"
+echo "$merged"
+
+# Resolve our default mergetool
+# https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L3
+mergetool="$(git config --get merge.tool)"
+GIT_DIR="$(git --exec-path)"
+if test "$mergetool" = ""; then
+ echo 'No default `merge.tool` was set for `git`. Please set one via `git config --set merge.tool `' 1>&2
+ exit 1
+fi
+
+# Create file names for our decrypted contents
+# example_LOCAL_2823.yaml -> example_LOCAL_2823.decrypted.yaml
+extension=".${base##*.}"
+base_decrypted="${base/$extension/.decrypted$extension}"
+local_decrypted="${local_/$extension/.decrypted$extension}"
+remote_decrypted="${remote/$extension/.decrypted$extension}"
+merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
+backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
+
+# If anything goes wrong, then delete our decrypted files
+handle_trap_exit() {
+ rm $base_decrypted || true
+ rm $local_decrypted || true
+ rm $remote_decrypted || true
+ rm $merged_decrypted || true
+ rm $backup_decrypted || true
+}
+trap handle_trap_exit EXIT
+
+# Decrypt our file contents
+sops --decrypt --show-master-keys "$base" >"$base_decrypted"
+sops --decrypt --show-master-keys "$local_" >"$local_decrypted"
+sops --decrypt --show-master-keys "$remote" >"$remote_decrypted"
+
+# Create a merge-diff to compare against
+set +e
+git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted"
+set -e
+cp "$merged_decrypted" "$backup_decrypted"
+
+# Set up variables for our mergetool
+# https://github.com/git/git/blob/v2.8.2/mergetools/meld
+# https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L95-L111
+export LOCAL="$local_decrypted"
+export BASE="$base_decrypted"
+export REMOTE="$remote_decrypted"
+export MERGED="$merged_decrypted"
+export BACKUP="$backup_decrypted"
+
+# Load our mergetool scripts
+source "$GIT_DIR/git-mergetool--lib"
+source "$GIT_DIR/mergetools/$mergetool"
+
+# Override `check_unchanged` with a custom script
+check_unchanged() {
+ # If the contents haven't changed, then fail
+ if test "$MERGED" -nt "$BACKUP"; then
+ return 0
+ else
+ exit 1
+ fi
+}
+
+# Run our mergetool
+set +eu
+export merge_tool_path="$(get_merge_tool_path "$mergetool")"
+merge_cmd
+set -eu
+
+# Re-encrypt content
+sops --encrypt "$merged_decrypted" >"$merged"
-- 2.48.1
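Review bot: `#set -eu` is commented out and `set -e` only switches on after `git merge-file`, so the three `sops --decrypt … >"$…_decrypted"` calls run unchecked: a failed decrypt yields an empty plaintext file, the merge proceeds against it, and the final `sops --encrypt "$merged_decrypted" >"$merged"` overwrites the merge result. Enable `set -euo pipefail` at the top — the existing `set +e`/`set -e` bracket around `git merge-file` (whose exit status is the conflict count) and the `set +eu … set -eu` around `merge_cmd` already cover the two calls that legitimately return non-zero. `set -v`, `set -x` and the four `echo "$base"` … lines are debugging output that prints every temp path on each invocation and should go before this is installed as a git merge driver. The plaintext files are written under the caller's umask and deleted with unquoted `rm $base_decrypted`; add `umask 077` before decrypting and quote the removals (`rm -f -- "$base_decrypted"`). `GIT_DIR="$(git --exec-path)"` reuses a variable name git itself honours if it is ever exported; `git_exec_path` avoids that trap.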