nixpkgs/pkgs/build-support/fetchgit/default.nix

{lib, stdenvNoCC, git, git-lfs, cacert}: let
  urlToName = url: rev: let
    inherit (lib) removeSuffix splitString last;
    base = last (splitString ":" (baseNameOf (removeSuffix "/" url)));

    matched = builtins.match "(.*)\\.git" base;

    short = builtins.substring 0 7 rev;

    appendShort = lib.optionalString ((builtins.match "[a-f0-9]*" rev) != null) "-${short}";
  in "${if matched == null then base else builtins.head matched}${appendShort}";
in
lib.makeOverridable (lib.fetchers.withNormalizedHash { } (
# NOTE Please document parameter additions or changes in
#   doc/build-helpers/fetchers.chapter.md
{ url, rev ? "HEAD", leaveDotGit ? deepClone
, outputHash ? lib.fakeHash, outputHashAlgo ? null
, fetchSubmodules ? true, deepClone ? false
, branchName ? null
, sparseCheckout ? []
, nonConeMode ? false
, name ? urlToName url rev
, # Shell code executed after the file has been fetched
  # successfully. This can do things like check or transform the file.
  postFetch ? ""
, preferLocalBuild ? true
, fetchLFS ? false
, # Shell code to build a netrc file for BASIC auth
  netrcPhase ? null
, # Impure env vars (https://nixos.org/nix/manual/#sec-advanced-attributes)
  # needed for netrcPhase
  netrcImpureEnvVars ? []
, meta ? {}
, allowedRequisites ? null
}:

/* NOTE:
   fetchgit has one problem: git fetch only works for refs.
   This is because fetching arbitrary (maybe dangling) commits creates garbage collection risks
   and checking whether a commit belongs to a ref is expensive. This may
   change in the future when some caching is added to git (?)
   Usually refs are either tags (refs/tags/*) or branches (refs/heads/*)
   Cloning branches will make the hash check fail when there is an update.
   But not all patches we want can be accessed by tags.

   The workaround is getting the last n commits so that it's likely that they
   still contain the hash we want.

   for now : increase depth iteratively (TODO)

   real fix: ask git folks to add a
   git fetch $HASH contained in $BRANCH
   facility because checking that $HASH is contained in $BRANCH is less
   expensive than fetching --depth $N.
   Even if git folks implemented this feature soon it may take years until
   server admins start using the new version?
*/

assert deepClone -> leaveDotGit;
assert nonConeMode -> (sparseCheckout != []);

if builtins.isString sparseCheckout then
  # Changed to throw on 2023-06-04
  throw "Please provide directories/patterns for sparse checkout as a list of strings. Passing a (multi-line) string is not supported any more."
else
stdenvNoCC.mkDerivation {
  inherit name;
  builder = ./builder.sh;
  fetcher = ./nix-prefetch-git;

  nativeBuildInputs = [ git cacert ]
    ++ lib.optionals fetchLFS [ git-lfs ];

  inherit outputHash outputHashAlgo;
  outputHashMode = "recursive";

  # git-sparse-checkout(1) says:
  # > When the --stdin option is provided, the directories or patterns are read
  # > from standard in as a newline-delimited list instead of from the arguments.
  sparseCheckout = builtins.concatStringsSep "\n" sparseCheckout;

  inherit url rev leaveDotGit fetchLFS fetchSubmodules deepClone branchName nonConeMode postFetch;

  postHook = if netrcPhase == null then null else ''
    ${netrcPhase}
    # required that git uses the netrc file
    mv {,.}netrc
    export NETRC=$PWD/.netrc
    export HOME=$PWD
  '';

  impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ netrcImpureEnvVars ++ [
    "GIT_PROXY_COMMAND" "NIX_GIT_SSL_CAINFO" "SOCKS_SERVER"
  ];


  inherit preferLocalBuild meta allowedRequisites;

  passthru = {
    gitRepoUrl = url;
  };
}
))
treewide: stdenvNoCC.lib -> lib 2021-01-27 05:50:30 +00:00			`{lib, stdenvNoCC, git, git-lfs, cacert}: let`
fetchgit: give output a nicer name Instead of git-export, we get the basename of the repo, plus the shortrev if the commit-ish is a rev. 2015-01-01 13:34:56 +00:00			`urlToName = url: rev: let`
treewide: stdenvNoCC.lib -> lib 2021-01-27 05:50:30 +00:00			`inherit (lib) removeSuffix splitString last;`
fetchgit: support "git@server:repo" URLs Update the code that extracts the base name from a git repo URL so that it can deal with URLs like "git@server:repo". 2017-06-18 11:42:39 +00:00			`base = last (splitString ":" (baseNameOf (removeSuffix "/" url)));`
fetchgit: give output a nicer name Instead of git-export, we get the basename of the repo, plus the shortrev if the commit-ish is a rev. 2015-01-01 13:34:56 +00:00
fetchgit: escape dot in regex This regex should match files ending in `.git`, not any character and `git` after that. 2021-02-03 17:35:42 +00:00			`matched = builtins.match "(.*)\\.git" base;`
fetchgit: give output a nicer name Instead of git-export, we get the basename of the repo, plus the shortrev if the commit-ish is a rev. 2015-01-01 13:34:56 +00:00
			`short = builtins.substring 0 7 rev;`

treewide: use optionalString 2023-02-06 20:49:02 +00:00			`appendShort = lib.optionalString ((builtins.match "[a-f0-9]*" rev) != null) "-${short}";`
fetchgit: give output a nicer name Instead of git-export, we get the basename of the repo, plus the shortrev if the commit-ish is a rev. 2015-01-01 13:34:56 +00:00			`in "${if matched == null then base else builtins.head matched}${appendShort}";`
fetchgit: improve name detection, discard nix-1.8 check The name detection didn't work for e.g. http://git.suckless.org/sinit/. I tested the tarball builds now. @shlevy claimed nixpkgs requires nix-1.8 features anyway, so the additional check with message were superfluous. 2015-01-13 18:43:08 +00:00			`in`
fetchgit: factor-out the hash logic to `lib.fetchers.withNormalizedHash` 2024-09-15 21:13:26 +00:00			`lib.makeOverridable (lib.fetchers.withNormalizedHash { } (`
fetchgit: nudge to update the manual when modifying parameters Many parameters added over the past many years were not documented in the manual. People likely simple didn't think to do that, so let's nudge them. 2024-11-13 14:16:47 +00:00			`# NOTE Please document parameter additions or changes in`
			`# doc/build-helpers/fetchers.chapter.md`
fetchgit: factor-out the hash logic to `lib.fetchers.withNormalizedHash` 2024-09-15 21:13:26 +00:00			`{ url, rev ? "HEAD", leaveDotGit ? deepClone`
			`, outputHash ? lib.fakeHash, outputHashAlgo ? null`
fetchgit: add 'deepClone' argument to disable shallow fetching This patch resolves https://github.com/NixOS/nixpkgs/issues/6395. Deep cloning is useful in combination with 'leaveDotGit' for builds that want to run "git describe" to obtain a proper version string, etc., like the 'haskellngPackages.cabal2nix' package does. 2015-03-10 11:40:19 +00:00			`, fetchSubmodules ? true, deepClone ? false`
fetchgit: Add support for specifying branch name This is useful when `leaveDotGit = true` and some other derivation expects some branch name to exist. Previously, `nix-prefetch-git` always created a branch with a hard-coded name (`fetchgit`). 2015-04-20 12:25:14 +00:00			`, branchName ? null`
fetchgit: make sparseCheckout a list of strings The `sparseCheckout` argument allows the user to specify directories or patterns of files, which Git uses to filter files it should check-out. Git expects a multi-line string on stdin ("newline-delimited list", see `git-sparse-checkout(1)`), but within nixpkgs it is more consistent to use a list of strings instead. The list elements are joined to a multi-line string only before passing it to the builder script. A deprecation warning is emitted if a (multi-line) string is passed to `sparseCheckout`, but for the time being it is still accepted. 2022-11-07 18:42:19 +00:00			`, sparseCheckout ? []`
fetchgit: allow disabling cone mode for sparse checkouts, fix test 2022-08-04 19:26:03 +00:00			`, nonConeMode ? false`
fetchgit: give output a nicer name Instead of git-export, we get the basename of the repo, plus the shortrev if the commit-ish is a rev. 2015-01-01 13:34:56 +00:00			`, name ? urlToName url rev`
fetchgit: add postFetch argument 2017-06-03 18:45:51 +00:00			`, # Shell code executed after the file has been fetched`
			`# successfully. This can do things like check or transform the file.`
			`postFetch ? ""`
prefer-fetch-remote: an overlay to fetch on remote builders This is useful when running tools like NixOps or nix-review on workstations where the upload to the builder is significantly slower then downloading the source on the builder itself. 2018-12-31 07:10:28 +00:00			`, preferLocalBuild ? true`
fetchgit: add lfs support 2020-12-05 07:32:48 +00:00			`, fetchLFS ? false`
fetchgit: add support for netrc file through impure NIX_GIT_SSL_CAINFO env 2021-09-15 14:17:05 +00:00			`, # Shell code to build a netrc file for BASIC auth`
			`netrcPhase ? null`
			`, # Impure env vars (https://nixos.org/nix/manual/#sec-advanced-attributes)`
			`# needed for netrcPhase`
			`netrcImpureEnvVars ? []`
fetchgit: allow passing thru meta 2022-04-18 01:06:02 +00:00			`, meta ? {}`
fetchgit: allow passing allowedRequisites through to stdenv.mkDerivation When maintainers override stages of `fetchgit' (e.g. `postPatch`) it is very easy for them to accidentally leak the outpath-hash of their current `stdenv` into `fetchgit''s output, and therefore into the value they paste into `sha256`. This is a problem, because the resulting expression will break whenever any change is made to `stdenv` or when anybody attempts to build the expression on a different platform than the one used by the original maintainer. Almost as much of a problem is the fact that CI does not catch these problems. The `fetchgit` is run only once, then its output goes into cachix, and all future builds (hydra, CI, ofborg) pull from cachix. Let's offer maintainers the option to check that they aren't making this mistake, by passing through `allowedRequisites`. The default value is `null`, but it might be worth changing that at some point in the future. It is also sometimes difficult to communicate to package maintainers why their expression is problematic. Having `allowedRequisites` passed through makes it easier to do this: "look, when I switch on `allowedRequisites` your package breaks; are you sure you meant to hardcode the hash today's `x86_64-linux.stdenv` into your expression?` For an example use case, see https://github.com/NixOS/nixpkgs/pull/171223 The issue above is part of a larger problem with nixpkgs infra: there large parts of cachix cannot be reproduced easily if they are lost. Once something ends goes into cachix, we never ever again reverify the procedure by which it was placed into cachix. 2022-05-02 09:51:11 +00:00			`, allowedRequisites ? null`
Allow git checkouts to have custom name 2014-09-03 17:48:15 +00:00			`}:`
* fetchgit and nix-prefetch-git svn path=/nixpkgs/trunk/; revision=16035 2009-06-24 12:48:01 +00:00
some fetchgit documentation svn path=/nixpkgs/trunk/; revision=18283 2009-11-08 03:02:10 +00:00			`/* NOTE:`
			`fetchgit has one problem: git fetch only works for refs.`
fetchgit: remove "security" from comment about "security risk" Closes #178410 2022-08-03 12:07:34 +00:00			`This is because fetching arbitrary (maybe dangling) commits creates garbage collection risks`
some fetchgit documentation svn path=/nixpkgs/trunk/; revision=18283 2009-11-08 03:02:10 +00:00			`and checking whether a commit belongs to a ref is expensive. This may`
			`change in the future when some caching is added to git (?)`
			`Usually refs are either tags (refs/tags/) or branches (refs/heads/)`
			`Cloning branches will make the hash check fail when there is an update.`
			`But not all patches we want can be accessed by tags.`

fetchFromGitHub: add fetchSubmodules option This commit extends fetchFromGitHub with ability to fetch GitHub repositories with submodules, so we can use the function consistently with all GitHub repositories. Note it doesn't change the previous behavior. 2016-11-18 10:56:08 +00:00			`The workaround is getting the last n commits so that it's likely that they`
some fetchgit documentation svn path=/nixpkgs/trunk/; revision=18283 2009-11-08 03:02:10 +00:00			`still contain the hash we want.`

			`for now : increase depth iteratively (TODO)`

			`real fix: ask git folks to add a`
			`git fetch $HASH contained in $BRANCH`
			`facility because checking that $HASH is contained in $BRANCH is less`
			`expensive than fetching --depth $N.`
			`Even if git folks implemented this feature soon it may take years until`
			`server admins start using the new version?`
			`*/`

fetchgit: add 'deepClone' argument to disable shallow fetching This patch resolves https://github.com/NixOS/nixpkgs/issues/6395. Deep cloning is useful in combination with 'leaveDotGit' for builds that want to run "git describe" to obtain a proper version string, etc., like the 'haskellngPackages.cabal2nix' package does. 2015-03-10 11:40:19 +00:00			`assert deepClone -> leaveDotGit;`
fetchgit: require sparseCheckout be a list of strings Passing a (multi-line) string was deprecated in #200082 in favour of list of strings, but still supported (with warning). Now, enforce use of list of strings. 2023-06-04 08:04:31 +00:00			`assert nonConeMode -> (sparseCheckout != []);`
fetchgit: Require a content hash Without this, the result will not be a fixed-output derivation and won't work in general. 2014-02-18 18:11:57 +00:00
fetchgit: factor-out the hash logic to `lib.fetchers.withNormalizedHash` 2024-09-15 21:13:26 +00:00			`if builtins.isString sparseCheckout then`
fetchgit: require sparseCheckout be a list of strings Passing a (multi-line) string was deprecated in #200082 in favour of list of strings, but still supported (with warning). Now, enforce use of list of strings. 2023-06-04 08:04:31 +00:00			`# Changed to throw on 2023-06-04`
			`throw "Please provide directories/patterns for sparse checkout as a list of strings. Passing a (multi-line) string is not supported any more."`
fetch-*: remove md5 support fixes #4491 2017-03-13 12:31:44 +00:00			`else`
treewide: Fetchers should use `stdenvNoCC`. 2018-01-09 23:38:19 +00:00			`stdenvNoCC.mkDerivation {`
Allow git checkouts to have custom name 2014-09-03 17:48:15 +00:00			`inherit name;`
* fetchgit and nix-prefetch-git svn path=/nixpkgs/trunk/; revision=16035 2009-06-24 12:48:01 +00:00			`builder = ./builder.sh;`
fetchgit: Remove comment regarding path needing to be a string It was changed in 2019 to be of the actual path type, and has apparently been working since then. Closes #143846 2022-08-18 02:43:26 +00:00			`fetcher = ./nix-prefetch-git;`
fetchgit: add lfs support 2020-12-05 07:32:48 +00:00
treewide: support NIX_SSL_CERT_FILE as an impureEnvVar This envvar is also added to lib.proxyImpureEnvVars since it's typically required for https proxies. This change also updates fetchgit and go module fetching to use this envvar. NIX_GIT_SSL_CAINFO is still supported for backwards compatibility in fetchgit. 2023-11-28 11:15:40 +00:00			`nativeBuildInputs = [ git cacert ]`
treewide: stdenvNoCC.lib -> lib 2021-01-27 05:50:30 +00:00			`++ lib.optionals fetchLFS [ git-lfs ];`
* fetchgit and nix-prefetch-git svn path=/nixpkgs/trunk/; revision=16035 2009-06-24 12:48:01 +00:00
fetchgit: factor-out the hash logic to `lib.fetchers.withNormalizedHash` 2024-09-15 21:13:26 +00:00			`inherit outputHash outputHashAlgo;`
* fetchgit and nix-prefetch-git svn path=/nixpkgs/trunk/; revision=16035 2009-06-24 12:48:01 +00:00			`outputHashMode = "recursive";`

fetchgit: make sparseCheckout a list of strings The `sparseCheckout` argument allows the user to specify directories or patterns of files, which Git uses to filter files it should check-out. Git expects a multi-line string on stdin ("newline-delimited list", see `git-sparse-checkout(1)`), but within nixpkgs it is more consistent to use a list of strings instead. The list elements are joined to a multi-line string only before passing it to the builder script. A deprecation warning is emitted if a (multi-line) string is passed to `sparseCheckout`, but for the time being it is still accepted. 2022-11-07 18:42:19 +00:00			`# git-sparse-checkout(1) says:`
			`# > When the --stdin option is provided, the directories or patterns are read`
			`# > from standard in as a newline-delimited list instead of from the arguments.`
fetchgit: require sparseCheckout be a list of strings Passing a (multi-line) string was deprecated in #200082 in favour of list of strings, but still supported (with warning). Now, enforce use of list of strings. 2023-06-04 08:04:31 +00:00			`sparseCheckout = builtins.concatStringsSep "\n" sparseCheckout;`
fetchgit: make sparseCheckout a list of strings The `sparseCheckout` argument allows the user to specify directories or patterns of files, which Git uses to filter files it should check-out. Git expects a multi-line string on stdin ("newline-delimited list", see `git-sparse-checkout(1)`), but within nixpkgs it is more consistent to use a list of strings instead. The list elements are joined to a multi-line string only before passing it to the builder script. A deprecation warning is emitted if a (multi-line) string is passed to `sparseCheckout`, but for the time being it is still accepted. 2022-11-07 18:42:19 +00:00
			`inherit url rev leaveDotGit fetchLFS fetchSubmodules deepClone branchName nonConeMode postFetch;`
* fetchgit and nix-prefetch-git svn path=/nixpkgs/trunk/; revision=16035 2009-06-24 12:48:01 +00:00
fetchgit: add support for netrc file through impure NIX_GIT_SSL_CAINFO env 2021-09-15 14:17:05 +00:00			`postHook = if netrcPhase == null then null else ''`
			`${netrcPhase}`
			`# required that git uses the netrc file`
			`mv {,.}netrc`
nix-prefetch-git: respect NETRC This script needs to support being run both as part of a `fetchgit` derivation and as a standalone, command-line tool. The use of `$NIX_BUILD_TOP` only works when used in `fetchgit` but not when invoked as a standalone tool. Instead we try to respect `$NETRC` so that the command-line invocation behaves more like standard tools and the `fetchgit` derivation can explicitly set `$NETRC` when `netrcPhase` is used to avoid all ambiguity. 2023-11-10 19:52:31 +00:00			`export NETRC=$PWD/.netrc`
fetchgit: add support for netrc file through impure NIX_GIT_SSL_CAINFO env 2021-09-15 14:17:05 +00:00			`export HOME=$PWD`
			`'';`

			`impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ netrcImpureEnvVars ++ [`
			`"GIT_PROXY_COMMAND" "NIX_GIT_SSL_CAINFO" "SOCKS_SERVER"`
lib/fetchers.nix: factor out impure proxy vars (#18702) Apparently everyone just copied those variables, instead of creating a library constant for them. Some even removed the comment. -.- 2016-09-17 19:50:01 +00:00			`];`
preferLocalBuild: set to true for wrappers and fetchers 2014-02-10 20:03:17 +00:00
fetchgit: allow passing allowedRequisites through to stdenv.mkDerivation When maintainers override stages of `fetchgit' (e.g. `postPatch`) it is very easy for them to accidentally leak the outpath-hash of their current `stdenv` into `fetchgit''s output, and therefore into the value they paste into `sha256`. This is a problem, because the resulting expression will break whenever any change is made to `stdenv` or when anybody attempts to build the expression on a different platform than the one used by the original maintainer. Almost as much of a problem is the fact that CI does not catch these problems. The `fetchgit` is run only once, then its output goes into cachix, and all future builds (hydra, CI, ofborg) pull from cachix. Let's offer maintainers the option to check that they aren't making this mistake, by passing through `allowedRequisites`. The default value is `null`, but it might be worth changing that at some point in the future. It is also sometimes difficult to communicate to package maintainers why their expression is problematic. Having `allowedRequisites` passed through makes it easier to do this: "look, when I switch on `allowedRequisites` your package breaks; are you sure you meant to hardcode the hash today's `x86_64-linux.stdenv` into your expression?` For an example use case, see https://github.com/NixOS/nixpkgs/pull/171223 The issue above is part of a larger problem with nixpkgs infra: there large parts of cachix cannot be reproduced easily if they are lost. Once something ends goes into cachix, we never ever again reverify the procedure by which it was placed into cachix. 2022-05-02 09:51:11 +00:00
			`inherit preferLocalBuild meta allowedRequisites;`
unstableGitUpdater: fix updating fetchzip-based sources a67950f20b97a293b2fefeecc349c6b785321e4b added `url` attribute from `fetchurl` and therefore also from `fetchzip`. We previously relied on `url` from fetchgit-based fetchers to find the repo URL but now it will just return tarballs in the case of `fetchFrom{GitHub,GitLab}`. Let’s add an attribute to `fetch{git,FromGitHub,FromGitLab}` to expose a repo URL consistently. 2022-05-24 16:03:46 +00:00
			`passthru = {`
			`gitRepoUrl = url;`
			`};`
* fetchgit and nix-prefetch-git svn path=/nixpkgs/trunk/; revision=16035 2009-06-24 12:48:01 +00:00			`}`
fetchgit: factor-out the hash logic to `lib.fetchers.withNormalizedHash` 2024-09-15 21:13:26 +00:00			`))`