flowey_lib_common/
use_gh_cli.rs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.

//! Set up `gh` CLI for use with flowey.
//!
//! The executable this node returns will wrap the base `gh` cli executable with
//! some additional logic, notably, ensuring it is includes any necessary
//! authentication.

use flowey::node::prelude::*;
use std::io::Write;

#[derive(Serialize, Deserialize)]
pub enum GhCliAuth<C = VarNotClaimed> {
    /// Prompt user to log-in interactively.
    LocalOnlyInteractive,
    /// Set the value of the `GITHUB_TOKEN` environment variable to the
    /// specified runtime String when invoking the `gh` CLI.
    AuthToken(ReadVar<String, C>),
}

impl ClaimVar for GhCliAuth {
    type Claimed = GhCliAuth<VarClaimed>;

    fn claim(self, ctx: &mut StepCtx<'_>) -> Self::Claimed {
        match self {
            GhCliAuth::LocalOnlyInteractive => GhCliAuth::LocalOnlyInteractive,
            GhCliAuth::AuthToken(v) => GhCliAuth::AuthToken(v.claim(ctx)),
        }
    }
}

flowey_request! {
    pub enum Request {
        /// Specify what authentication to use
        WithAuth(GhCliAuth),
        /// Get a path to `gh` executable
        Get(WriteVar<PathBuf>),
    }
}

new_flow_node!(struct Node);

impl FlowNode for Node {
    type Request = Request;

    fn imports(ctx: &mut ImportCtx<'_>) {
        ctx.import::<crate::download_gh_cli::Node>();
    }

    fn emit(requests: Vec<Self::Request>, ctx: &mut NodeCtx<'_>) -> anyhow::Result<()> {
        let mut get_reqs = Vec::new();
        let mut with_auth_interactive = false;
        let mut with_auth_token = None;

        for req in requests {
            match req {
                Request::WithAuth(v) => match v {
                    GhCliAuth::LocalOnlyInteractive => with_auth_interactive = true,
                    GhCliAuth::AuthToken(v) => {
                        same_across_all_reqs_backing_var("WithAuth", &mut with_auth_token, v)?
                    }
                },
                Request::Get(v) => get_reqs.push(v),
            }
        }

        let get_reqs = get_reqs;
        let auth = match (with_auth_interactive, with_auth_token) {
            (true, None) => GhCliAuth::LocalOnlyInteractive,
            (false, Some(v)) => GhCliAuth::AuthToken(v),
            (true, Some(_)) => {
                anyhow::bail!("`WithAuth` must be consistent across requests")
            }
            (false, None) => anyhow::bail!("Missing essential request: WithAuth"),
        };

        // -- end of req processing -- //

        if get_reqs.is_empty() {
            if let GhCliAuth::AuthToken(tok) = auth {
                tok.claim_unused(ctx);
            }
            return Ok(());
        }

        if !matches!(ctx.backend(), FlowBackend::Local) {
            if matches!(auth, GhCliAuth::LocalOnlyInteractive) {
                anyhow::bail!("cannot use interactive auth on a non-local backend")
            }
        }

        let gh_bin_path = ctx.reqv(crate::download_gh_cli::Request::Get);

        ctx.emit_rust_step("setup gh cli", |ctx| {
            let auth = auth.claim(ctx);
            let get_reqs = get_reqs.claim(ctx);
            let gh_bin_path = gh_bin_path.claim(ctx);
            |rt| {
                let sh = xshell::Shell::new()?;

                let gh_bin_path = rt.read(gh_bin_path).display().to_string();
                let gh_token = match auth {
                    GhCliAuth::LocalOnlyInteractive => String::new(),
                    GhCliAuth::AuthToken(tok) => rt.read(tok),
                };
                // only set GITHUB_TOKEN if there is a value to set it to, otherwise
                // let the user's environment take precedence over authenticating interactively
                let gh_token = if !gh_token.is_empty() {
                    match rt.platform().kind() {
                        FlowPlatformKind::Windows => format!(r#"SET "GITHUB_TOKEN={gh_token}""#),
                        FlowPlatformKind::Unix => format!(r#"GITHUB_TOKEN="{gh_token}""#),
                    }
                } else {
                    String::new()
                };

                let shim_txt = match rt.platform().kind() {
                    FlowPlatformKind::Windows => WINDOWS_SHIM_BAT.trim(),
                    FlowPlatformKind::Unix => UNIX_SHIM_SH.trim(),
                }
                .replace("{GITHUB_TOKEN}", &gh_token)
                .replace("{GH_BIN_PATH}", &gh_bin_path);

                let script_name = match rt.platform().kind() {
                    FlowPlatformKind::Windows => "shim.bat",
                    FlowPlatformKind::Unix => "shim.sh",
                };
                let path = {
                    let dst = std::env::current_dir()?.join(script_name);
                    let mut options = fs_err::OpenOptions::new();
                    #[cfg(unix)]
                    fs_err::os::unix::fs::OpenOptionsExt::mode(&mut options, 0o777); // executable
                    let mut file = options.create_new(true).write(true).open(&dst)?;
                    file.write_all(shim_txt.as_bytes())?;
                    dst.absolute()?
                };
                if !xshell::cmd!(sh, "{path} auth status")
                    .ignore_status()
                    .output()?
                    .status
                    .success()
                {
                    if matches!(rt.backend(), FlowBackend::Local) {
                        xshell::cmd!(sh, "{path} auth login").run()?;
                    } else {
                        anyhow::bail!("unable to authenticate with github - is GhCliAuth valid?")
                    }
                };

                for var in get_reqs {
                    rt.write(var, &path);
                }

                Ok(())
            }
        });

        Ok(())
    }
}

const UNIX_SHIM_SH: &str = r#"
#!/bin/sh
{GITHUB_TOKEN} exec {GH_BIN_PATH} "$@"
"#;

const WINDOWS_SHIM_BAT: &str = r#"
@ECHO OFF
{GITHUB_TOKEN}
{GH_BIN_PATH} %*
"#;