From 1238760df48698c78e87b1094fc1a1fcd3629173 Mon Sep 17 00:00:00 2001
From: Sascha Grunert
Date: Fri, 8 Sep 2023 10:08:17 +0200
Subject: [PATCH] Add nix-build for multi-arch static binaries
Signed-off-by: Sascha Grunert
---
 .github/workflows/ci.yml | 49 ++++++++++++++++++++++++++++++++++++++++
 .gitignore | 1 +
 Makefile | 4 ++++
 dependencies.yaml | 6 +++++
 nix/default-amd64.nix | 1 +
 nix/default-arm64.nix | 7 ++++++
 nix/default-ppc64le.nix | 7 ++++++
 nix/default.nix | 4 ++++
 nix/derivation.nix | 23 +++++++++++++++++++
 nix/nixpkgs.json | 12 ++++++++++
 nix/nixpkgs.nix | 8 +++++++
 nix/overlay.nix | 5 ++++
 nix/static.nix | 10 ++++++++
 13 files changed, 137 insertions(+)
 create mode 120000 nix/default-amd64.nix
 create mode 100644 nix/default-arm64.nix
 create mode 100644 nix/default-ppc64le.nix
 create mode 100644 nix/default.nix
 create mode 100644 nix/derivation.nix
 create mode 100644 nix/nixpkgs.json
 create mode 100644 nix/nixpkgs.nix
 create mode 100644 nix/overlay.nix
 create mode 100644 nix/static.nix
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 66602d7cfe..cc91336afa 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,6 +10,7 @@ env:
 CARGO_TERM_COLOR: always
 GO_VERSION: '1.20'
 ACTION_MSRV_TOOLCHAIN: 1.69.0
+ NIX_VERSION: '2.17.0'
 jobs:
 build:
 runs-on: ubuntu-latest
@@ -122,6 +123,54 @@ jobs:
 glob: latest-*.txt
 destination: cri-o/conmon-rs
 
+ build-static:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ arch: [amd64, arm64, ppc64le]
+ name: build-static-${{ matrix.arch }}
+ steps:
+ - uses: actions/checkout@v4
+ - uses: cachix/install-nix-action@v23
+ with:
+ install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install
+ - uses: cachix/cachix-action@v12
+ with:
+ name: conmon-rs
+ authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+ pushFilter: "(conmon-rs|cargo-vendor)"
+ - run: nix-build nix/default-${{ matrix.arch }}.nix
+ - run: file result/bin/conmonrs | grep static | grep stripped
+ - uses: actions/upload-artifact@v3
+ with:
+ name: build-static-${{ matrix.arch }}
+ path: |
+ result/bin/conmonrs
+ - run: |
+ mkdir ${{ github.sha }}
+ cp result/bin/conmonrs ${{ github.sha }}/conmonrs.${{ matrix.arch }}
+ - uses: sigstore/cosign-installer@v3
+ - name: Sign binary
+ if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags')
+ run: |
+ cd ${{ github.sha }}
+ cosign sign-blob -y conmonrs.${{ matrix.arch }} \
+ --output-signature conmonrs.${{ matrix.arch }}.sig \
+ --output-certificate conmonrs.${{ matrix.arch }}.cert
+ - uses: actions/upload-artifact@v3
+ with:
+ name: conmonrs
+ path: ${{ github.sha }}/*
+ - uses: google-github-actions/auth@v1
+ if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags')
+ with:
+ credentials_json: ${{ secrets.GCS_CRIO_SA }}
+ - uses: google-github-actions/upload-cloud-storage@v1
+ if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags')
+ with:
+ path: ${{ github.sha }}
+ destination: cri-o/conmon-rs
+
 doc:
 runs-on: ubuntu-latest
 steps:
diff --git a/.gitignore b/.gitignore
index d052ecfb44..ca61ab07d8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@
 *.orig
 *.test
 /target
+/result
 /vendor
 .build
 latest-*.txt
diff --git a/Makefile b/Makefile
index 25a08ea779..6ae9b52ba7 100644
--- a/Makefile
+++ b/Makefile
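Review bot: The `Sign binary` step calls `cosign sign-blob -y` with no key, i.e. keyless signing through the GitHub OIDC token, but the new `build-static` job declares no `permissions:` block, so unless `id-token: write` is granted at workflow level outside this hunk the token request fails on exactly the main and tag builds where the step runs. Add `permissions:` with `id-token: write` and `contents: read` to the job; the latter also keeps the default `GITHUB_TOKEN` read-only in a job that already handles `CACHIX_AUTH_TOKEN` and `GCS_CRIO_SA`. Every action in the job is referenced by a mutable tag (`actions/checkout@v4`, `cachix/cachix-action@v12`, `sigstore/cosign-installer@v3`, the Google actions); for a job that produces signed release binaries and pushes to a binary cache, pin them to full commit SHAs with a trailing `# vX.Y.Z` comment so a moved tag cannot change what runs with those secrets. The three `contains(github.ref, 'refs/tags')` conditions would also be tighter as `startsWith(github.ref, 'refs/tags/')`, which cannot match a branch whose name merely contains that substring.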
@@ -108,3 +108,7 @@ install:
 .PHONY: rpm
 rpm:
 rpkg local
+
+nixpkgs:
+ @nix run -f channel:nixpkgs-unstable nix-prefetch-git -- \
+ --no-deepClone https://github.com/nixos/nixpkgs > nix/nixpkgs.json
diff --git a/dependencies.yaml b/dependencies.yaml
index 058de7d435..8a6657364b 100644
--- a/dependencies.yaml
+++ b/dependencies.yaml
@@ -49,3 +49,9 @@ dependencies:
 refPaths:
 - path: contrib/tracing/start
 match: OTLP_IMG
+
+ - name: nix
+ version: 2.17.0
+ refPaths:
+ - path: .github/workflows/ci.yml
+ match: NIX_VERSION
diff --git a/nix/default-amd64.nix b/nix/default-amd64.nix
new file mode 120000
index 0000000000..73537e478e
--- /dev/null
+++ b/nix/default-amd64.nix
@@ -0,0 +1 @@
+default.nix
\ No newline at end of file
diff --git a/nix/default-arm64.nix b/nix/default-arm64.nix
new file mode 100644
index 0000000000..bd3558e717
--- /dev/null
+++ b/nix/default-arm64.nix
@@ -0,0 +1,7 @@
+(import ./nixpkgs.nix {
+ crossSystem = {
+ config = "aarch64-unknown-linux-gnu";
+ };
+ overlays = [ (import ./overlay.nix) ];
+}).callPackage ./derivation.nix
+{ }
diff --git a/nix/default-ppc64le.nix b/nix/default-ppc64le.nix
new file mode 100644
index 0000000000..7fa1956e65
--- /dev/null
+++ b/nix/default-ppc64le.nix
@@ -0,0 +1,7 @@
+(import ./nixpkgs.nix {
+ crossSystem = {
+ config = "powerpc64le-unknown-linux-gnu";
+ };
+ overlays = [ (import ./overlay.nix) ];
+}).callPackage ./derivation.nix
+{ }
diff --git a/nix/default.nix b/nix/default.nix
new file mode 100644
index 0000000000..51634b4cd8
--- /dev/null
+++ b/nix/default.nix
@@ -0,0 +1,4 @@
+(import ./nixpkgs.nix {
+ overlays = [ (import ./overlay.nix) ];
+}).callPackage ./derivation.nix
+{ }
diff --git a/nix/derivation.nix b/nix/derivation.nix
new file mode 100644
index 0000000000..a77993f29a
--- /dev/null
+++ b/nix/derivation.nix
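Review bot: The new `nixpkgs` target redirects straight into `nix/nixpkgs.json`, and the shell truncates that file before `nix run` starts, so a failed download or an interrupted run leaves an empty file that `builtins.fromJSON` in nix/nixpkgs.nix rejects on the next build; write to a temporary and rename only on success, `> nix/nixpkgs.json.tmp && mv nix/nixpkgs.json.tmp nix/nixpkgs.json`. The target also passes no `--rev`, so each invocation pins whatever the default branch of nixos/nixpkgs points at that moment, which makes a pin bump hard to reproduce or review; a `NIXPKGS_REV ?=` variable forwarded as `--rev $(NIXPKGS_REV)` would make the chosen commit explicit. Note that nix-prefetch-git's full output is committed, including the generating machine's `/nix/store` `path` and a `date`, although nix/nixpkgs.nix only reads `url`, `rev` and `sha256`; piping through a field filter would keep the pin file to what is consumed.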
@@ -0,0 +1,23 @@
+{ pkgs }:
+with pkgs; rustPlatform.buildRustPackage {
+ name = "conmon-rs";
+ src = ./..;
+ doCheck = false;
+ nativeBuildInputs = with buildPackages; [
+ capnproto
+ protobuf
+ ];
+ buildInputs = [
+ glibc
+ glibc.static
+ ];
+ RUSTFLAGS = [
+ "-Ctarget-feature=+crt-static"
+ ];
+ stripAllList = [ "bin" ];
+ cargoLock = {
+ lockFile = lib.cleanSource ./.. + "/Cargo.lock";
+ allowBuiltinFetchGit = true;
+ };
+}
+
diff --git a/nix/nixpkgs.json b/nix/nixpkgs.json
new file mode 100644
index 0000000000..4c6ac397ba
--- /dev/null
+++ b/nix/nixpkgs.json
@@ -0,0 +1,12 @@
+{
+ "url": "https://github.com/nixos/nixpkgs",
+ "rev": "c44317643ebf160b50a86a23d203d99aaee8c133",
+ "date": "2023-09-08T07:22:05+00:00",
+ "path": "/nix/store/gscd59h9fppxwblgz19q24wg0jj8x4gg-nixpkgs",
+ "sha256": "1kr94ygwqirgmfpzyz3qz3wjfp28rqbmz2n565mssrlk0j3khwqx",
+ "hash": "sha256-HXM4hwSTZq1rMcWKXxfOSFwn+fh4fP+vqy9HzJ8nKc8=",
+ "fetchLFS": false,
+ "fetchSubmodules": false,
+ "deepClone": false,
+ "leaveDotGit": false
+}
diff --git a/nix/nixpkgs.nix b/nix/nixpkgs.nix
new file mode 100644
index 0000000000..d0c7d4a85b
--- /dev/null
+++ b/nix/nixpkgs.nix
@@ -0,0 +1,8 @@
+let
+ json = builtins.fromJSON (builtins.readFile ./nixpkgs.json);
+ nixpkgs = import (builtins.fetchTarball {
+ name = "nixos-unstable";
+ url = "${json.url}/tarball/${json.rev}";
+ inherit (json) sha256;
+ });
+in nixpkgs
diff --git a/nix/overlay.nix b/nix/overlay.nix
new file mode 100644
index 0000000000..de93adc69b
--- /dev/null
+++ b/nix/overlay.nix
@@ -0,0 +1,5 @@
+let
+ static = import ./static.nix;
+in
+self: super:
+{ }
diff --git a/nix/static.nix b/nix/static.nix
new file mode 100644
index 0000000000..52e669b600
--- /dev/null
+++ b/nix/static.nix
@@ -0,0 +1,10 @@
+pkg: pkg.overrideAttrs (x: {
+ doCheck = false;
+ configureFlags = (x.configureFlags or [ ]) ++ [
+ "--without-shared"
+ "--disable-shared"
+ ];
+ dontDisableStatic = true;
+ enableSharedExecutables = false;
+ enableStatic = true;
+})
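Review bot: `src = ./..;` imports the raw repository directory, while `cargoLock.lockFile` a few lines below reads Cargo.lock through `lib.cleanSource`; the raw path copies `.git`, any local `target/` and the `result` symlink into the source store path, so the derivation's input hash changes with untracked files and two checkouts of the same commit need not produce the same build. Use the same filter for both, `src = lib.cleanSource ./..;`, and consider a `lib.cleanSourceWith` filter that also drops `target` and `result`, since `cleanSource` only excludes VCS and editor leftovers. `doCheck = false;` skips the crate's tests in the very artifact the CI job signs and publishes; if that is deliberate because tests run in the cargo job, a one-line comment to that effect would stop it being read as an oversight.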
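Review bot: `static` is bound to `import ./static.nix` but never referenced, because the overlay body is the empty attribute set `{ }`; nothing in nix/static.nix is ever applied, so its `--disable-shared`/`enableStatic` overrides reach no package, and the static, stripped result that CI asserts comes only from `glibc.static` and `-Ctarget-feature=+crt-static` in nix/derivation.nix. Either remove the binding and static.nix until a dependency actually needs it, or apply it to the libraries the binary links, in the form `{ <pkg> = static super.<pkg>; }` in place of `{ }`. A dead helper in a build definition tends to be read as active by the next maintainer, which matters for a file that decides what goes into a signed release binary.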