1 files changed, 82 insertions, 54 deletions
diff --git a/pkgs/development/tools/infisical/default.nix b/pkgs/development/tools/infisical/default.nix
index 99411a0904d..5c4b4ca9e3e 100644
--- a/pkgs/development/tools/infisical/default.nix
+++ b/pkgs/development/tools/infisical/default.nix
@@ -1,59 +1,87 @@
-{ stdenv, lib, callPackage, fetchurl }:
+{ stdenv, lib, fetchurl, testers, infisical, installShellFiles }:
+
+# this expression is mostly automated, and you are STRONGLY
+# RECOMMENDED to use to nix-update for updating this expression when new
+# releases come out, which runs the sibling `update.sh` script.
+#
+# from the root of the nixpkgs git repository, run:
+#
+#    nix-shell maintainers/scripts/update.nix \
+#      --argstr commit true \
+#      --argstr package infisical
 
 let
-  inherit (stdenv.hostPlatform) system;
-  throwSystem = throw "Unsupported system: ${system}";
-
-  plat = {
-    x86_64-linux = "linux_amd64";
-    x86_64-darwin = "darwin_amd64";
-    aarch64-linux = "linux_arm64";
-    aarch64-darwin = "darwin_arm64";
-  }.${system} or throwSystem;
-
-  archive_fmt = "tar.gz";
-
-  sha256 = {
-    x86_64-linux = "194akxb692xpqppakw49aywp5ma43yfcwv5imw4pm05cna0n06b1";
-    x86_64-darwin = "0bgjx54c00v0nb88rzdv09g92yw9qsf2fxd8565g6fsw591va1pa";
-    aarch64-linux = "0z07aikjhk9055apbvyaxdp8cgjl291fqgwgfbp9y3826q7s0riq";
-    aarch64-darwin = "0garlx458jy6dpqbfd0y2p7xj9hagm815cflybbbxf5yz2v9da01";
-  }.${system} or throwSystem;
+  # build hashes, which correspond to the hashes of the precompiled binaries procured by GitHub Actions.
+  buildHashes = builtins.fromJSON (builtins.readFile ./hashes.json);
+
+  # the version of infisical
+  version = "0.14.3";
+
+  # the platform-specific, statically linked binary
+  src =
+    let
+      suffix = {
+        # map the platform name to the golang toolchain suffix
+        # NOTE: must be synchronized with update.sh!
+        x86_64-linux = "linux_amd64";
+        x86_64-darwin = "darwin_amd64";
+        aarch64-linux = "linux_arm64";
+        aarch64-darwin = "darwin_arm64";
+      }."${stdenv.hostPlatform.system}" or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
+
+      name = "infisical_${version}_${suffix}.tar.gz";
+      hash = buildHashes."${stdenv.hostPlatform.system}";
+      url = "https://github.com/Infisical/infisical/releases/download/infisical-cli%2Fv${version}/${name}";
+    in
+    fetchurl { inherit name url hash; };
+
 in
-  stdenv.mkDerivation (finalAttrs: {
-    pname = "infisical";
-    version = "0.3.7";
-
-    src = fetchurl {
-      url = "https://github.com/Infisical/infisical/releases/download/v${finalAttrs.version}/infisical_${finalAttrs.version}_${plat}.tar.gz";
-      inherit sha256;
-    };
-
-    sourceRoot = ".";
-    installPhase = ''
-      mkdir -p $out/bin/ $out/share/completions/ $out/share/man/
-      cp completions/* $out/share/completions/
-      cp manpages/* $out/share/man/
-      cp infisical $out/bin
-    '';
+stdenv.mkDerivation {
+  pname = "infisical";
+  version = version;
+  inherit src;
 
-    postInstall = ''
-      installManPage share/man/infisical.1.gz
-      installShellCompletion share/completions/infisical.{bash,fish,zsh}
-      chmod +x bin/infisical
-    '';
+  nativeBuildInputs = [ installShellFiles ];
+
+  doCheck = true;
+  dontConfigure = true;
+  dontStrip = true;
+
+  sourceRoot = ".";
+  buildPhase = "chmod +x ./infisical";
+  checkPhase = "./infisical --version";
+  installPhase = ''
+    mkdir -p $out/bin/ $out/share/completions/ $out/share/man/
+    cp infisical $out/bin
+    cp completions/* $out/share/completions/
+    cp manpages/* $out/share/man/
+  '';
+  postInstall = ''
+    installManPage share/man/infisical.1.gz
+    installShellCompletion share/completions/infisical.{bash,fish,zsh}
+  '';
 
-    meta = with lib; {
-      description = "The official Infisical CLI";
-      longDescription = ''
-        Infisical is an Open Source, End-to-End encrypted platform that lets you
-        securely sync secrets and configs across your team, devices, and infrastructure
-      '';
-      mainProgram = "infisical";
-      homepage = "https://infisical.com/";
-      downloadPage = "https://github.com/Infisical/infisical/releases/";
-      license = licenses.mit;
-      maintainers = [ maintainers.ivanmoreau ];
-      platforms = [ "x86_64-linux" "x86_64-darwin" "aarch64-darwin" "aarch64-linux" ];
-    };
-  })
+  passthru = {
+    updateScript = ./update.sh;
+    tests.version = testers.testVersion { package = infisical; };
+  };
+
+  meta = with lib; {
+    description = "The official Infisical CLI";
+    longDescription = ''
+      Infisical is the open-source secret management platform:
+      Sync secrets across your team/infrastructure and prevent secret leaks.
+    '';
+    homepage = "https://infisical.com";
+    changelog = "https://github.com/infisical/infisical/releases/tag/infisical-cli%2Fv${version}";
+    license = licenses.mit;
+    mainProgram = "infisical";
+    maintainers = [ maintainers.ivanmoreau maintainers.jgoux ];
+    platforms = [
+      "x86_64-linux"
+      "aarch64-linux"
+      "aarch64-darwin"
+      "x86_64-darwin"
+    ];
+  };
+}