build: review the build script [skip ci]

1. make it work on macOS hosts
2. add quoting to paths to prevent failures if user was foolish
   enough to put the repo on a path with spaces
3. use -o pipefail for robustness
4. use wget --no-config to prevent surprises from ~/.wgetrc
5. add --init to docker run for better signals
6. detect effective USER:GROUP like a grown up
7. break fs download url into multiple configurable parts
8. make the script independent on launch location
9. build: generate nix-shell scripts with HEREDOC
9.1. this is easier on eyes, one could review generated script in ./build
9.2. we don't have to escape quotes and chain commands with &&
9.4. added some extra quoting for user-specified values

build-docker.sh

@@ -1,27 +1,31 @@
 #!/usr/bin/env bash
-set -e
+set -e -o pipefail
 
-CONTAINER_NAME=trezor-firmware-env.nix
+cd "$(dirname "${BASH_SOURCE[0]}")"
+
+CONTAINER_NAME=${CONTAINER_NAME:-trezor-firmware-env.nix}
+ALPINE_CDN=${ALPINE_CDN:-http://dl-cdn.alpinelinux.org/alpine}
+ALPINE_RELEASE=${ALPINE_RELEASE:-3.12}
+ALPINE_ARCH=${ALPINE_ARCH:-x86_64}
+ALPINE_VERSION=${ALPINE_VERSION:-3.12.0}
+CONTAINER_FS_URL=${CONTAINER_FS_URL:-"$ALPINE_CDN/v$ALPINE_RELEASE/releases/$ALPINE_ARCH/alpine-minirootfs-$ALPINE_VERSION-$ALPINE_ARCH.tar.gz"}
 
 TAG=${1:-master}
-REPOSITORY=${2:-local}
+REPOSITORY=${2:-/local}
 PRODUCTION=${PRODUCTION:-1}
 MEMORY_PROTECT=${MEMORY_PROTECT:-1}
 
-if [ "$REPOSITORY" = "local" ]; then
+wget --no-config -nc -P ci/ "$CONTAINER_FS_URL"
-  REPOSITORY=file:///local/
-else
-  REPOSITORY=https://github.com/$REPOSITORY/trezor-firmware.git
-fi
-
-wget -nc -P ci/ http://dl-cdn.alpinelinux.org/alpine/v3.12/releases/x86_64/alpine-minirootfs-3.12.0-x86_64.tar.gz
 docker build -t "$CONTAINER_NAME" ci/
 
-USER=$(ls -lnd . | awk '{ print $3 }')
+# stat under macOS has slightly different cli interface
-GROUP=$(ls -lnd . | awk '{ print $4 }')
+USER=$(stat -c "%u" . 2>/dev/null || stat -f "%u" .)
+GROUP=$(stat -c "%g" . 2>/dev/null || stat -f "%g" .)
 
-mkdir -p $(pwd)/build/core $(pwd)/build/legacy
+mkdir -p build/core build/legacy
-mkdir -p $(pwd)/build/core-bitcoinonly $(pwd)/build/legacy-bitcoinonly
+mkdir -p build/core-bitcoinonly build/legacy-bitcoinonly
+
+DIR=$(pwd)
 
 # build core
 
@@ -30,26 +34,34 @@ for BITCOIN_ONLY in 0 1; do
   DIRSUFFIX=${BITCOIN_ONLY/1/-bitcoinonly}
   DIRSUFFIX=${DIRSUFFIX/0/}
 
+  SCRIPT_NAME=".build_core_$BITCOIN_ONLY.sh"
+  cat <<EOF > "build/$SCRIPT_NAME"
+    # DO NOT MODIFY!
+    # this file was generated by ${BASH_SOURCE[0]}
+    # variant: core build BITCOIN_ONLY=$BITCOIN_ONLY
+    set -e -o pipefail
+    cd /tmp
+    git clone "$REPOSITORY" trezor-firmware
+    cd trezor-firmware/core
+    ln -s /build build
+    git checkout "$TAG"
+    git submodule update --init --recursive
+    poetry install
+    poetry run make clean vendor build_firmware
+    poetry run ../python/tools/firmware-fingerprint.py \
+               -o build/firmware/firmware.bin.fingerprint \
+               build/firmware/firmware.bin
+    chown -R $USER:$GROUP /build
+EOF
+
   docker run -it --rm \
-    -v $(pwd):/local \
+    -v "$DIR:/local" \
-    -v $(pwd)/build/core"${DIRSUFFIX}":/build:z \
+    -v "$DIR/build/core$DIRSUFFIX":/build:z \
     --env BITCOIN_ONLY="$BITCOIN_ONLY" \
     --env PRODUCTION="$PRODUCTION" \
+    --init \
     "$CONTAINER_NAME" \
-    /nix/var/nix/profiles/default/bin/nix-shell --run "\
+    /nix/var/nix/profiles/default/bin/nix-shell --run "bash /local/build/$SCRIPT_NAME"
-      cd /tmp && \
-      git clone $REPOSITORY trezor-firmware && \
-      cd trezor-firmware/core && \
-      ln -s /build build &&
-      git checkout $TAG && \
-      git submodule update --init --recursive && \
-      poetry install && \
-      poetry run make clean vendor build_firmware && \
-      poetry run ../python/tools/firmware-fingerprint.py \
-          -o build/firmware/firmware.bin.fingerprint \
-          build/firmware/firmware.bin && \
-      chown -R $USER:$GROUP /build"
-
 done
 
 # build legacy
@@ -59,28 +71,37 @@ for BITCOIN_ONLY in 0 1; do
   DIRSUFFIX=${BITCOIN_ONLY/1/-bitcoinonly}
   DIRSUFFIX=${DIRSUFFIX/0/}
 
+  SCRIPT_NAME=".build_legacy_$BITCOIN_ONLY.sh"
+  cat <<EOF > "build/$SCRIPT_NAME"
+    # DO NOT MODIFY!
+    # this file was generated by ${BASH_SOURCE[0]}
+    # variant: legacy build BITCOIN_ONLY=$BITCOIN_ONLY
+    set -e -o pipefail
+    cd /tmp
+    git clone "$REPOSITORY" trezor-firmware
+    cd trezor-firmware/legacy
+    ln -s /build build
+    git checkout "$TAG"
+    git submodule update --init --recursive
+    poetry install
+    poetry run script/cibuild
+    mkdir -p build/firmware
+    cp firmware/trezor.bin build/firmware/firmware.bin
+    cp firmware/trezor.elf build/firmware/firmware.elf
+    poetry run ../python/tools/firmware-fingerprint.py \
+               -o build/firmware/firmware.bin.fingerprint \
+               build/firmware/firmware.bin
+    chown -R $USER:$GROUP /build
+EOF
+
   docker run -it --rm \
-    -v $(pwd):/local \
+    -v "$DIR:/local" \
-    -v $(pwd)/build/legacy"${DIRSUFFIX}":/build:z \
+    -v "$DIR/build/legacy$DIRSUFFIX":/build:z \
     --env BITCOIN_ONLY="$BITCOIN_ONLY" \
     --env MEMORY_PROTECT="$MEMORY_PROTECT" \
+    --init \
     "$CONTAINER_NAME" \
-    /nix/var/nix/profiles/default/bin/nix-shell --run "\
+    /nix/var/nix/profiles/default/bin/nix-shell --run "bash /local/build/$SCRIPT_NAME"
-      cd /tmp && \
-      git clone $REPOSITORY trezor-firmware && \
-      cd trezor-firmware/legacy && \
-      ln -s /build build &&
-      git checkout $TAG && \
-      git submodule update --init --recursive && \
-      poetry install && \
-      poetry run script/cibuild && \
-      mkdir -p build/firmware && \
-      cp firmware/trezor.bin build/firmware/firmware.bin && \
-      cp firmware/trezor.elf build/firmware/firmware.elf && \
-      poetry run ../python/tools/firmware-fingerprint.py \
-          -o build/firmware/firmware.bin.fingerprint \
-          build/firmware/firmware.bin && \
-      chown -R $USER:$GROUP /build"
 
 done