From 59921e79a26bfce40bc591c260684afa63a8e641 Mon Sep 17 00:00:00 2001
From: Cameron Smith
Date: Tue, 14 May 2024 18:33:58 -0400
Subject: [PATCH] ratchet: init at 0.9.2
Signed-off-by: Cameron Smith
---
pkgs/by-name/ra/ratchet/package.nix | 70 +++++++++++++++++++++++++++++
pkgs/by-name/ra/ratchet/tests.nix | 17 +++++++
2 files changed, 87 insertions(+)
create mode 100644 pkgs/by-name/ra/ratchet/package.nix
create mode 100644 pkgs/by-name/ra/ratchet/tests.nix
diff --git a/pkgs/by-name/ra/ratchet/package.nix b/pkgs/by-name/ra/ratchet/package.nix
new file mode 100644
index 000000000000..627ba522491f
--- /dev/null
+++ b/pkgs/by-name/ra/ratchet/package.nix
@@ -0,0 +1,70 @@
+{
+ lib,
+ buildGoModule,
+ fetchFromGitHub,
+ callPackage,
+}:
+buildGoModule rec {
+ pname = "ratchet";
+ version = "0.9.2";
+
+ # ratchet uses the git sha-1 in the version string, e.g.
+ #
+ # $ ./ratchet --version
+ # ratchet 0.9.2 (d57cc1a53c022d3f87c4820bc6b64384a06c8a07, darwin/arm64)
+ #
+ # so we need to either hard-code the sha-1 corresponding to the version tag
+ # head or retain the git metadata folder and extract it using the git cli.
+ # We currently hard-code it.
+ src = fetchFromGitHub {
+ owner = "sethvargo";
+ repo = "ratchet";
+ rev = "d57cc1a53c022d3f87c4820bc6b64384a06c8a07";
+ hash = "sha256-gQ98uD9oPUsECsduv/lqGdYNmtHetU49ETfWCE8ft8U=";
+ };
+
+ proxyVendor = true;
+ vendorHash = "sha256-J7LijbhpKDIfTcQMgk2x5FVaYG7Kgkba/1aSTmgs5yw=";
+
+ subPackages = [ "." ];
+
+ ldflags =
+ let
+ package_url = "github.com/sethvargo/ratchet";
+ in
+ [
+ "-s"
+ "-w"
+ "-X ${package_url}/internal/version.name=${pname}"
+ "-X ${package_url}/internal/version.version=${version}"
+ "-X ${package_url}/internal/version.commit=${src.rev}"
+ ];
+
+ doInstallCheck = true;
+ installCheckPhase = ''
+ $out/bin/ratchet --version 2>&1 | grep ${version};
+ '';
+
+ installPhase = ''
+ runHook preInstall
+ mkdir -p $out/bin
+ install -Dm755 "$GOPATH/bin/ratchet" -T $out/bin/ratchet
+ runHook postInstall
+ '';
+
+ passthru.tests = {
+ execution = callPackage ./tests.nix { };
+ };
+
+ meta = with lib; {
+ description = "A tool for securing CI/CD workflows with version pinning.";
+ mainProgram = "ratchet";
+ downloadPage = "https://github.com/sethvargo/ratchet";
+ homepage = "https://github.com/sethvargo/ratchet";
+ license = licenses.asl20;
+ maintainers = with maintainers; [
+ cameronraysmith
+ ryanccn
+ ];
+ };
+}
diff --git a/pkgs/by-name/ra/ratchet/tests.nix b/pkgs/by-name/ra/ratchet/tests.nix
new file mode 100644
index 000000000000..7585c06d9172
--- /dev/null
+++ b/pkgs/by-name/ra/ratchet/tests.nix
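Review bot: The `installCheckPhase` cannot detect a stale `rev`: the `${version}` it greps for is the same attribute that `ldflags` stamps into the binary with `-X ${package_url}/internal/version.version=${version}`, so a bump of `version` that leaves `rev` and `hash` untouched would presumably still build the old commit and pass the check. Because `rev` is a bare SHA and nothing derives it from `version`, I would add a reminder directly above it, e.g. `# must be the commit the release tag for this version points to; update rev, hash and version together`. Separately, `grep ${version}` treats the dots as regex wildcards; `grep -F ${version}` matches the string literally.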
@@ -0,0 +1,17 @@
+{
+ lib,
+ runCommand,
+ ratchet,
+}: let
+ inherit (ratchet) pname version;
+in
+ runCommand "${pname}-tests" {meta.timeout = 60;}
+ ''
+ set -euo pipefail
+
+ # Ensure ratchet is executable
+ ${ratchet}/bin/ratchet --version
+ ${ratchet}/bin/ratchet --help
+
+ touch $out
+ ''
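Review bot: `lib` in the argument set and `version` in the `inherit` are bound but never used in this file; `{ runCommand, ratchet }:` and `inherit (ratchet) pname;` would be enough. If `version` is meant to be used, the `--version` line could assert on it, e.g. `${ratchet}/bin/ratchet --version 2>&1 | grep -F "${version}"`, which is safe under the `set -euo pipefail` already in the script. As written the test only shows that the binary starts, which the `installCheckPhase` in package.nix already covers.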