Package chef-vault as an hab package

.expeditor/verify.pipeline.yml

@@ -11,20 +11,6 @@ expeditor:
 
 steps:
 
-- label: run-specs-ruby-2.7
-  command:
-    - .expeditor/run_linux_tests.sh rake
-  expeditor:
-    executor:
-      docker:
-        image: ruby:2.7
-- label: run-specs-ruby-3.0
-  command:
-    - .expeditor/run_linux_tests.sh rake
-  expeditor:
-    executor:
-      docker:
-        image: ruby:3.0
 - label: run-specs-ruby-3.1
   command:
     - .expeditor/run_linux_tests.sh rake
@@ -33,21 +19,6 @@ steps:
       docker:
         image: ruby:3.1
 
-- label: run-specs-ruby-3.0-windows
-  command:
-    - .expeditor/run_windows_tests.ps1
-  expeditor:
-    executor:
-      docker:
-        host_os: windows
-        shell: ["powershell", "-Command"]
-        image: rubydistros/windows-2019:3.0
-        user: 'NT AUTHORITY\SYSTEM'
-        environment:
-          - FORCE_FFI_YAJL=ext
-          - EXPIRE_CACHE=true
-          - CHEF_LICENSE=accept-no-persist
-
 - label: run-specs-ruby-3.1-windows
   command:
     - .expeditor/run_windows_tests.ps1

.github/workflows/unit.yml

@@ -15,10 +15,10 @@ jobs:
     runs-on: ubuntu-18.04
     steps:
       - uses: actions/checkout@v2
-      - name: Set up ruby 2.7
+      - name: Set up ruby 3.1
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: 2.7
+          ruby-version: 3.1
           bundler-cache: true
       - name: run specs
         run: bundle exec rake spec --trace

Gemfile

@@ -5,6 +5,7 @@ gemspec
 group :development do
   gem "chefstyle"
   gem "rake"
+  gem "appbundler"
   if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("3.0.0")
     gem "contracts", "~> 0.16.1" # pin until we drop ruby < 2.7
     gem "chef-zero"
@@ -15,11 +16,11 @@ group :development do
   else
     gem "contracts", "~> 0.17"
     gem "chef-zero", ">= 15.0.4"
-    gem "chef", "~> 17.0"
+    gem "chef", ">= 18.5.0"
     gem "rspec", "~> 3.0"
     gem "aruba", "~> 2.2"
-    gem "knife", "~> 17.0"
-    gem "chef-utils", "17.10.68" # pin until we drop ruby >=3
+    gem "knife", "~> 18.0"
+    gem "chef-utils", ">= 18.5.0" # pin until we drop ruby >=3
   end
 end
 

Rakefile

@@ -1,6 +1,6 @@
 require "bundler/gem_tasks"
 
-WINDOWS_PLATFORM = %w{ x64-mingw32 x64-mingw-ucrt ruby }.freeze
+WINDOWS_PLATFORM = /mswin|win32|mingw/.freeze unless defined? WINDOWS_PLATFORM
 
 # Style Tests
 begin

chef-vault.gemspec

@@ -31,5 +31,5 @@ Gem::Specification.new do |s|
   s.bindir           = "bin"
   s.executables      = %w{ chef-vault }
 
-  s.required_ruby_version = ">= 2.7"
+  s.required_ruby_version = ">= 3.1"
 end

habitat/plan.ps1

@@ -0,0 +1,92 @@
+$ErrorActionPreference = "Stop"
+$PSDefaultParameterValues['*:ErrorAction']='Stop'
+
+$env:HAB_BLDR_CHANNEL = "LTS-2024"
+$pkg_name="chef-vault"
+$pkg_origin="chef"
+$pkg_version=$(Get-Content "$PLAN_CONTEXT/../VERSION")
+$pkg_maintainer="The Chef Maintainers <[email protected]>"
+
+$pkg_deps=@(
+  "chef/ruby31-plus-devkit"
+  "core/git"
+)
+$pkg_bin_dirs=@("bin"
+                "vendor/bin")
+$project_root= (Resolve-Path "$PLAN_CONTEXT/../").Path
+
+function pkg_version {
+    Get-Content "$SRC_PATH/VERSION"
+}
+
+function Invoke-Before {
+    Set-PkgVersion
+}
+function Invoke-SetupEnvironment {
+    Push-RuntimeEnv -IsPath GEM_PATH "$pkg_prefix/vendor"
+
+    Set-RuntimeEnv APPBUNDLER_ALLOW_RVM "true" # prevent appbundler from clearing out the carefully constructed runtime GEM_PATH
+    Set-RuntimeEnv FORCE_FFI_YAJL "ext"
+    Set-RuntimeEnv LANG "en_US.UTF-8"
+    Set-RuntimeEnv LC_CTYPE "en_US.UTF-8"
+}
+
+function Invoke-Build {
+    try {
+        $env:Path += ";c:\\Program Files\\Git\\bin"
+        Push-Location $project_root
+        $env:GEM_HOME = "$HAB_CACHE_SRC_PATH/$pkg_dirname/vendor"
+
+        Write-BuildLine " ** Configuring bundler for this build environment"
+        bundle config --local without integration deploy maintenance
+        bundle config --local jobs 4
+        bundle config --local retry 5
+        bundle config --local silence_root_warning 1
+        Write-BuildLine " ** Using bundler to retrieve the Ruby dependencies"
+        bundle install
+
+        gem build chef-vault.gemspec
+	    Write-BuildLine " ** Using gem to  install"
+	    gem install chef-vault*.gem --no-document
+
+        If ($lastexitcode -ne 0) { Exit $lastexitcode }
+    } finally {
+        Pop-Location
+    }
+}
+
+function Invoke-Install {
+    Write-BuildLine "** Copy built & cached gems to install directory"
+    Copy-Item -Path "$HAB_CACHE_SRC_PATH/$pkg_dirname/*" -Destination $pkg_prefix -Recurse -Force -Exclude @("gem_make.out", "mkmf.log", "Makefile",
+                     "*/latest", "latest",
+                     "*/JSON-Schema-Test-Suite", "JSON-Schema-Test-Suite")
+
+    try {
+        Push-Location $pkg_prefix
+        bundle config --local gemfile $project_root/Gemfile
+         Write-BuildLine "** generating binstubs for chef-vault with precise version pins"
+	 Write-BuildLine "** generating binstubs for chef-vault with precise version pins $project_root $pkg_prefix/bin " 
+            Invoke-Expression -Command "appbundler.bat $project_root $pkg_prefix/bin chef-vault"
+            If ($lastexitcode -ne 0) { Exit $lastexitcode }
+	Write-BuildLine " ** Running the chef-vault project's 'rake install' to install the path-based gems so they look like any other installed gem."
+
+        If ($lastexitcode -ne 0) { Exit $lastexitcode }
+    } finally {
+        Pop-Location
+    }
+}
+
+function Invoke-After {
+    # We don't need the cache of downloaded .gem files ...
+    Remove-Item $pkg_prefix/vendor/cache -Recurse -Force
+    # We don't need the gem docs.
+    Remove-Item $pkg_prefix/vendor/doc -Recurse -Force
+    # We don't need to ship the test suites for every gem dependency,
+    # only inspec's for package verification.
+    Get-ChildItem $pkg_prefix/vendor/gems -Filter "spec" -Directory -Recurse -Depth 1 `
+        | Where-Object -FilterScript { $_.FullName -notlike "*chef-vault*" }             `
+        | Remove-Item -Recurse -Force
+    # Remove the byproducts of compiling gems with extensions
+    Get-ChildItem $pkg_prefix/vendor/gems -Include @("gem_make.out", "mkmf.log", "Makefile") -File -Recurse `
+        | Remove-Item -Force
+}

habitat/plan.sh

@@ -0,0 +1,90 @@
+export HAB_BLDR_CHANNEL="LTS-2024"
+_chef_client_ruby="core/ruby3_1"
+pkg_name="chef-vault"
+pkg_origin="chef"
+pkg_maintainer="The Chef Maintainers <[email protected]>"
+pkg_description="Gem that allows you to encrypt a Chef Data Bag Item using the public keys of a list of chef nodes. This allows only those chef nodes to decrypt the encrypted values."
+pkg_license=('Apache-2.0')
+pkg_bin_dirs=(
+  bin
+  vendor/bin
+)
+pkg_build_deps=(
+  core/make
+  core/bash
+  core/gcc
+  core/libarchive
+)
+pkg_deps=(
+  $_chef_client_ruby
+  core/coreutils
+  core/git
+)
+pkg_svc_user=root
+
+pkg_version() {
+  cat "$SRC_PATH/VERSION"
+}
+
+do_before() {
+  update_pkg_version
+}
+
+do_unpack() {
+  mkdir -pv "$HAB_CACHE_SRC_PATH/$pkg_dirname"
+  cp -RT "$PLAN_CONTEXT"/.. "$HAB_CACHE_SRC_PATH/$pkg_dirname/"
+}
+
+do_build() {
+  echo $(pkg_path_for $_chef_client_ruby)
+  export GEM_HOME="$pkg_prefix/vendor/gems"
+
+  build_line "Setting GEM_PATH=$GEM_HOME"
+  export GEM_PATH="$GEM_HOME"
+  bundle config --local without integration deploy maintenance
+  bundle config --local jobs 4
+  bundle config --local retry 5
+  bundle config --local silence_root_warning 1
+  bundle install
+  gem build chef-vault.gemspec
+}
+
+do_install() {
+  export GEM_HOME="$pkg_prefix/vendor/gems"
+
+  build_line "Setting GEM_PATH=$GEM_HOME"
+  export GEM_PATH="$GEM_HOME"
+  gem install chef-vault-*.gem --no-document
+  wrap_ruby_chef_vault
+  set_runtime_env "GEM_PATH" "${pkg_prefix}/vendor/gems"
+}
+
+wrap_ruby_chef_vault() {
+  local bin="$pkg_prefix/bin/chef-vault"
+  local real_bin="$GEM_HOME/gems/chef-vault-${pkg_version}/bin/chef-vault"
+  wrap_bin_with_ruby "$bin" "$real_bin"
+}
+
+wrap_bin_with_ruby() {
+  local bin="$1"
+  local real_bin="$2"
+  build_line "Adding wrapper $bin to $real_bin"
+  cat <<EOF > "$bin"
+#!$(pkg_path_for core/bash)/bin/bash
+set -e
+
+# Set binary path that allows chef-vault to use non-Hab pkg binaries
+export PATH="/sbin:/usr/sbin:/usr/local/sbin:/usr/local/bin:/usr/bin:/bin:\$PATH"
+
+# Set Ruby paths defined from 'do_setup_environment()'
+export GEM_HOME="$pkg_prefix/vendor/gems"
+export GEM_PATH="\$GEM_HOME"
+
+exec $(pkg_path_for $_chef_client_ruby)/bin/ruby $real_bin \$@
+EOF
+  chmod -v 755 "$bin"
+}
+
+do_strip() {
+  return 0
+}