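#!/usr/bin/env bash
#
# Build the morph deployment and run vulnix over the resulting store path,
# writing the report to the file named by $1.
#
# `morph build ...` output is like
#
# Selected 2/2 hosts (name filter:-0, limits:-0):
#   0: xx.xx.xx.xx (secrets: 1, health checks: 0)
#   1: yy.yy.yy.yy (secrets: 2, health checks: 0)
#
# /nix/store/d7spc457nnzh0rnv0f5lh1q2j435j1b9-morph
# nix result path:
# /nix/store/d7spc457nnzh0rnv0f5lh1q2j435j1b9-morph
#
# Get the last line so we can scan it.
#
# `set -o pipefail` is not guaranteed under /bin/sh (dash rejects the
# option), so the script targets bash explicitly.
set -xeuo pipefail

# Report destination. Fail here with a usage message rather than letting the
# final `tee ""` fail after the build has already run.
OUTPUT=${1:?usage: $0 OUTPUT_FILE}

# `[ -e ]` follows symlinks, so a dangling scan-target left behind by an
# earlier run (store path gone) would not be removed and `ln -s` below would
# fail with "File exists". `rm -f` removes whatever is there, link or not,
# and succeeds when nothing is.
rm -fv -- scan-target

nix-shell --run '
set -x
if morph_result=$(morph build morph/grid/testing/grid.nix 2>&1); then
    object=$(printf "%s\n" "$morph_result" | tail -n 1)
    # Only link an existing path: the vulnix step ignores its own exit
    # status, so a dangling scan-target would let the job "pass" with
    # nothing scanned.
    if [ ! -e "$object" ]; then
        printf "morph build output did not end in a result path: %s\n" "$object" >&2
        exit 1
    fi
    ln -s -- "$object" scan-target
else
    printf "%s\n" "$morph_result"
    exit 1
fi
'

# vulnix exits with an error status if there are vulnerabilities. we don't
# want to fail the job in that case because then we can't see the report.
# Note that `|| true` also hides scan errors, which is why the scan target
# is validated before it is linked above.
nix-shell -p vulnix --run 'vulnix ./scan-target/ || true' | tee "$OUTPUT"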