• should naked paths really be treated as caches? maybe a 'cache root' would be more appropriate now that path roots are a thing?
• figure out how to express locking semantics (buildkit supports 'locked' for synchronized access or 'shared' for concurrent - what is Bass setting?)

d'oh

should probably not do that anymore

idea: lexically analyze and recurse through any (use) or (import) calls

path-name?

$ go install github.com/vito/bass/cmd/...@latest

go install github.com/vito/bass/cmd/...@latest: github.com/vito/[email protected]
	The go.mod file for the module providing named packages contains one or
	more replace directives. It must not contain directives that would cause
	it to be interpreted differently than if it were the main module.

I'm on go version go1.16 linux/amd64 on ubuntu 20.04.

Bass looks awesome, thank you for making it!

too useful of a binding for regular code

It's kinda weird that it's just straight up JSON.

Related question: should Bass scripts support reading/writing protocols other than JSON?

Bass uses Buildkit as its default runtime, but it's Linux only. Bass itself is easy to compile and run on macOS (the nightly release already includes binaries for it), but it will need to talk to a Buildkit server over TCP.

I think this could be done using Lima but I don't currently have access to a Mac to dev/test this on.

Also need to make the Buildkit address configurable.

• write Lima config, have bass autodetect buildkitd
• detect appropriate platform via remote buildkitd
• update README
• add bass --prune

Looks like it's keeping the output limit til the very end.

Cache mounts would help alleviate pain from fetching dependencies, hitting rate limits and just plain ol' taking time.

Buildkit supports this; you just have to provide a cache ID. What should this value be? What is its scope? We obviously want it to span multiple runs, but how do we do that while preventing collisions?

A modest proposal: given that these are effectively global IDs, we could treat it like a global filesystem. When a local path is given to with-mount, it could be conceptualized as a path in a logical global cache filesystem. Under the hood it would just be a string passed to buildkitd that happens to look like a filesystem path. This approach keeps the interface just (with-mount thunk path fspath) instead of calling it a 'cache'.

Use case: storing planned GitHub release title as a file in the repo and passing it to gh release create --title.

There's precedent for this in the (yaml-decode) builtin.

I would like to be able to run a command and collect its entire stdout as one big string so that I can print it even if the thunk is cached.

Use case: generating coverage reports using CLIs which print human-friendly colorful output. If I run it, accidentally clear/truncate the output, and run it again, I'd like to see the coverage report printed. I could do this by setting the response protocol to :raw or something, which would return the output as the first response value, which could then be (print)ed by the script.

Side task: does it make sense for this to also change stdin to raw? i.e. thunk stdin should contain strings to write verbatim to stdin?

Right now Bass is strongly opinionated in preventing any access to the host filesystem (see #6).

With the recent pivot to an image building centric workflow in 9b78421, there is no longer a dependency on image registry push/pull. I think it'd be nice to extend that to local code so that I don't have to repeatedly git push as part of the feedback loop.

The obvious limitation will be that thunks built from local data will not be able to be published in JSON form, but that's not really a goal for local iteration anyway. As long as the failure mode is obvious I don't see why we couldn't just support both.

Caching should be aggressive and accurate so that only changes to files I care about will bust the cache. (.bassignore).

Access to local paths should be read-only (or copy-on-write), and the patterns for accessing it should encourage safety, enforcing it to whatever extent is possible. Untrusted Bass scripts should not be able to easily read arbitrary files.

There should be a clean practice for re-using Bass scripts for building from local code + reproducible code in CI.

only the output directory is captured; modifications to inputs do not propagate (mainly affects chaining (from))

see comments in #32

• add an interface for friendly errors to implement
• when a non-friendly error bubbles up to bass.WriteError, suggest reporting an issue, or help automate it

• implement a language server, bass-lsp
• vim syntax
• treesitter parser?
• wires up bass-lsp

Until then, here's the config I'm using - it basically hijacks the Clojure config, so you may want to disable that:

lua <<EOF
local configs = require('lspconfig/configs')
local util = require('lspconfig/util')

configs.bass = {
  default_config = {
    cmd = { 'bass-lsp' },
    root_dir = util.root_pattern('.git'),
    filetypes = { 'clojure' }
  },

  docs = {
    description = [[https://github.com/vito/bass]],
  },
};
EOF

autocmd! BufEnter *.bass setlocal ft=clojure lispwords+=job,def,op,defop,defn,defcmd,provide

I whipped up the shim builder really quickly and never closed this loop - it probably shouldn't just go and fetch that image, it should be more controlled. Maybe it should even be pre-built and mounted in.

Right now the Buildkit runtime just forwards status updates directly through to progrock (the types are the same), which is easy but some things will probably seem confusing to the end-user.

• shim building is noisy
• shim executable wrapping the command will look confusing
• exporting to client isn't super clear
• probably some other stuff

Looks like I can use use llb.WithCustomName to fix some of this.

Now that I'm using Bass in two projects (Bass + Booklit) I'm finding myself wanting to reuse a lot of code.

How should this be designed?

It's already possible to fetch libraries and load them using a thunk, but I'd like to not have to write that code multiple times. So it should probably be built in to Bass, maybe as part of stdlib.

Need a way to pass secrets into bass scripts in a way that keeps them safe.

• Decide the default approach for obtaining secret values
• Artifact thunks should not contain secrets in plaintext when encoded to JSON
• Consider censoring known secret values from the script's logs
• Try to prevent footguns with secret usage

Risks to mitigate:

• Committing plaintext secrets into source control
• Printing plaintext secrets to the console UI
• Leaving plaintext secrets in shell history

Goals to consider:

• Easy to scope secrets to workspaces/projects/something
• Fetching from a secret manager (e.g. Vault)
• Supporting interval-based credential rotation without it resulting in mass cache invalidation
• Fetching secret values as close to usage time as possible to support short expirations

Non-goals:

• Don't get too opinionated about best practices - if the barrier to entry is too high, folks may take shortcuts are less safe than a safe-but-not-100%-perfect workflow.

I'm testing the ability of bass to do aggressive caching on a large project that need to be compiled multiple times, and within one step of the compilation, minor predictable changes need to be applied (some constants in a certain file needs to be changed every time). I'm thinking of generating the required files locally, then mounting the files into the container with with-mount <trunk> ./local-dir ./src) but it seems to result in a empty directory being mounted. Is there a method to achieve this, or by design bass require a fixed source from a fixed input?

BTW, this is my first time writing that much Lisp, feel free to point out if I've done something wrong.

I'd like everything to have solid godocs, but I've been skipping this until ideas start to settle so I'm not wasting too much time.

drakeno: <thunk: 946a7e4c59c7ed13cb1e33e78eb201f7cbf715da>
drakeyes: <thunk: (.load "alpine/git")>

Excited to kick the tires on bass!

As per the instructions on the home page, I attempted to install bass with the go get command and was met with an error. I'm not really familiar with Go these days so perhaps I did something wrong.

$ go install github.com/vito/bass/cmd/...@latest
go: downloading github.com/vito/bass v0.0.0-20220103020353-a43629f9cd39
go install: github.com/vito/bass/cmd/...@latest (in github.com/vito/[email protected]):
	The go.mod file for the module providing named packages contains one or
	more replace directives. It must not contain directives that would cause
	it to be interpreted differently than if it were the main module.

I'm on macOS Big Sur 11.6.2 and am happy to provide other info or try out something else to lend a hand with troubleshooting.

Thanks,
+Jonathan

primarily to free up 'stream' for local bindings

Right now it's entirely ad hoc. Obviously there are no guarantees pre-1.0, but it's worth taking a step back before shipping anything.

I find myself disabling it all the time. It's pretty obnoxious and doesn't show me as much output in a small terminal.

runtimes/command.go L211 loops to make paths relative to the thunk's working directory, but it has a stop condition on dir != "." which seems to assume dir is always relative, and might go into an infinite loop otherwise

Right now if you run a thunk with multiple env vars multiple times it will not be cached properly as the order of the env vars may change each time.

related: #46

Right now it's just turned into {:repository str} so you have to set the full image info:

(from {:repository "golang" :tag "1.17"})

It would be nice if you could do this instead:

(from  "golang:1.17")

for symmetry

op -> operative
fn -> function
defop -> define operative
defn -> define function

• wait for DNS changes to propagate
• finish verifying domain
• wait for a certificate to be issued
• enable HTTPS
• update references to vito.github.io/bass

too commonly used as a local var name

also slightly weird that it exists at all

error! call trace (oldest first):

  5. /home/vito/src/booklit/ci/build.bass:1     (def [ref version] (case *args* () ["...
  4. /home/vito/src/booklit/ci/build.bass:4     (case *args* () ["HEAD" "0.0.0-dev"] ...
  2. (2 internal calls elided)
  1. /home/vito/src/booklit/ci/build.bass:4     *args*

unbound symbol: *args*

Should just bind it to [].

Loose image references would be a common way to introduce instability into your build graph.

Currently image references are resolved at the runtime layer, and the digests are cached in ~/.cache/bass/refs.db to prevent hitting Docker Hub's aggressive rate limits.

This makes thunks not as reproducible as they could be, because their image may resolve to a different digest on a different machine or at a different time (if refs.db is cleared).

Some early ideas:

• instead of storing ref digests in refs.db, store them in some sort of bass.lock file local to the repo
• instead of resolving digests at the runtime layer, resolve them ahead of time to ensure thunks are always pinned
• have the runtime return the set of digests it resolved, somehow

Ideally thunks would have digests embedded as soon as possible, because some scripts emit them directly to *stdout* without even running them.

Trade-offs to consider:

• Bass doesn't technically know anything about image resolution, so doing it ahead-of-time might mean changing that.
• Relying on the runtime layer to update .lock feels like it pokes holes through several abstraction layers. But I guess that's just a code problem; it could be abstracted away behind a callback or something.

Right now digests save in a refs.db file somewhere in the user's home directory (I don't remember which XDG dir it is).

I think it'd be nicer to turn that into a .lock file local to the repository that can be committed and pushed to track exact versions.

• how do we figure out where the file is/should be created?
• what goes into the .lock file? (image digests? libraries?)
• how are dependencies removed?
• how are dependencies bumped?

that was like one of the first pieces of code ever written and it is not up to par lol