1 files changed, 123 insertions, 0 deletions
diff --git a/pkgs/development/compilers/dotnet/update.nix b/pkgs/development/compilers/dotnet/update.nix
new file mode 100644
index 0000000000000..89291d2461d8d
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/update.nix
@@ -0,0 +1,123 @@
+{ stdenvNoCC
+, lib
+, fetchurl
+, writeScript
+, nix
+, runtimeShell
+, curl
+, cacert
+, jq
+, yq
+, gnupg
+
+, releaseManifestFile
+, releaseInfoFile
+, allowPrerelease
+}:
+
+let
+  inherit (lib.importJSON releaseManifestFile) channel release;
+
+  pkg = stdenvNoCC.mkDerivation {
+    name = "update-dotnet-vmr-env";
+
+    nativeBuildInputs = [
+      nix
+      curl
+      cacert
+      jq
+      yq
+      gnupg
+    ];
+  };
+
+  releaseKey = fetchurl {
+    url = "https://dotnet.microsoft.com/download/dotnet/release-key-2023.asc";
+    hash = "sha256-F668QB55md0GQvoG0jeA66Fb2RbrsRhFTzTbXIX3GUo=";
+  };
+
+  drv = builtins.unsafeDiscardOutputDependency pkg.drvPath;
+
+in writeScript "update-dotnet-vmr.sh" ''
+  #! ${nix}/bin/nix-shell
+  #! nix-shell -i ${runtimeShell} --pure ${drv}
+  set -euo pipefail
+
+  query=$(cat <<EOF
+      map(
+          select(
+              ${lib.optionalString (!allowPrerelease) ".prerelease == false and"}
+              .draft == false and
+              (.name | startswith(".NET ${channel}")))) |
+      first | (
+          .name,
+          .tag_name,
+          (.assets |
+              .[] |
+              select(.name == "release.json") |
+              .browser_download_url),
+          (.assets |
+              .[] |
+              select(.name | endswith(".tar.gz.sig")) |
+              .browser_download_url))
+  EOF
+  )
+
+  (
+      curl -fsL https://api.github.com/repos/dotnet/dotnet/releases | \
+      jq -r "$query" \
+  ) | (
+      read name
+      read tagName
+      read releaseUrl
+      read sigUrl
+
+      if [[ "$name" == ".NET ${release}" ]]; then
+          >&2 echo "release is already $name"
+          exit
+      fi
+
+      tmp="$(mktemp -d)"
+      trap 'rm -rf "$tmp"' EXIT
+
+      tarballUrl=https://github.com/dotnet/dotnet/archive/refs/tags/$tagName.tar.gz
+
+      mapfile -t prefetch < <(nix-prefetch-url --print-path "$tarballUrl")
+      tarballHash=$(nix-hash --to-sri --type sha256 "''${prefetch[0]}")
+      tarball=''${prefetch[1]}
+
+      cd "$tmp"
+      curl -L "$sigUrl" -o release.sig
+
+      export GNUPGHOME=$PWD/.gnupg
+      gpg --batch --import ${releaseKey}
+      gpg --batch --verify release.sig "$tarball"
+
+      tar --strip-components=1 --no-wildcards-match-slash --wildcards -xzf "$tarball" \*/eng/Versions.props
+      artifactsVersion=$(xq -r '.Project.PropertyGroup |
+          map(select(.PrivateSourceBuiltArtifactsVersion))
+          | .[] | .PrivateSourceBuiltArtifactsVersion' eng/Versions.props)
+
+      if [[ "$artifactsVersion" != "" ]]; then
+          artifactsUrl=https://dotnetcli.azureedge.net/source-built-artifacts/assets/Private.SourceBuilt.Artifacts.$artifactsVersion.centos.8-x64.tar.gz
+      else
+          artifactsUrl=$(xq -r '.Project.PropertyGroup |
+              map(select(.PrivateSourceBuiltArtifactsUrl))
+              | .[] | .PrivateSourceBuiltArtifactsUrl' eng/Versions.props)
+      fi
+
+      artifactsHash=$(nix-hash --to-sri --type sha256 "$(nix-prefetch-url "$artifactsUrl")")
+
+      jq --null-input \
+          --arg _0 "$tarballHash" \
+          --arg _1 "$artifactsUrl" \
+          --arg _2 "$artifactsHash" \
+          '{
+              "tarballHash": $_0,
+              "artifactsUrl": $_1,
+              "artifactsHash": $_2,
+          }' > "${toString releaseInfoFile}"
+
+      curl -fsL "$releaseUrl" -o ${toString releaseManifestFile}
+  )
+''