chore: migrate scripts generated by runCommand to writeShellApplication

`writeShellApplication` avoids substitute commands, provides the correct
package metadata and make sure that all scripts are shellcheked.

Author: jfroche

nix/apps.nix

@@ -1,32 +1,32 @@
 { ... }:
 {
   perSystem =
-    { self', ... }:
+    { self', lib, ... }:
     let
-      mkApp = attrName: binName: {
+      mkApp = attrName: {
         type = "app";
-        program = "${self'.packages."${attrName}"}/bin/${binName}";
+        program = lib.getExe self'.packages."${attrName}";
       };
     in
     {
       # Apps is a list of names of things that can be executed with 'nix run';
       # these are distinct from the things that can be built with 'nix build',
       # so they need to be listed here too.
       apps = {
-        start-server = mkApp "start-server" "start-postgres-server";
-        start-client = mkApp "start-client" "start-postgres-client";
-        start-replica = mkApp "start-replica" "start-postgres-replica";
-        # migrate-postgres = mkApp "migrate-tool" "migrate-postgres";
-        # sync-exts-versions = mkApp "sync-exts-versions" "sync-exts-versions";
-        pg-restore = mkApp "pg-restore" "pg-restore";
-        local-infra-bootstrap = mkApp "local-infra-bootstrap" "local-infra-bootstrap";
-        dbmate-tool = mkApp "dbmate-tool" "dbmate-tool";
-        update-readme = mkApp "update-readme" "update-readme";
-        show-commands = mkApp "show-commands" "show-commands";
-        build-test-ami = mkApp "build-test-ami" "build-test-ami";
-        run-testinfra = mkApp "run-testinfra" "run-testinfra";
-        cleanup-ami = mkApp "cleanup-ami" "cleanup-ami";
-        trigger-nix-build = mkApp "trigger-nix-build" "trigger-nix-build";
+        start-server = mkApp "start-server";
+        start-client = mkApp "start-client";
+        start-replica = mkApp "start-replica";
+        # migrate-postgres = mkApp "migrate-tool";
+        # sync-exts-versions = mkApp "sync-exts-versions";
+        pg-restore = mkApp "pg-restore";
+        local-infra-bootstrap = mkApp "local-infra-bootstrap";
+        dbmate-tool = mkApp "dbmate-tool";
+        update-readme = mkApp "update-readme";
+        show-commands = mkApp "show-commands";
+        build-test-ami = mkApp "build-test-ami";
+        run-testinfra = mkApp "run-testinfra";
+        cleanup-ami = mkApp "cleanup-ami";
+        trigger-nix-build = mkApp "trigger-nix-build";
       };
     };
 }

nix/packages/build-test-ami.nix

@@ -1,23 +1,29 @@
-{ pkgs, runCommand }:
-runCommand "build-test-ami"
-  {
-    buildInputs = with pkgs; [
-      packer
-      awscli2
-      yq
-      jq
-      openssl
-      git
-      coreutils
-      aws-vault
-    ];
-  }
-  ''
-    mkdir -p $out/bin
-    cat > $out/bin/build-test-ami << 'EOL'
-    #!/usr/bin/env bash
-    set -euo pipefail
-
+{
+  writeShellApplication,
+  packer,
+  awscli2,
+  yq,
+  jq,
+  openssl,
+  gitMinimal,
+  coreutils,
+  aws-vault,
+  python3,
+}:
+writeShellApplication {
+  name = "build-test-ami";
+  runtimeInputs = [
+    packer
+    awscli2
+    yq
+    jq
+    openssl
+    gitMinimal
+    coreutils
+    aws-vault
+    python3
+  ];
+  text = ''
     show_help() {
       cat << EOF
     Usage: build-test-ami [--help] <postgres-version>
@@ -52,30 +58,6 @@ runCommand "build-test-ami"
       exit 0
     fi
 
-    export PATH="${
-      pkgs.lib.makeBinPath (
-        with pkgs;
-        [
-          packer
-          awscli2
-          yq
-          jq
-          openssl
-          git
-          coreutils
-          aws-vault
-        ]
-      )
-    }:$PATH"
-
-    # Check for required tools
-    for cmd in packer aws-vault yq jq openssl; do
-      if ! command -v $cmd &> /dev/null; then
-        echo "Error: $cmd is required but not found"
-        exit 1
-      fi
-    done
-
     # Check AWS Vault profile
     if [ -z "''${AWS_VAULT:-}" ]; then
       echo "Error: AWS_VAULT environment variable must be set with the profile name"
@@ -140,18 +122,18 @@ runCommand "build-test-ami"
     VENV_DIR=$(mktemp -d)
     trap 'rm -rf "$VENV_DIR"' EXIT HUP INT QUIT TERM
     python3 -m venv "$VENV_DIR"
+    # shellcheck source=/dev/null
     source "$VENV_DIR/bin/activate"
 
     # Install required Python packages
     echo "Installing required Python packages..."
-    pip install boto3 boto3-stubs[essential] docker ec2instanceconnectcli pytest paramiko requests
+    pip install boto3 'boto3-stubs[essential]' docker ec2instanceconnectcli pytest paramiko requests
 
     # Run the tests with aws-vault
     echo "Running tests for AMI: $RANDOM_STRING using AWS Vault profile: $AWS_VAULT_PROFILE"
-    aws-vault exec $AWS_VAULT_PROFILE -- pytest -vv -s testinfra/test_ami_nix.py
+    aws-vault exec "$AWS_VAULT_PROFILE" -- pytest -vv -s testinfra/test_ami_nix.py
 
     # Deactivate virtual environment (cleanup is handled by trap)
     deactivate
-    EOL
-    chmod +x $out/bin/build-test-ami
-  ''
+  '';
+}

nix/packages/cleanup-ami.nix

@@ -1,35 +1,15 @@
-{ pkgs, runCommand }:
-runCommand "cleanup-ami"
-  {
-    buildInputs = with pkgs; [
-      awscli2
-      aws-vault
-    ];
-  }
-  ''
-    mkdir -p $out/bin
-    cat > $out/bin/cleanup-ami << 'EOL'
-    #!/usr/bin/env bash
-    set -euo pipefail
-
-    export PATH="${
-      pkgs.lib.makeBinPath (
-        with pkgs;
-        [
-          awscli2
-          aws-vault
-        ]
-      )
-    }:$PATH"
-
-    # Check for required tools
-    for cmd in aws-vault; do
-      if ! command -v $cmd &> /dev/null; then
-        echo "Error: $cmd is required but not found"
-        exit 1
-      fi
-    done
-
+{
+  writeShellApplication,
+  awscli2,
+  aws-vault,
+}:
+writeShellApplication {
+  name = "cleanup-ami";
+  runtimeInputs = [
+    awscli2
+    aws-vault
+  ];
+  text = ''
     # Check AWS Vault profile
     if [ -z "''${AWS_VAULT:-}" ]; then
       echo "Error: AWS_VAULT environment variable must be set with the profile name"
@@ -56,6 +36,5 @@ runCommand "cleanup-ami"
           aws ec2 deregister-image --region $REGION --image-id "$ami_id" || true
         done
     done
-    EOL
-    chmod +x $out/bin/cleanup-ami
-  ''
+  '';
+}