build: Patch the git-lfs hooks shebangs in `git-fetch'.

This reverts commit b6a070d2a3c059c1a574dc4048fb8f942e008799, which patched
git-lfs so its hooks would refer to a 'sh' from the store, but this reference
was at risk of going stale since the hooks are installed and preserved outside
the store.  The shebangs are now patched in the `git-fetch' procedure
directly.

* guix/scripts/perform-download.scm (perform-git-download): Expand comment.
* guix/git-download.scm (bash-package): New variable.
(git-fetch/in-band*): Add #:bash argument.
(git-fetch-builder): Add it to `inputs', so that it gets added to PATH.
* guix/build/git.scm (git-fetch): Substitute /bin/bash in the post-checkout
git-lfs hook shebang.

Fixes: https://codeberg.org/guix/guix/issues/5616
Reported-by: Simon Josefsson <simon@josefsson.org>
Change-Id: Ife81737705bef5d0a1edad307ed77a479af4609e

4 files changed, 20 insertions, 10 deletions

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index b54e296bcc3..f5db84f16c3 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -3953,11 +3953,6 @@ matching.")
       #:test-flags #~(list "-skip" "TestHistoryRewriterUpdatesRefs")
       #:phases
       #~(modify-phases %standard-phases
-          (add-after 'unpack 'patch-/bin/sh
-            (lambda* (#:key inputs #:allow-other-keys)
-              (substitute* "src/github.com/git-lfs/git-lfs/v3/lfs/hook.go"
-                (("/bin/sh")
-                 (search-input-file inputs "bin/sh")))))
           ;; Only build the man pages if ruby-asciidoctor is available.
           #$@(if (this-package-native-input "ruby-asciidoctor")
                  #~((add-before 'build 'man-gen
diff --git a/guix/build/git.scm b/guix/build/git.scm
index 07478373750..98077fe8be3 100644
--- a/guix/build/git.scm
+++ b/guix/build/git.scm
@@ -73,7 +73,13 @@ fetched, recursively.  Return #t on success, #f otherwise."
 
         (when lfs?
           (setenv "HOME" "/tmp")
-          (invoke git-command "lfs" "install"))
+          (invoke git-command "lfs" "install")
+          ;; Substitute the git-lfs hooks shebangs.  These can't be patched
+          ;; in-package because the hooks are installed and the commands
+          ;; referenced in their shebangs could become stale.
+          (substitute* ".git/hooks/post-checkout"
+            (("^#!/bin/sh")
+             (string-append "#!" (which "sh")))))
 
         (if (zero? (system* git-command "fetch" "--depth" "1" "--" "origin" commit))
             (invoke git-command "checkout" "FETCH_HEAD")
diff --git a/guix/git-download.scm b/guix/git-download.scm
index 6d96e63f009..609382eba11 100644
--- a/guix/git-download.scm
+++ b/guix/git-download.scm
@@ -77,6 +77,11 @@
   (recursive? git-reference-recursive?   ; whether to recurse into sub-modules
               (default #f)))
 
+(define (bash-package)
+  "Return the default Bash package."
+  (let ((distro (resolve-interface '(gnu packages bash))))
+    (module-ref distro 'bash-minimal)))
+
 (define (git-package)
   "Return the default Git package."
   (let ((distro (resolve-interface '(gnu packages version-control))))
@@ -87,9 +92,10 @@
   (let ((distro (resolve-interface '(gnu packages version-control))))
     (module-ref distro 'git-lfs)))
 
-(define (git-fetch-builder git git-lfs git-ref-recursive? hash-algo)
+(define (git-fetch-builder bash git git-lfs git-ref-recursive? hash-algo)
   (define inputs
-    `(,(or git (git-package))
+    `(,(or bash (bash-package))
+      ,(or git (git-package))
       ,@(if git-lfs
             (list git-lfs)
             '())
@@ -163,6 +169,7 @@
 (define* (git-fetch/in-band* ref hash-algo hash
                              #:optional name
                              #:key (system (%current-system))
+                             (bash (bash-package))
                              (guile (default-guile))
                              (git (git-package))
                              git-lfs)
@@ -177,7 +184,7 @@ respective documentation."
                       ;;
                       ;; Don't pass package specific data in to the following
                       ;; procedure, use #:env-vars below instead.
-                      (git-fetch-builder git git-lfs
+                      (git-fetch-builder bash git git-lfs
                                          (git-reference-recursive? ref)
                                          hash-algo)
                       #:script-name "git-download"
diff --git a/guix/scripts/perform-download.scm b/guix/scripts/perform-download.scm
index 86ac68284af..4c1034beaf7 100644
--- a/guix/scripts/perform-download.scm
+++ b/guix/scripts/perform-download.scm
@@ -216,7 +216,9 @@ Note: OUTPUT may differ from the 'out' value of DRV, notably for 'bmCheck' or
       ;; Commands such as 'git submodule' expect Coreutils and sed (among
       ;; others) to be in $PATH.  The 'git' package in Guix should address it
       ;; with wrappers but packages on other distros such as Debian may rely
-      ;; on ambient authority, hence the PATH value below.
+      ;; on ambient authority, hence the PATH value below.  The ambient 'sh'
+      ;; command is also used to patch the Git LFS hooks, which uses
+      ;; '/bin/sh'.
       (setenv "PATH" "/run/current-system/profile/bin:/bin:/usr/bin")
 
       (parameterize ((%download-methods